After a fairly short pilot implementation period, which started in May 2017, ANZ went live last week with a Voice ID feature on its Grow by ANZ mobile banking app. Using technology provided by Nuance Communications, the feature allows voice authorizations of fund transfers of more than AU$1000 and BPAY (an electronic bill payment system in Australia) payments of more than AU$10,000.
This implementation is particularly interesting as it uses a server-based voice biometric platform for mobile authentication, instead of on-device, which is the growing trend in mobile biometrics.
On-Device, Hybrid and Remote Architectures for Mobile Biometrics
The proliferation of smartphones with ever-improving on-device capabilities, such as touchscreens for typing and swiping, fingerprint readers (optical, capacitive sensing and, more recently, under-screen), HD cameras, GPS and accelerometers, has driven a range of on-device and hybrid implementations. The FIDO Alliance, a growing industry consortium promoting interoperability among authentication devices, touts as a key benefit of strong authentication the decentralization of sensitive data, which is either confined to the device or split between device and server, with separate encryption keys that are never shared, thereby significantly reducing the impact of large-scale attacks.
However, on-device architectures do not allow for device interoperability, and users have to re-enroll on different devices as well as re-register on new and replacement devices. This is an important consideration, as the number of devices per digital user was already at 3.64 over a year ago, according to GlobalWebIndex.
Voice Biometrics Blends Security and Usability, at Scale
Voice Biometrics (VB) is no different to other biometric modalities when it comes to mobile applications, i.e. architectures may be categorized in terms of where processing for voiceprint creation, matching and storage occurs. Opus Research’s recent report “Voice Biometrics Intelliview: Solutions to Optichannel Challenges” summarizes the various offerings and VB vendors across this spectrum.
However, as on-device capabilities improve, there is also a growing case for remote authentication in mobile biometrics:
- Recordings using smartphone mics are proprietary to the device or OS (e.g. Apple Touch ID or Samsung Scanner), and therefore limit the service to particular devices and supported apps.
- Even in a multi-layered authentication solution, the breach of one of the on-device biometrics may expose weaknesses in other biometric modalities, especially if the breach is through malware that bypasses the biometrics altogether.
- Back-up or step-up authentication should use random and layered modalities, as well as different channels and processes in order to provide the strongest possible authentication method.
As the volume of mobile commerce transactions continues to grow, so too does the need for secure, usable authentication, though this will inevitably lead to increased failures (“false negatives”). When it comes to attacks (“false positives”), one of the most common biometric attack vectors is to bypass the biometric altogether by deliberately failing the authentication and then being directed to the backup or recovery process. As implemented by ANZ, voice biometrics, by virtue of being the only scanner-agnostic modality (microphone), is best suited for step-up authentication across channels, including remote authentication in-app, via IVR or even in an agent-assisted conversation.