E-commerce
June 28, 2026
A customer writes: "Change the address on my order #4521" or "Refund me, defective product". The agent wants to help quickly. But is the requester really the buyer? Without customer authentication, you expose orders, addresses, and refunds to third parties or simple errors.
Authenticating does not mean treating every visitor like a suspect. It means applying the right level of verification based on sensitivity: public info, personal data, or financial action. Shopify recommends risk-based friction: step-up only when the risk increases (Shopify, customer authentication 2026).
This guide #122 covers when to authenticate, 3 practical levels, protocols by request, bots, and UX. It complements support security (#121) with an angle on operational authentication methods before address, refund, or order modification.
Summary
Why authenticate the client before certain responses?
Support client authentication protects buyers and stores before any sensitive action.
Risks without verification
Support fraud: third party with a stolen order number
Recipient error: shared forwarded email
GDPR: unauthorized PII disclosure
Abusive refund: double dip or third-party order
It is not paranoia
Banks authenticate before transfers. E-commerce customer service applies the same logic for address changes or refunds. Real customer authenticated in 30 seconds; fraudster blocked without data access.
Concrete example
Scammer with a publicly forwarded order confirmation. Requests an address change. Store ships to the fraudster. Real customer initiates a chargeback. Misconfigured auth = abandoned ticket; absent auth = fraud.
When should you authenticate, and when can you do without it?
Knowing when to authenticate avoids unnecessary friction and dangerous vulnerabilities.
No auth required
Website return policy, opening hours, pre-purchase product specs, public promo, brand contact, general support response times.
Light auth (level 1)
WISMO, order delivery estimate, tracking link: order # + Shopify email match.
Standard auth (level 2)
Order item details, initiate return, purchase history: email match + factual challenge.
Strong auth (level 3)
Address change, refund, account modification, cancellation, VAT invoice, complete sensitive data.
Agent decision tree
Does the action modify money or delivery? Yes → minimum standard auth. No → public info or level 1. Order > €200 or validated VIP CRM: level +1. Cookie.solutions recommends verification third-parties aligned with the risk of the request (Cookie.solutions, support verification 2025).
What are the 3 levels of support authentication?
Three authentication levels standardize your customer service protocols.
Level 1: email match
Customer provides email + order number. Agent or bot verifies email = order.email in Gorgias sidebar. Case-insensitive. Gmail aliases count if they match the order.
Level 2: email match + challenge
Factual question: shipping zip code, last 3 digits of phone number, billing first name, SKU of first item, total amount (range ± €5). Standard KBA: 2 out of 3 factors.
Level 3: customer account or OTP
Connected Shopify Customer Accounts = implicit auth. Otherwise, 6-digit email OTP expiring in 10 min, max 3 attempts, or magic link on the order status page.
Level × action matrix
Tracking link: level 1
Item details: level 2
Address change: level 2 min, 3 if > €200
Refund: level 2 + manager, 3 if dispute
Account email change: level 3 mandatory
Step-up and failure
Level 1 passed then refund request: step-up to level 2. Two challenge failures: tag auth_failed, polite refusal, contact from original order email only.
What concrete methods can be used on a daily basis?
Five authentication methods cover 99% of Shopify DTC cases.
1. Email match (source of truth)
order.email Gorgias sidebar. Different PayPal buyer email? Check both in order notes.
2. Challenge questions
Postal code = most reliable. Avoid exact cent amounts or overly difficult questions.
3. Shopify customer account
New Customer Accounts: client logged in widget = authenticated badge. Agent sees linked customer ID. Passwordless OTP login on the account side reduces credential attack surface (Shopify, fraud management 2026).
4. Email OTP and magic link
6-digit code sent to the order email. "Manage my order" link proves access to the mailbox.
5. Last resort manager
Last 4 digits of the credit card + proof of purchase if client cannot find email. Never use order number alone, name alone, IP, or unverified caller ID.
See Shopify integration.
Which protocols should be applied for each type of request?
Challenge-response authentication protocols to document in the playbook.
WISMO
Ask for order # + email
Verify Shopify match
If OK: status + carrier tracking link
If fail: explain security, no info
Address change
Verify unfulfilled status
Order # + email match + zip code challenge
Confirm new address in writing
Modify Shopify, confirm to customer
If shipped: refuse, carrier redirect options
Refund
Order # + email match + 2 challenges
Verify return/timeframe policy, no refund already processed
Manager approval if > threshold or exception
Refund from Shopify sidebar, confirmation email
Special cases
Gift: original buyer only can modify before delivery. Recharge Subscription: level 2 authentication minimum. Gift card refund: level 3 + manager. Reset password: official Shopify flow only.
How should authentication be adapted to each channel?
Multi-channel authentication must remain consistent across email, chat, phone, and social.
Inbound Email
Verify From: vs order.email. If different: reply "contact from order email" or initiate a challenge. From: spoofing is possible: challenge even if there is a visual match.
Chat widget
Bot collects order # + email before giving info. Pre-fill if customer is logged in. Session auth is valid for 30 min.
Phone
Caller ID is unreliable. Same protocol: order # + email + verbal challenge. Callback the number on the order if there is a match.
Instagram / WhatsApp DM
Channel is unverified by default. Public info is OK. Sensitive actions: redirect to order email or customer account. Amazon Marketplace: auth via the platform, not a separate email.
How do I integrate authentication into the AI bot?
The AI bot must verify before any order disclosure. Sequential numbers are guessable: match owner email before responding, never rely on model judgment alone (Nylas, order-status agent 2026).
Standard bot flow
Order question → ask for order # + email
Shopify API verify match
If OK: respond with authorized intent
If fail: security message + magic link option
Sensitive action: handoff to tier 2 agent
Auth-aware intents
track_order tier 1 post-verify. order_details tier 2. address_change and refund_request: agent only. account_access: Shopify magic link. Rate limit 5 attempts/order #/hour.
Forbidden for bot without verify
Full address, phone number, refund amount processed, full purchase history.
How do you authenticate without frustrating the real customer?
UX authentication protects without creating suspicion.
5 principles
Explain why: protect your order
Minimum necessary: no over-auth for simple WISMO
Once per session: auth valid for 30 min chat
Clear alternative: order email or customer account
Empathetic tone: no accusation
Macro AUTH-EXPLAIN
“In order to protect your information and your order, we need to verify that you are the buyer. Confirm the email address used and [challenge]. This will only take a moment.”
Dissatisfied or blocked customer
Escalate to team lead, do not give in without verification. Customer cannot find email: check spam, typo, reset customer account. Mobile: numeric keypad for postal code. Accessibility: OTP by email if reading is difficult.
How to train agents and deploy AUTH-* macros?
The authentication training transforms the protocol into an agent reflex.
AUTH-* Macro Library
AUTH-EXPLAIN: why verify
AUTH-REQUEST: order # + email
AUTH-CHALLENGE: zip code or SKU
AUTH-FAIL: polite refusal mismatch
AUTH-OTP: send code
AUTH-ESCALATE: manager handoff
45-min Training Module
Level matrix, Gorgias sidebar demo, roleplay address change fraud, roleplay rushed customer, 8-scenario quiz.
Common Mistakes
Skipping auth if voice sounds familiar. Accepting typo emails (john@gmail vs johnn@gmail). Disclosing info before verifying. Challenge too difficult. Failure to document. 30-day probation: zero solo refunds without supervisor co-sign.
See DTC playbook (#118).
How do you document, tag, and audit compliance?
Without auth documentation, it is impossible to prove compliance in a dispute or chargeback.
Gorgias Tags
auth_passed, auth_failed, auth_bypass_vip (pre-validated CRM), auth_escalated, sensitive_action.
Mandatory Log
Ticket note: auth method, challenge used, agent, timestamp. Monthly audit sample of 20 sensitive_actions: 100% documented auth.
Auth KPIs
Auth fail rate: fraudulent attempts
CSAT auth segment: measured friction
Time to auth: target < 60 sec chat
Sensitive compliance: 100% logged
GDPR
Auth = legitimate interest in data protection. Logs retained for 12 months min if fraud investigation is active. Chargeback defense pack includes proof of legitimate buyer auth.
How does Qstomy automate customer authentication?
Qstomy integrates customer authentication without unnecessary friction.
Features
Order email verify: real-time Shopify matching
Challenge flow: configurable postal code
30 min session: no repeat requests on the same chat
Sensitive block: automatic refund/address handoff
Rate limit: anti brute-force order #
Audit log: compliance export
Encrypted DTC Scenario
Store with 600 tickets/month. Before protocol: 1 fraudulent address change/quarter. After Qstomy verify + challenge bot: 12 auth_failed/month blocked, zero incidents, auth segment CSAT 4.5, time to auth 25 sec average.
7-Day Setup
Activate verify email intents
Configure postal code challenge
Block sensitive actions bot
Sync Gorgias auth_passed tags
Train agents on AUTH module
Test 10 simulated scenarios
Explore AI support, Shopify, request a demo. See chatbot GDPR.
Which operational playbooks should be deployed this week?
Playbook 1: Action × Auth Level Matrix
Write a 1-page Notion article section 3. Sticky notes on agents' desks. Timeframe: 2 hrs.
Playbook 2: Audit of 15 Sensitive Tickets
Export refunds + address changes from last 30 days. Is auth documented on 100% of cases? List discrepancies. Timeframe: 2 hrs.
Playbook 3: Gorgias AUTH-* Macros
Publish EXPLAIN, REQUEST, CHALLENGE, FAIL. Link the playbook. Timeframe: 1 hr.
Playbook 4: Bot Hardening
Verify email before WISMO, block refund/address changes, rate limit 5/hr/order #, handoff flag security_review. Timeframe: 1 day.
Playbook 5: 45-Min Agent Training
Sidebar demo, 2 roleplays, 8-scenario quiz. Certification required before handling sensitive tickets solo. Timeframe: 1 session.
Useful Links
Authenticating means respecting the genuine customer by protecting their order. Done right, authentication remains invisible to 99% of legitimate buyers.

Enzo
June 28, 2026





