
What Will Replace the Password?

National Australia Bank fits this use case. In late November, the bank said it would use voice biometrics to allow customers to access bank accounts by using their voices. It's currently using the technology for call centers, but may eventually extend usage to ATMs. Speaking at a media event in Sydney at the end of November, a representative of the bank said the system saves about three minutes on the phone and reduces the fraud threat. Instead of asking for a password or security questions, the technology, which was developed by Telstra, authenticates users by listening to their voice.

And Wells Fargo uses voice authentication in its wire room to spot people who have committed fraud in the past by comparing incoming callers against a database.



The argument for using eyeballs for authentication is their uniqueness and sustainability. The average iris has more than 2,000 unique attributes that don't change during a person's lifetime. It's also a form of biometric security technology that's been widely used for some time.

Government agencies such as the Department of Defense have used iris scans to identify staff at the Pentagon, and Bank of America has used iris scans to identify staff at its Charlotte headquarters. Many DMVs also use iris scans in their drivers' license centers. Inscoe says iris scans are among the most popular forms of biometrics that she hears about when speaking with banks, along with voice prints and facial recognition.



In this method, the fingerprint is supplanted by the entire palm. One of the big advocates of palm print identification is Intel Labs, which is developing a new authentication model around it.

Intel uses palm print software and a biometric sensor embedded in the computing device to identify the user and the device. That in turn opens up access to social media sites as well as other account-based sites such as banks. The argument is the palm is a better mode of authentication because it's more reliable than fingerprints. And in the case of Intel Labs, the palm is read remotely at a short distance, rather than actually coming into contact with the reader.

In an earlier interview with BTN, Sridhar Iyengar, director of security research at Intel Labs, which will work with service providers over the coming years to incorporate sensors into their technology, said making laptops, smartphones and tablets responsible for identification removes the need for websites to perform authentication via password.

Another form of "hand related" biometrics is signature verification, in which a digital signature executed on a pad is measured and compared to a signature stored in a centralized database, using factors such as speed and pressure on the pen. Other, older versions of "hand biometrics" include users placing their hands on an actual reader, which measures the shape of the hand, such as width and length of fingers.



Computing devices themselves can also be "fingerprinted," which aids in authentication.

ThreatMetrix, a device ID company, says there are several ways to "fingerprint" a computing device. Fingerprinting most commonly refers to the measurement of browser, operating system and connection attributes to generate a risk profile of a device. There are a couple of ways to do this, including installing software on the device or using a remote profiling server. These programs can identify a device by tagging browsers; using HTML, JavaScript or other methods to profile based on screen resolution, browser type, time zone, language and media supported; deploying HTTP fingerprinting that extracts types of compression supported and language; profiling connection information to determine the operating system used to connect to the Internet; and accumulating information on the type of connection services. In a separate interview in mid-December with BTN's Penny Crosman, Wells Fargo executive vice president Steve Ellis said the bank has built a version of device fingerprinting that uses an IP address and physical location to identify a user.



Most of our interview subjects mentioned the mobile device as the key to biometric adoption and other forms of advanced authentication, as people use biometrics tied to mobile devices to access services - or use the devices to authenticate themselves in another channel. "It's something we're starting to call bring your own ID," says Michael Versace, a research director at IDC Financial Insights. "The bank is going to start to identify people not by their user ID and password, but by your behavior."

In the case of "bring your own ID," the prevailing "something you have/something you know" ID paradigm grows to include "something you are." The three will eventually combine to enable risk-based authentication.

The same mobile technology that's being used for marketing - such as geolocation and transaction history - can also inform risk-based authentication. "We know where a person usually logs in from and what he does - such as check balances, move money or make a bill payment. That behavior defines your ID. What if there's a log in or activity that's different? Your ID is used to create policies directly related to your behavior," Versace says.
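The device profiling and behavior-based checks described above can be combined into a single risk score that drives an allow, step-up or deny decision. The sketch below is an added example, not code from any bank or vendor named in the article; the field names, weights, thresholds and sample profiles are all assumptions chosen for illustration.

```python
# Attributes the article lists for device profiling; the field names are assumptions.
DEVICE_FIELDS = ("browser", "os", "screen", "timezone", "language", "accept_encoding")

def device_similarity(attrs, enrolled):
    """Fraction of profiled attributes that match an enrolled device.
    A browser update changes one field, so an exact-match hash is too brittle."""
    same = sum(attrs.get(k) == enrolled.get(k) for k in DEVICE_FIELDS)
    return same / len(DEVICE_FIELDS)

def risk_score(login, profile):
    """Score 0..100 from device, location and activity deviation (illustrative weights)."""
    sim = max((device_similarity(login["device"], d) for d in profile["devices"]),
              default=0.0)
    score = round((1 - sim) * 50)              # unfamiliar device: up to 50
    if login["country"] not in profile["usual_countries"]:
        score += 30                            # unusual location
    if login["action"] not in profile["usual_actions"]:
        score += 20                            # unusual activity
    return score

def decide(score):
    """Map the score to a policy: allow, step up to a second factor, or deny."""
    if score < 25:
        return "allow"
    return "step_up" if score < 70 else "deny"

# Constructed sample data: one enrolled laptop and the customer's usual behavior.
LAPTOP = {"browser": "Firefox 17", "os": "Windows 7", "screen": "1366x768",
          "timezone": "UTC-5", "language": "en-US", "accept_encoding": "gzip, deflate"}
PROFILE = {"devices": [LAPTOP], "usual_countries": {"US"},
           "usual_actions": {"check_balance", "bill_payment"}}

def demo():
    updated = dict(LAPTOP, browser="Firefox 18")   # same laptop after a browser update
    stranger = {"browser": "Chrome 23", "os": "Linux", "screen": "1920x1080",
                "timezone": "UTC+1", "language": "de-DE", "accept_encoding": "gzip"}
    cases = [
        {"device": LAPTOP, "country": "US", "action": "check_balance"},
        {"device": updated, "country": "US", "action": "wire_transfer"},
        {"device": stranger, "country": "DE", "action": "wire_transfer"},
    ]
    return [(risk_score(c, PROFILE), decide(risk_score(c, PROFILE))) for c in cases]

if __name__ == "__main__":
    for score, verdict in demo():
        print(score, verdict)
```

The middle case shows why similarity is scored rather than hashed: a routine browser update costs only a few points, and it is the unusual wire transfer that pushes the login into step-up.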


Comments (1)
One point that is missed here is that biometrics are just really long passwords. They are convenient because you do not have to remember them, but they suffer from all the limits of passwords. For example, if I capture the stream that makes up a fingerprint or iris, I can replay it. This is more of an issue on unsecured networks like the Internet. The Pentagon has a secure network that would make it hard for me to replay the captured stream. So, the real problem is what do you do if your biometric signature is compromised? I can change a password; changing my iris is not so easy.

I think the best solution for internet authentication is a smartphone application that generates keys that are authenticated by a third party. So I go to my bank's web site, my smartphone provides the site with a key via Bluetooth, and the bank asks a company like Verisign to validate my identity.
Posted by OwlSaver | Tuesday, January 08 2013 at 11:11AM ET