Skip to content
Navigating the multi-factor authentication marketplace can be overwhelming, so our team broke it down.

What MFA Is Best For Your Call Center?

Choosing the right fit for a contact center's MFA is easier said than done. When it comes to deciding which security solution is worth investing in, there are a multitude of factors that need to be considered: cost, scalability, ease of deployment, and whether or not it meets compliance standards. 

Given that cardholder data is being handled on a daily basis, most BPOs choose to limit mobile phones on the floor – as suggested by PCI SSC – as a security precaution. This makes implementation a challenge when it comes to using modern MFA solutions, as most rely on the user having a mobile device. This presents another often overlooked problem: If a mobile phone is required for security procedures, and an employee does not have a smartphone, the organization would be required to provide one which is costly and unsustainable long term.

While some organizations are willing to take the risk and allow mobile devices on the contact center floor for MFA, it is not PCI DSS compliant. Noncompliance risks a variety of consequences: $500,000 fines, needing to hire PCI DSS auditors which can cost $100,000 a pop, or worst of all, damages to the brand's reputation which can result in a loss of clients.

For years, hard tokens have been the alternative to mobile-centric MFA, but tokens present their own unique challenges. In addition to being a costly investment for the token itself, organizations need to remember that like any other device they can get lost, broken, or have the battery die.  Hard tokens also require a significant time investment.  In an industry with an average 150% annual churn, the time and effort required to order, issue, and reissue tokens can be unsustainable.

Whether hard token or mobile-based, traditional MFA methods all have one thing in common: interruptions. Both require the agent to stop what they are doing each time they complete an MFA challenge. If organizations are following best practices such as 15-minute lockouts, this means agents are interrupted repeatedly throughout the day.  This time can be better spent actually helping customers.

Twosense Passive and Continuous MFA is changing the way that BPOs go about identity security. Designed specifically for call centers, Twosense MFA is a no-phone, software-only multi-factor authentication powered by behavior biometrics.

Organizations can deploy MFA in a contact center environment for a team of 100 for as little as $3600 for the year. Unlike hard tokens, Twosense does not require organizations to assign, reassign, or manage seats or devices. By design, Twosense only counts people actively using the software in the last 30 days reducing significant friction for administrators and reducing wasteful spending. 

MFA Comparison Chart_website-2

Implementing behavioral biometrics such as Twosense Passive MFA or Continuous MFA into contact centers’ identity security postures enables BPOs to do what was previously impossible: deploy MFA everywhere, to every user without increasing user friction or increasing security costs. An added bonus is that since each biometric factor is unique to each user, both Twosense Passive and Continuous MFA are phishing-resistant by design.

To learn more about how Twosense can reduce your security costs, bring your contact center up to compliance, and provide better security, please request your private demo here.

More from the Blog

March 6, 2023

PCI 4.0: MFA For Network Access

The pandemic pushed all businesses that could to a work-from-home model, and contact centers were no exception....
August 1, 2022

MFA Isn’t Enough Anymore

Regardless of the industry, multi-factor authentication is no longer optional. Prior to the broad adoption of MFA,...
May 17, 2022

Zero Trust In BPO Call Center Environments

The Truth About Zero Trust Every industry has a term that is overused and often misused. In the security space, Zero...

Sign Up for our Blog

We will never share your email address with third parties.