Knowledge-Based Authentication: There Has To Be a Better Way – Or – Why Do I Feel Like Screaming?

by Carol Coye Benson on May 20, 2008


Carol Coye Benson - Glenbrook Partners

After years of working in the somewhat arcane arena of digital identity and authentication, I’ve found my attention to what’s going on slipping somewhat.

Frankly, it just hasn’t been all that interesting. The many attempts to rationalize the messy world of multiple IDs and passwords seem to collapse, either of their own weight or for lack of interest. (Although I will concede that within enterprises and among their supply chains, there has been significant progress.)

Those of us who were watching what banks would do in the aftermath of the FFIEC’s call for stronger authentication several years ago were not surprised to see the outcome. Instead of opting for expensive (and probably annoying) FOBs or tokens, banks simply opted to beef up their behind-the-scenes security – using pattern anomaly detection techniques and a grab-bag of interesting device fingerprinting and IP address recognition capabilities.

What has been a bit surprising was how pervasive the implementations of KBA (“Knowledge Based Authentication”) have been – most typically as a fall-back authentication if upfront procedures failed or produced questions. Banks have used KBA techniques, but so, increasingly, have other online services.

As professionals, we all were seduced by the intriguing variations of KBA: past-history questions (“What was your last transaction with us?”), credit-bureau-database questions (“Which of the following addresses have you lived at?”) or other-database questions (“What color car did you drive in 1985?”). As consumers, we have laughed at the potential for error with some of the questions (“OK, today Sophie is my favorite pet, but last year it was Max…”).

But I really hit the wall yesterday when exposed to a new level of annoying (what I would actually call customer-hostile) KBA.

Here’s the story. I am a new, and formerly reasonably content, subscriber to AT&T’s mobile services. Along with half the people I know, I was drawn over to AT&T by my desire to have an Apple iPhone (oh, it’s so cool…) and the industry’s perfection of mobile number portability made it all possible. So I bought a pretty big package – voice and data plans for my iPhone, and voice, text messaging and Internet access for the others on my “family plan”. I bought everything online, but with frequent consultations with AT&T’s customer support team – who, generally speaking, did a great job. They had clearly all been through the same customer support training sessions (“Do I have your permission to put you on hold now?”) and seemed to know the answers to most questions.

Like a good girl, I did what I was told and registered for AT&T’s online service platform, and accessed this several times (with my ID and password) to review my bill, etc. And, using the same platform, I paid my bill.

So why am I telling you this? Just to point out that 1) AT&T has a valuable new customer and 2) that they can, and do, authenticate me by my ID and password.

I used this same ID and password a few days ago, AT THE SAME COMPUTER AND FROM THE SAME NETWORK to order a data card for my laptop, with accompanying service. That’s when the trouble started.

I got an email from AT&T saying that my “order required verification”. I called back – it took 10 minutes to get a person, explain that I was RETURNING THEIR CALL, and identify myself sufficiently (last four, ZIP code….) to have a conversation. THEN I was put through their KBA routine. It took 15 minutes! They read out four questions, each drawing on a list of possible past addresses from my credit file. I could not interrupt the dialog if the first answer was right.

Knowing just how bad credit files usually are, I was not surprised to find that the addresses they presumably wanted me to say were mine were actually a mixture of former work addresses, or addresses with the right street but wrong city. But how could I be sure? After all, the “clearly wrong” answers weren’t random; they were also variations (same city, etc.) of the “right” answers.

So what was the right answer? I was horrified that I was going to make a mistake and end up wasting 25 minutes of my day. I tried honesty: “that was my work address” but was met by steely determination: “You must say ‘yes’ or ‘no’ to the question, ‘Was that your residence?’”

So, I just want to know WHY? Can’t AT&T trust its own online service – when a customer is coming in through the same computer and same network? If the authentication was good enough to do a credit card transaction, why isn’t it to order a new service?

They are clearly trying hard to please their customers – so why do I feel like screaming?

