It’s story time! Around 2007 I had a task to enforce that agents in a contact center receive their supervisor’s approval before submitting a form, preferably before they spent several minutes filling it out. I’ll explain.

If it had been a paper form, we’d just keep the stack at the supervisor’s desk so that anyone who came to get one could at least ostensibly obtain permission from the supervisor before filling it out. (Editor’s note: several paragraphs of exposition on why such permission was needed have been cut for time.)

But we were a paperless office, and these escalations were sent electronically anyway so paper already wasn’t going to fit. But how do you enforce that someone speak to their supervisor before they use a form, and without just passing that data entry work to the supervisor by gatekeeping the form entirely?

Roll your own OTP

I created a simple SharePoint form, and any record added there would be queued into the list for additional review and sent to our client for investigation upon final approval. But how do we absolutely ensure that the form cannot be used without permission? We put an OTP on it.

Put in a valid code, get sent to the form. Any invalid or old code wouldn’t work.

Naturally I followed Windows Vista design guidelines.

Instead of the typical NewForm.aspx showing the fields, the agent would instead first see a dialog box prompting for an authorization code, a code that only certain other users could generate.

The supervisors were the only ones with access to view the page that generated the code, embedded into the header of the same page that listed all received submissions from the form. This code was ever-changing, and quickly. I can’t recall exactly how fast, I think an early version changed the code every millisecond, but I think I eventually slowed it considerably to about 4x per second. Whatever it was, it was certainly too fast to view by eye. Here’s a still frame of it.

Only supervisors could reach the page that generated codes.

Because we were a paperless office, it was highly discouraged to write down anything – even a temporary code like this – on paper. So in addition to changing quickly, the code was also lengthy. By design, it was necessary to copy/paste this code from manager to agent using our internal chat system, not in-person. This also enforced the strongly encouraged behavior of working with your supervisor via chat rather than standing in line at the help desk, which always had a physical queue.

  • The supervisor could press “copy” at any moment to copy the current code. It really didn’t need to be visible to them at all and initially it was just a button, but seeing the code change 10x per second was neat (to me).
  • Each code is only good for 5 minutes. After that, it won’t unlock the agent form anymore and they’ll need a fresh permission code.

The code generator and decoder on the agent side were two insanely short JavaScript files and were built almost entirely around converting the current time to another encoding (probably hexadecimal), possibly reversing the string as well. When the agent pasted the permission code, the JavaScript on their page reversed the text string, converted it back to binary and then to a datetime, and checked if that datetime was less than 5 minutes ago. If so, you pass and get to proceed.
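The scheme described above, reconstructed as an added example (this is not the original SharePoint script, which the post only recalls from memory). `legacyEncode` and `legacyIsValid` follow the description; `signedEncode`, `signedIsValid`, the key and the server-side placement are assumptions showing a keyed variant, since a code derived from the clock alone and checked in the agent's browser does not prove that a supervisor issued it.

```javascript
const { createHmac, timingSafeEqual } = require('node:crypto');

const WINDOW_MS = 5 * 60 * 1000; // each code is only good for 5 minutes
const reverse = (s) => [...s].reverse().join('');
const fresh = (issuedMs, nowMs) => nowMs >= issuedMs && nowMs - issuedMs < WINDOW_MS;

// Scheme as the post recalls it: current time -> hexadecimal -> reversed string.
function legacyEncode(nowMs) {
  return reverse(nowMs.toString(16));
}

// Check as recalled: reverse, parse back to a time, compare with the clock.
// Validity depends only on the clock, not on who produced the code.
function legacyIsValid(code, nowMs) {
  if (!/^[0-9a-f]{1,13}$/.test(code)) return false; // reject malformed input
  return fresh(parseInt(reverse(code), 16), nowMs);
}

// Assumed hardening: timestamp plus an HMAC-SHA256 tag under a server-held key.
function signedEncode(key, nowMs) {
  const ts = nowMs.toString(16);
  return `${ts}.${createHmac('sha256', key).update(ts).digest('hex')}`;
}

// Meant to run server-side, so neither the key nor the check reaches the agent's page.
function signedIsValid(key, code, nowMs) {
  const m = /^([0-9a-f]{1,13})\.([0-9a-f]{64})$/.exec(code);
  if (!m) return false;
  const expected = createHmac('sha256', key).update(m[1]).digest();
  if (!timingSafeEqual(expected, Buffer.from(m[2], 'hex'))) return false;
  return fresh(parseInt(m[1], 16), nowMs);
}

// Constructed sample values, not taken from the post.
const KEY = Buffer.from('constructed-demo-key');
const T0 = 1700000000000;

function demo() {
  const signed = signedEncode(KEY, T0);
  // Same tag glued onto a later timestamp: the tag no longer matches.
  const retimed = `${(T0 + WINDOW_MS).toString(16)}.${signed.split('.')[1]}`;
  return {
    legacyInWindow: legacyIsValid(legacyEncode(T0), T0 + 60000),
    legacyExpired: legacyIsValid(legacyEncode(T0), T0 + WINDOW_MS),
    signedInWindow: signedIsValid(KEY, signed, T0 + 60000),
    signedRetimed: signedIsValid(KEY, retimed, T0 + WINDOW_MS + 1000),
  };
}
console.log(demo());
```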
