How to use CAPTCHA in a conversational interface?

In today's digital world, robust authentication mechanisms are an absolute necessity. With the increase in cybercrime, it is essential to protect personal and sensitive information. As stated in the last OWASP 2023 Top 10 Vulnerabilities report, authentication mechanisms are the first line of defence against unauthorized access to online accounts. Furthermore, the new ISO 27001:2022 certification standard dedicates specific controls and clauses to ensure secure authentication procedures.

A robust authentication mechanism is the key to unlocking a great number of self-services. For example, making financial operations, changing insurance policy details or consulting medical test results are operations that individuals can perform online if they pass a strong authentication screening.

However, there are situations where robust authentication mechanisms are not possible. This is the case of quote&buy journeys, where customers are not registered and identified apriori, but also when agents and advisers are about to request some actions on behalf of their clients.

In such cases, the list of self-serve services experiments a physiological reduction because some critical actions won’t be accessible to an unidentified user. Reducing the risk of robots and Denial of Services attacks is also important by using additional security measures like CAPTCHA codes and other techniques.

CAPTCHAs, in particular, are a popular security measure used to prevent automated attacks by requiring users to prove they are human and they nicely fit conversational interfaces. A handy-style text over a noisy background is generated and displayed to the user as an image. Automated Optical Character Recognition (OCR) detectors won’t be able to easily guess the keyword by reading the image.

The main three requirements for a good CAPTCHA code generator are:

All Posts

Access to your own SQL database

2 min read

In this technical blog, we explore how accessing databases can unlock the next level of automation of conversational processes built on the Spixii CPA platform. Gaining access to databases should not be taken for granted, as it requires a robust security framework which, if missing, requires heavy support for the software provider, which can not only involve large costs but, most importantly, slows down continuous improvement and innovation.



One might argue that SaaS platforms often lack transparency.

They are like backboxes, hard to configure and protected by several layers of IP and secretness. In particular, it's barely possible for users to get access to the central SQL Relational Database Management System (RDBMS) of the SaaS platform: software suppliers rarely allow direct access to the RDBMS for security constraints (and sometimes to avoid the client seeing some low quality and inaccurate database objects, which might carry unpleasant surprises).

At Spixii we always believe that true automation demands transparency and clarity throughout all steps of any process, especially in regulated industries like finance and insurance. For this reason, we had no concern about exposing directly to our customers the Python source code of their conversational processes in the Function Manager module.

This is great, but not enough.

We created a segregated database for each client but, until today, it was hidden behind some access layer, which is not familiar outside of the Spixii developers' team. It's known that many software companies take advantage of the structural inaccessibility of their RDBMS to ask their clients for more applications and more maintenance tasks: this increases the cost of the solution drastically and pulverizes the number of tools used by the operation team of the client, generating inefficiency and constant frustration.

You can use ORM objects or native SQL queries

For our Advanced and Premium clients, we now offer direct access to their RDBMS with the versatile and enterprise-designed Python framework SQLAlchemy.


SQLAlchemy is an Object-Relation Mapping (ORM) that allows your script built on the Function Manager to access and manipulate database tables directly with Python objects.

For example, it's possible to retrieve all the variables collected in your process, like name, surname, policy id, etc ... with the following code fragment:


But the native SQL language is also available: a simple SQL query can be executed and the result fetched and manipulated.

For instance, the same result of the previous example can be obtained with the following SQL query:


Why is it so important?

Given the total control of data on the database through Python ORM objects or native SQL queries, it's possible to expand further the automation power of the Spixii CPA platform. In particular, in the Function Manager of the Spixii CPA platform, a user can:

  • Manipulate any accessible table of the database using Python objects or SQL queries
  • Look up data from other conversations belonging to your organization, which is particularly useful for identifying optimal paths
  • Fetch advanced statistics generated in real-time by our Data Model and make decisions based on them, including customer's psychometric and behavioural insights
  • Define custom database objects and tables accessible only within your organization and more

The following examples should give a better understanding.

Example 1 - Improve the UX on recurring users

Let's consider a typical claim FNOL (First Notification of Loss) journey, starting with the authentication of the policyholder who is about to notify of a crack on his mobile screen. Unfortunately, the phone has been left at home, and the policyholder can't submit any picture of the broken screen. Therefore the conversation is dropped, and no notification is sent to the insurer.

Once back home, the policyholder restarts the chat: once authenticated, the conversational process can be instructed in the Function Manager to look up the previous conversations and recognise if the user is a recurring one. If so, replies already given can be retrieved without asking them again, and the process can proceed from the last unanswered question.

Example 2 - Real-time AI best decision

A quote & buy journey chooses randomly between two conversational paths: they have different wording, but both capture the same variables and bring new customers to buy the same insurance product.

The SQLAlchemy functionality can be used to count the number of customers that eventually bought the product split by the chosen path and then automatically redirect the new incoming conversations to the most performant path.

In other words, the conversational process learns from past conversations and automatically takes the optimal decision to maximize the result.

How we can do it in a secure way?

As mentioned in the introduction, exposing the database to the client requires a deep understanding of the security implications and performance constraints that might be impacted by many queries running simultaneously.

For this, we leverage the combination of two enterprise reliable frameworks:

  • Oracle Virtual Private Database (OVPD)
    OVPD enables the creation of security policies to control database access at the row and column level. OVPD adds a dynamic WHERE clause to a SQL statement issued against tables, views, synonyms, or any other database object.

    OVPD enforces security directly on the database level, which means that any application or user can't bypass security policies. Also, it guarantees data segregation on multiple instances of the platform.

  • Fine-grained Access Control (F.G.A.C.)
    F.G.A.C. is a sophisticated paradigm for deploying transparent security policies on tables, views, synonymous and other objects, which the database will use to "rewrite" the predicate of the submitted query. It is a scalable and reliable mechanism for implementing security straight at the database layer and requires no change to the applications, APIs, web tools and other products that depend on the database.


As we can see, accessing the database takes the flexibility of the conversational process to the ultimate level.

Developers, business analysts and operation departments can now access their database straight without dealing with wraps of software layers. And business managers can allocate their budget to improve the services instead of wasting it on more applications.

Let's start your journey on the Spixii CPA platform with your first 14 days free trial now!

Recent Posts

How to use CAPTCHA in a conversational interface?

In today's digital world, robust authentication mechanisms are an absolute necessity. With the increase in cybercrime, it is essential to protect pers...

Read more

The sweet spot between smooth operations and customer experience

3 min read Gone are the days of interactions where customers and businesses would have to come face-to-face for a transaction. Thanks to the mighty po...

Read more

How can customer service operations save money?

5 min read Efficient and effective customer service operations can significantly impact a company's finances. By providing customers with prompt and a...

Read more

What are the 3 steps to reduce the stress experienced by customer service consultants?

5 min read As a customer service consultant, many factors can cause stress and anxiety in the workplace. One of the biggest causes of stress is dealin...

Read more
2024 Spixii WP - How to deliver expert customer service immediately, consistently and around the clock

Download your FREE Spixii White Paper copy

Discover how to deliver expert customer service immediately, consistently and around the clock:
  • Key KPIs that make or break
  • Making compliance teams happy
  • De-risking the transition to automation