The Financial Services Technology Consortium, a group of technology executives with representatives from Citigroup, Wells Fargo, and JPMorgan Chase, among others, has launched a research initiative to study various biometric technologies and how they could be used to discourage fraudsters’ efforts at identity theft or account take-over. While a number of banks around the world are already trialing or piloting biometric-based authentication for both online and call center-based access, as is evident from this report in SearchFinancialSecurity.com, adoption and deployment have been plagued by a lack of understanding.
FSTC’s Executive Director Dan Schutzer acknowledges the whole topic of where biometrics fit into user authentication is “a fairly complex subject.” He mentions that banks would be sharing information comparing various biometric approaches, use cases, and best practices. According to the report, “the initiative will also explore the possibility of a shared database with biometric data of known fraudsters, which could help financial institutions prevent both insider and external fraud.” While this sort of “black list” is one of the more rudimentary approaches to fraud detection, it is a step in the right direction in terms of defining ways that financial institutions can share infrastructure and make biometric authentication more affordable and commonplace.
That said, I was discouraged to read that an analyst from the Burton Group, one of the most respected firms in the network security domain, characterized biometric security as “simply a non-starter in the retail online banking space,” adding that “customers absolutely refuse to use a hardware-based authentication solution.” I couldn’t disagree more. For one thing, voice biometrics don’t require customers to carry additional hardware, and we’ve seen voice biometrics used in conjunction with online banking through the use of an outbound telephone call to capture a password or voiceprint.
More importantly, a number of customer authentication strategies already treat mobile devices as if they were tokens for one-time passwords (OTPs) by transmitting a unique series of digits via text messaging to support remote access either through the telephone or a desktop computer. Banking, like most other e-commerce and Internet-based activity in general, is steadily becoming mobile. As it does, the types of activities that will take place over mobile phones are broadening significantly. Adding a voice biometric to other factors (such as a PIN or secure SIM card) will provide the basis for inexpensive, accurate user authentication. As frequent users become more security-conscious, the use of a “spoken token” can give users more confidence in using mobile channels to carry out more of their online activities.