The coming year will be "the year of voice biometrics" for authenticating bank customers, according to Al Pascual, security, risk and fraud analyst at Javelin Strategy & Research. "Consumers love biometrics," he says. Even though Javelin's latest consumer research on security, released last week, showed that only 11% of Americans have any experience with biometrics, those 11% give voice biometrics the highest marks of any authentication technology.

"The old ways of authenticating — primarily passwords — don’t have the allure or the trust of the public any more," Pascual says. "People are ready for something new." Voice biometrics lends itself to authenticating the consumer in online and mobile banking for a few reasons. The first is that it’s relatively inexpensive. It can be done in software, over a home phone, through a voice over IP connection, or through a wireless connection. "It's just a processor running a computer algorithm based on the voice print they have on file determining whether or not you're you," Pascual explains. "There's no new hardware, it's just space on a server or on your phone."

The voice biometrics software that runs on a smartphone will naturally be lower-test than a solution that runs in a bank's data center on racks of servers. "There are a lot of compromises that need to be made as far as the complexity of the algorithm that determines whether or not the voice matches," Pascual acknowledges. "Something that runs on your iPhone 4S is not going to be as strong as something that's rendered locally. That doesn't mean it's not useful."

Banks will end up making security decisions along these lines, Pascual believes. A funds transfer between a customer's own accounts or a balance check might be secured with a simple voice check on the phone itself. "If I'm going to wire $250,000 outside the country, you're going to want to have that running with a lot of processing power behind it to make sure there are no false positives."

There can be false positives with voice biometrics. But with strong voice biometric solutions, an impersonator would have to have the exact same voice print, including tone, timbre and cadence. "You'll have to be able to sound like me 100% of the time to beat the more complex systems," Pascual asserts. "It's not an easy thing to defeat in most cases."

In the Javelin survey, seven out of ten consumers said they would be interested in using biometric authentication. Half said they were interested in using fingerprints; Pascual believes this might be because most people are familiar with fingerprints. "The problem with fingerprints is that in most instances, the bank will need to provide supplemental hardware to the consumer to use in the online or mobile environment. In the mobile environment, no one will want to hook a dongle to their phone to use a fingerprint scanner." Where fingerprint scanners do make sense, he argues, is for high-net-worth business customers; there the cost of a $100 fingerprint reader is well worth it.
Banks have started asking seriously about biometric solutions, Pascual reports. "This year we’ll see voice in wide-scale deployment," he says.

Facial recognition is another possible authentication mechanism for mobile banking, Pascual notes, but it's an outlier. Security experts have shown that you could take a photo of someone and put it in front of the phone to unlock it. "That's something the security vendors are trying to work around," he says. "They’re looking at things like video rather than just still photos, a range of human motion, rather than someone absolutely still."

What's held biometrics back in banking to date, in Pascual's view, is lack of regulatory approval. "The recent FFIEC guidance gives biometrics a one-line mention," he points out. "They talked about everything else in the world, but biometrics got one line — there are biometrics. If regulators aren’t going to give a thumbs up, then when it comes time for inspection, when it comes time to say explain in court how someone broke into an account, the regulators are going to say, it’s not a strong solution, why are you using it? If it comes from regulators' mouths, then they're more likely to stand behind it."