Customer Authentication
How to safely authenticate customers
Different communication channels present us with different opportunities to authenticate customers. This article outlines the standard approaches for each communication channel.
Web Chat
The following authentication methods can be used to authenticate customers in web chat:
Customer provides an order ID – For most smaller stores, this approach can be sufficient; however, it does not actually prove that the customer making the request is the one who made the purchase. Anyone who knows the order ID can read all information about the order and change it. If order IDs are predictable or easy to guess (for example, sequential numbers), this method of authentication is unacceptable. If order IDs are long, randomly generated values and the store wishes to minimise friction for customers, this can be a valid approach.
Customer provides an order ID + a second piece of information – This improves on the previous approach: the customer must also supply a detail about the order, which reduces the risk of guessing attacks. An example would be order ID + full name. Where possible, choose a second piece that is not printed next to the order ID on packing slips or shipping labels, and limit the number of failed attempts per chat session so the second piece cannot be brute-forced. This method is secure enough for the majority of e-commerce stores.
Customer provides an email or order ID, and Octocom sends a confirmation link to the email – This approach is highly secure but adds friction for customers. It proves that the person in the chat controls the email address used for the purchase. The link should be single-use and should expire after a short time.
Using the website's authentication mechanism – If the website has a login system, the chatbot can be integrated with it for authentication. Additionally, if a member portal exists, the web chat widget can be placed behind protected pages, allowing authentication without requiring additional JavaScript integrations.
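The following is an added example (not Octocom's own code) of how the first three web-chat methods fit together on the chatbot side: unguessable order IDs for method 1, order ID + full name with a per-session guess limit and constant-time comparison for method 2, and single-use, expiring confirmation links for method 3. The order records, the `ORDERS` table, the `postcode` field and the confirmation URL are constructed assumptions; a real deployment would look orders up through the store's order API.

```python
import hashlib
import hmac
import secrets
import time

# Constructed sample order store (assumption for this example); a real
# deployment would query the shop's order API instead.
ORDERS = {
    "ord_7Qx9mT2kLp": {"email": "ana@example.com", "name": "Ana Lima", "postcode": "SW1A 1AA"},
}


def new_order_id() -> str:
    """Unguessable order ID: 9 random bytes (72 bits) in URL-safe base64.
    Method 1 (order ID alone) is only acceptable with IDs like these,
    never with sequential numbers."""
    return "ord_" + secrets.token_urlsafe(9)


def _find_order(identifier: str):
    """Locate an order by order ID or by the purchase email (case-insensitive)."""
    if identifier in ORDERS:
        return identifier, ORDERS[identifier]
    for order_id, order in ORDERS.items():
        if order["email"].casefold() == identifier.casefold():
            return order_id, order
    return None


# ---- Method 2: order ID + a second piece of information -------------------
MAX_ATTEMPTS = 5
_attempts: dict[str, int] = {}  # failed-guess counter per chat session


def _normalise(value: str) -> bytes:
    """Collapse whitespace and case so 'ana  LIMA' matches 'Ana Lima'."""
    return " ".join(value.split()).casefold().encode()


def auth_with_second_factor(session_id: str, order_id: str, claimed_name: str) -> bool:
    """True only if the order exists, the name matches, and the session
    has not used up its guess budget."""
    used = _attempts.get(session_id, 0)
    if used >= MAX_ATTEMPTS:
        return False
    order = ORDERS.get(order_id)
    # Run the comparison even for unknown order IDs so response time does
    # not reveal whether an order exists.
    expected = _normalise(order["name"]) if order else b"\x00"
    match = hmac.compare_digest(expected, _normalise(claimed_name))
    ok = order is not None and match
    if not ok:
        _attempts[session_id] = used + 1
    return ok


# ---- Method 3: confirmation link sent to the purchase email ---------------
LINK_TTL_SECONDS = 15 * 60
_pending_links: dict[str, tuple[str, float]] = {}  # sha256(token) -> (order_id, expiry)


def _token_key(token: str) -> str:
    # Store only a hash, so a leaked table cannot be replayed as live links.
    return hashlib.sha256(token.encode()).hexdigest()


def issue_confirmation_link(identifier: str, base_url: str = "https://chat.store.example/confirm"):
    """Return (recipient_email, link) or None if no order matches the given
    order ID or email. base_url is an assumed endpoint for this example."""
    found = _find_order(identifier)
    if found is None:
        return None  # the chat reply should look identical to prevent enumeration
    order_id, order = found
    token = secrets.token_urlsafe(32)
    _pending_links[_token_key(token)] = (order_id, time.time() + LINK_TTL_SECONDS)
    return order["email"], f"{base_url}?t={token}"


def redeem_confirmation_link(token: str, now=None):
    """Return the authenticated order_id, or None if the token is unknown,
    already used, or expired. The token is invalidated on first use."""
    now = time.time() if now is None else now
    entry = _pending_links.pop(_token_key(token), None)
    if entry is None:
        return None
    order_id, expiry = entry
    return order_id if now <= expiry else None
```

The guess counter and pending-link table are in-process dictionaries here; in production both belong in shared storage so that limits and single-use semantics hold across chatbot instances.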
Email
If the received email passes SPF, DKIM, and DMARC checks, we can be reasonably confident that it was sent through infrastructure authorised for the sender's domain, which in practice means the sender controls that mailbox. These checks authenticate the sending domain rather than the individual account, so they do not protect against a compromised mailbox, and only results recorded by our own receiving mail server should be trusted, since a sender can add a forged Authentication-Results header of their own. If the order is associated with this email address, the customer is authenticated automatically without any further steps.
If the email is not associated with any orders (e.g., the customer is writing from an alternative email address), the same methods described in the Web Chat section can be used (excluding website authentication, since the customer is not interacting through the website).
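As an added example (not Octocom's code), the check above applied to an inbound message: the chatbot reads the Authentication-Results header written by the receiving mail server, accepts the sender only when that header carries our own authserv-id and reports dmarc=pass for the domain in the From header, and then looks the From address up against the orders. The `TRUSTED_AUTHSERV_ID` value, the `ORDERS_BY_EMAIL` table and the sample messages are constructed assumptions. A DMARC pass still says nothing about a compromised mailbox, so the result is "sender controls the domain's mail", not "this person is who they say".

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Assumption: the authserv-id our own inbound MTA writes into
# Authentication-Results. Headers with any other id are ignored, because a
# sender can include a forged Authentication-Results header of their own.
TRUSTED_AUTHSERV_ID = "mx.store.example"

# Constructed lookup table; a real deployment would query the order system.
ORDERS_BY_EMAIL = {"ana@example.com": "ord_7Qx9mT2kLp"}


def parse_authentication_results(value: str):
    """Parse an RFC 8601 Authentication-Results value into
    (authserv_id, {method: (result, {property: value})})."""
    value = re.sub(r"\([^)]*\)", "", value)  # drop comments such as "(p=reject)"
    parts = [p.strip() for p in value.split(";") if p.strip()]
    if not parts:
        return None, {}
    authserv_id = parts[0].split()[0].lower()
    results = {}
    for part in parts[1:]:
        tokens = part.split()
        method, _, result = tokens[0].partition("=")
        props = {k.lower(): v for k, _, v in (t.partition("=") for t in tokens[1:]) if k and v}
        results[method.lower()] = (result.lower(), props)
    return authserv_id, results


def authenticate_email(raw_message: str):
    """Return (sender_verified, order_id).

    sender_verified is True only when a trusted Authentication-Results header
    reports dmarc=pass for the domain in the From header. order_id is the
    order linked to the From address, or None if there is none (fall back to
    the web-chat methods in that case).
    """
    msg = message_from_string(raw_message)
    _, from_addr = parseaddr(msg.get("From", ""))
    from_domain = from_addr.rpartition("@")[2].lower()
    if not from_domain:
        return False, None
    for header in msg.get_all("Authentication-Results", []):
        authserv_id, results = parse_authentication_results(header)
        if authserv_id != TRUSTED_AUTHSERV_ID:
            continue  # not written by our MTA: possibly forged upstream
        result, props = results.get("dmarc", ("none", {}))
        aligned = props.get("header.from", "").lower() == from_domain
        if result == "pass" and aligned:
            return True, ORDERS_BY_EMAIL.get(from_addr.lower())
        return False, None
    return False, None


# Constructed sample message, as our MTA would hand it to the chatbot.
SAMPLE_VERIFIED = """\
Authentication-Results: mx.store.example;
 dkim=pass header.d=example.com header.i=@example.com;
 spf=pass smtp.mailfrom=example.com;
 dmarc=pass (p=reject dis=none) header.from=example.com
From: Ana Lima <ana@example.com>
To: support@store.example
Subject: Where is my order?

Hi, my order has not arrived yet.
"""

# Same sender, but the receiving MTA recorded a DMARC failure.
SAMPLE_FAILED = SAMPLE_VERIFIED.replace("dmarc=pass", "dmarc=fail")

# The sender supplied a passing header under a different authserv-id and our
# MTA's own header is absent; the forged header must be ignored.
SAMPLE_FORGED = SAMPLE_VERIFIED.replace("mx.store.example;", "mx.attacker.example;")
```

In practice the receiving MTA should also strip any pre-existing Authentication-Results headers bearing its own authserv-id before adding its own, so that the authserv-id check cannot be bypassed by a sender who guesses it.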
Social Media
Since social media accounts are almost never linked to an order, they cannot be used as an authentication mechanism.
For social media, the same approaches as those used in Web Chat can be applied (excluding website authentication, since the customer is not interacting through the website).
Mobile Apps
The simplest and safest approach for mobile apps is to use the app's authentication mechanism. Since the app is responsible for rendering the chat interface, it also controls authentication.
If the app does not have user authentication or if using it is infeasible, the same methods as those in Web Chat can be used.
Review Platforms
For review platforms such as Trustpilot or Google Reviews, authentication is not applicable, as no sensitive operations are performed—responses are publicly visible.