The User Name and Password Are Dead. Now What?

APR 25, 2013 10:35am ET

It's a user's face. Her voice. It's fraud scoring. It's location.

In a future devoid of user names and passwords, banks will have to concentrate on a series of different mechanisms in order to better fight cyber crooks.

"The voice alongside location, combined with any risk [engine] that you might use to find fraud, and create a score based on that," says Todd Hawkins, a client relationship executive at information technology company CSC. "It's layered, we can see now that you can use different [methods] for different scenarios of fraud analytics."

Hawkins took part in a panel this week at the CEB TowerGroup conference in Boston focused on fighting fraud. Speakers from FIS, RSA and NICE Actimize took part in the discussion.

He adds that mobile devices, such as cell phones and tablets, will soon become mechanisms to secure all sorts of transactions and core system processes.

"When you go out of band with creative technologies, you can create a nice, seamless experience," says Hawkins. "That's going to start defeating the fraud that's out there."

For instance, he says, a system that might use a person's voice — speaking a randomized PIN, or a word on a smartphone screen — could be unique enough to frustrate cyber thieves.

Hawkins plugs his own company's product, ConfidentID Mobile, a system that uses multi-factor authentication in order to determine that the right person is getting access to information.

Still, onboarding those customers is the biggest challenge of advanced authentication techniques, says Joram Borenstein, a senior director of product marketing at NICE Actimize.

"I think on the biometrics front, increasingly that's becoming less of a science problem," he says. "What you are seeing is a desire to make the initial enrollment passive and painless for the end users."

Until that issue is overcome, Borenstein says, bankers will be hard pressed to deploy biometrics in anything other than a pilot.

Hawkins says he believes, however, that next-level authentication technology being rolled out to the masses "is very close. When you start opening up the opportunities to use Facebook to get into [online banking], you have your security guys just jumping off the roof. But the business guys love it. So you have to find the technologies in the middle to allow customers to [use] Facebook [banking]. The technologies are there."

Sean Sposito is at the CEB TowerGroup conference this week. Follow him on Twitter at @SeanSposito, or the conference in general with the hashtag #CEBTG13.

Comments (1)
The problem is not necessarily that the username and the password as a mechanism for authenticating someone is broken, it's the fact that the data can (a) be intercepted and (b) stolen from the service that is supposed to be securely holding them or because the user has pinned it to their desk partition because they have too many to remember. These are by far the biggest reasons this mechanism for authenticating someone fails...remember the problem this very site had a few months back? ...stolen credentials...don't store usernames and passwords in the same place!...in fact don't store them at all....
What if passwords were never stored anywhere except in the user's head and were never transmitted anywhere but could still be used to perform an authentication? Getting rid of the transmission removes the possibility of intercept; getting rid of them being stored anywhere eliminates the opportunity to hack a server and steal them.
This solution is not possible you might say. Well, it is possible and I have seen it in action and it is really clever. In my opinion, the user experience is better than it is now and doesn't require any investment in extra hardware, or an extra device or a change in user behaviour. Would this not be a better way to go before spending a load of money on new hardware?
Posted by roblesman | Sunday, May 05 2013 at 6:17AM ET