
Bank Technology News - Technology Innovation. Business Results.

Can You Authenticate Me Now?

Bank Technology News  |  January, 2010

Identification protection firms drew attention to themselves last week, as multi-factor authentication company PhoneFactor launched a “triple authentication” product that uses the sound of a consumer’s voice for phone verification; and MasterCard announced a deal with Arcot that expands its Chip Authentication Program and provides users with an app that can run on mobile phones.

PhoneFactor is making biometric verification for phone-based authentication available to banks, government agencies, healthcare firms and other businesses. Users execute a transaction online, then are called by the institution if that transaction is considered high risk based on the institution’s policies, similar to many dual authentication techniques. In this case, however, the voice also serves as a third way to identify the consumer. “With two factor, we refer to what you have and what you know,” says Steve Dispensa, CTO of PhoneFactor. “With biometrics, it’s also what you are. In this case it’s your voice.”

Users receive a call when logging in, and speak their “pass phrase” to complete the login. Risky transactions are protected by PhoneFactor’s voice mapping model, which uses voiceprint algorithms to verify the voice of the person who’s contacted by the institution. The authentication call is out of band, which is designed to protect against man-in-the-middle attacks and keystroke loggers.

PhoneFactor hopes the threat of data theft and regulatory pressure to deploy “strong” authentication will spur adoption of voice biometrics. Other voice biometric providers include firms like Diaphonics, whose clients include Banco Santander International; Authentify; and Persay, whose clients include Bank Leumi.

While biometric identification has been around for a long time, businesses have been reluctant to adopt the technology to verify consumers because of the perceived intrusiveness and the expense of deployment. And as of late last week, PhoneFactor had yet to sign up any clients, though the product has just been made available and Dispensa says the firm is in talks with potential clients.

Dispensa says the cost is contained since PhoneFactor hosts the system; there are no tokens or biometric readers to buy, deploy and support, as there are with other biometric security systems such as retinal scans or fingerprint readers. He also says it requires minimal extra effort on the part of users. “They’re already getting a phone call and hearing transaction details. But instead of typing a PIN into the phone, they are using their voice.”

Another fraud prevention firm, Arcot, unveiled a deal in which MasterCard will use ArcotOTP to expand the devices available for MasterCard Chip Authentication Program (CAP) authentication, as well as providing users with an application that runs on mobile phones.

Making EMV (Europay, MasterCard and Visa standardized) authentication available on mobile phones eliminates the need for cardholders to carry an extra hardware device to authenticate e-banking transactions. Mobile phones can be used in place of card readers to generate single-use passwords.


MasterCard’s CAP allows cardholders to authenticate themselves using their existing EMV banking cards and a personal card reader, or the ArcotOTP mobile app issued by banks. CAP allows part of the transaction data to be included in the generation of the password, resulting in a unique signature for each cardholder transaction, which can help prevent man-in-the-middle attacks.
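
The transaction-binding idea in the paragraph above, as an added example that is not MasterCard's or Arcot's code: it uses HMAC-SHA256 as a stand-in for the cryptogram an EMV card computes, and the key, counter, payee and amount fields are assumptions made for illustration. It shows the bank rejecting a code when an intermediary alters the transaction details, and rejecting a reused code.

```python
import hashlib
import hmac
import struct


def transaction_code(key: bytes, counter: int, payee: str, amount_cents: int) -> str:
    """8-digit one-time code bound to counter, payee and amount (all assumed fields)."""
    payee_b = payee.encode()
    # Length-prefix the payee so field boundaries cannot be shifted.
    msg = (struct.pack(">QH", counter, len(payee_b)) + payee_b
           + struct.pack(">Q", amount_cents))
    mac = hmac.new(key, msg, hashlib.sha256).digest()
    offset = mac[-1] & 0x0F  # RFC 4226-style dynamic truncation
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{value % 10**8:08d}"


class BankVerifier:
    """Recomputes the code over the transaction the bank actually received."""

    def __init__(self, key: bytes):
        self.key = key
        self.last_counter = -1

    def verify(self, counter: int, payee: str, amount_cents: int, code: str) -> bool:
        if counter <= self.last_counter:
            return False  # code already used: replay
        expected = transaction_code(self.key, counter, payee, amount_cents)
        if not hmac.compare_digest(expected, code):
            return False  # details differ from what the cardholder signed
        self.last_counter = counter
        return True


def demo() -> dict:
    key = b"constructed-demo-key-not-real"  # constructed sample secret
    bank = BankVerifier(key)
    # Cardholder approves 125.00 to a constructed payee on their own device.
    code = transaction_code(key, 1, "ACME-UTILITIES", 12500)
    return {
        # Intermediary swaps payee and amount but forwards the same code.
        "tampered": bank.verify(1, "MULE-ACCOUNT", 950000, code),
        "genuine": bank.verify(1, "ACME-UTILITIES", 12500, code),
        "replayed": bank.verify(1, "ACME-UTILITIES", 12500, code),
    }


if __name__ == "__main__":
    print(demo())
```

A code computed over the counter alone would pass the bank's check for any payee and amount, which is the gap that including transaction data closes.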