The Perils of PIN Proliferation

Why is secure identification so difficult?
By Susan L. Hura - Posted Aug 12, 2013
Consider the following scenario: You need cash, so you go to the ATM and make a withdrawal (your PIN is 1234). That afternoon, you realize you forgot to see if the new automated payment you set up was actually deducted, so you call the bank's phone IVR system (another PIN—this time it's 0987). When you get home, you find a check waiting, so you pull out your mobile phone and log in to the bank's mobile app to deposit the check (this PIN needs to be alphanumeric, so you chose alpha5678). Three routine requests of the same institution, for the same account, made by the same person, yet each required a separate identification process. How did we get here?

Consumers have become increasingly aware of the importance of information security, but the status quo of multiple PINs is clearly not supportable over the long term. Organizations, especially those offering multiple self-service channels, face a confluence of factors that are forcing them to rethink how they identify and authenticate users of self-service.

Identifying customers has been a challenge since the start of automated self-service. Obviously, a system needs to know who the customer is to locate the appropriate account. Once customers have been identified, we are able to use information in the customer record to proactively provide more personalized interactions, like informing them of new activity in their account, confirming receipt of information they submitted, or updating them on status changes. Managing the identification process is vital in building customers' trust. If they feel that their personal information is being protected by a system, they may be more willing to use it in lieu of speaking with a customer service representative.

More onerous identification methods, such as long account or ID numbers, used to be more common, but customers didn't have them memorized, and they were difficult for callers to input and for systems to recognize. For a time, automatic number identification (ANI) was held out as a simpler method of identifying customers, but ANI may not be consistently available, and databases of customer phone numbers are difficult to maintain. Organizations frequently request personal information such as Social Security number, date of birth, or mother's maiden name, but customers are sometimes hesitant to provide such information in an automated transaction, even if they provided it when they set up their account. Organizations turned to using the last four digits of a customer's Social Security number when regulations restricted the use of the full number, but this still raises concerns and may not uniquely identify the customer.

Personal identification numbers seemed like a possible solution, but as the previous example demonstrates, we have reached a breaking point in the number of PINs we can tolerate. The sheer number of PINs customers are expected to remember creates a situation in which people use techniques (such as maintaining a spreadsheet of PINs or writing their PIN on their ATM card) that defeat the whole purpose of secure identification. PINs also present a maintenance problem for organizations, for which PIN resets and changes can be a significant drain on customer service. Voice biometrics is today's silver bullet for solving the identification problem, and its benefits can be tremendous, but public opinion of "voice prints" is still evolving and may affect the reach of voice biometric technology.

The customer self-service industry is on the brink of big changes, but it's not clear what the future will be. We face many questions about the benefits and limitations of various methods of identifying and authenticating customers, and about which methods are best suited for use in telephony, mobile, and Web platforms. How important is multifactor authentication? Is "single sign-on" across channels possible or desirable? What is the role of voice biometrics? Which contexts benefit most from voice biometrics? How does ubiquitous mobile phone use change the picture for identifying and authenticating users? How can new sources of contextual information available on mobile phones, such as GPS location or device ID, be leveraged for identification? These questions are among the topics of discussion at the annual workshop of the Association of Voice Interaction Design in New York. Visit www.avixd.org in the coming months to read workshop papers on the current and future challenges of customer identification.

Susan Hura, Ph.D., is a principal and founder of Speech Usability, a VUI design consulting firm. She can be reached at susan@speechusability.com.

