Authentication - The First A in the Triple AAA’s of Security [series]

In this series of articles, I want to discuss security best practices for your contact center: the triple A’s of security--Authentication, Authorization and Accountability. inContact can be a part of your security strategy, and the first article will discuss best practices for user authentication of agents and supervisors in your contact center.

Authentication is the process or processes by which the identity of an individual is verified.  Identification of an individual actually begins during the hiring process.  When looking at risk mitigation, verification of name and address are just the beginning. Employers commonly mitigate risk by hiring persons who are legal residents and whose background and history indicate reliability and capability. Common risk mitigating actions include  E-verify, background checks, drug testing, credit checks, and even the assessment of the candidate by searching social sites such as Facebook, LinkedIn and Twitter.

Risk mitigation steps should be commensurate with the types of data and services that an individual will have access to in the call center. When granting access to company systems,  one of the most common means of identification is through userIDs and passwords. Access management should begin with a documented password policy. Not only is having a written police a best practice, but it is imperative in many industries with regulatory and compliance requirements. An access or password policy should define password best practices such as the following;

  • Each user should have a unique userid.  Generic or shared userids and passwords should be strictly forbidden.
  • Minimum password complexity

    • Requiring at least 7 characters
    • Requiring a variety of characters including upper and lower case letters, numbers and symbols
    • Disallowing the re-use of passwords
    • Disallowing simple passwords that may be easy to guess (P@ssword or P123456)

  • Passwords that expire (60 or 90 days is common)
  • Initial first time use requiring users to change their password the first time they login
  • Having first time or initial use passwords expire – if the user does not login with 72 hours, the first time password will be deactivated
  • Password lockout after a specified number of consecutive failed attempts
  • Security awareness training to educate users to the risks of poor password management by storing passwords in text files, on sticky notes or on sheets beneath their keyboards

    • A best practice to facilitate secure password management is to us a password keeper utility to encrypt and securely store a users passwords.  There are many free versions available.

  • Using a process that documents all userid creation and that requires confirmation by a second party.  For example, requiring the creation of a ticket, specifying for whom and for what purpose access is being given and then requiring that the ticket be approved by the appropriate data owner.
  • Sending notification to a user each time his password is changed, thus allowing the user to be aware of possible unauthorized changes to their account

The inContact ACD solution provides the tools necessary to create and enforce these best practice password controls. Managers are able to create custom password policies within the inContact ACD platform. The user login password policies are found under the ‘Manage’ section of IC Central and allow companies to meet their compliance and regulatory requirements around password complexity and management. The password policy tool even measures and reports the strength of each password policy. Finally, inContact allows the manager to create a description for each security policy and to identify the users to which that security policy has been applied.

The next article in this series will identify Best Practices for Authorization of users to ensure that users have only the rights, functions and access that are appropriate to their job function.