U.S. Bank Pushes Voice Biometrics to Replace Clunky Passwords
U.S. Bank (USB) employees are piloting software that will, if all goes well, be used to let customers access their credit card accounts on a mobile device by speaking a few words into their phone.February 12
App development for multiple mobile devices and countries is also on the agenda for the bank's wholesale banking division.December 12
When U.S. Bank announced Wednesday that it's testing voice biometrics for possible use by customers to access account information, it joined a line of banks that have been testing this technology, including Wells Fargo (WF) and Barclays.
Voice biometric software users log in to an application or website by speaking a word or phrase. That word or phrase is compared to a previous recording the customer has made, to verify it's the same user.
Many industry observers have been saying for at least a year that the password is dead and more secure alternatives to authentication, such as voice biometrics and iris scans are needed to verify a user's identity when banking online or via a mobile device. (Other alternatives are being floated as well, such as HSBC's decision this week to issue tokens to U.S. customers to access their online banking accounts.) Some press accounts Wednesday stated that the goal for U.S. Bank's pilot is to improve customer data security.
However, executives at U.S. Bank, a unit of U.S. Bancorp (USB), and Nuance Communications, its Burlington, Mass.-based vendor, say that the main benefit of biometric software is ease of use, rather than enhanced security.
The software replaces the need to enter a password on a mobile device, which can be a clunky experience, they say.
"Long, secure passwords that include upper- and lowercase [characters], numbers and symbols are one thing on a computer keyboard and an entirely different thing on a mobile device keyboard," points out Dominic Venturo, the chief innovation officer for U.S. Bank Payment Services.
When U.S. Bank originally launched mobile banking, it required customers to log in with a four-digit personal identification number. To strengthen security, it eliminated the four-digit PIN and switched to long passwords.
"The No. 1 feedback item we get from customers is, this long password is difficult to enter," Venturo says. "Being able to replace this with voice biometrics is the opportunity to really improve the customer experience and solve a pain point."
Venturo would not reveal details about the pilot, other than to say that it's widespread. "We want to use a big enough sample size that the results are useful and help us prove out the technology, so that puts us into the hundreds, if not thousands [of employee testers]," he says.
In its tests, the bank is closely watching the success rate of the Nuance voice biometric software in terms of authenticating users and the impact of background noise and other factors that could hinder its effectiveness.
Venturo himself is one of the testers. "It works pretty well. I'm optimistic," he says.
The biggest challenge he's observed so far has been the effect of background TV noise. "Other voices that are not quiet in the background can be a bit challenging, because you get voice overlap," he says. However, other background noise, such as the hum of heating and air conditioning equipment, has not affected the software's performance.
In other deployments, Nuance says it has 35 million people using its voice biometrics and the rate of successful log-ins ranges between 95% and 99%. "The reasons for failure are background noise and multiple people speaking at the same time," says Brett Beranek, solutions marketing manager at the software company. In such instances, a backup authentication method needs to be used.
At U.S. Bank, the fallback is the user ID and password, the bank's pre-existing method of authentication.
Venturo stopped short of saying that voice recognition is more secure than traditional passwords.
"Every security approach I'm aware of has different risks associated with it that have to be managed," he says.
There are always trade-offs between security and convenience. Long passwords can be secure, but they're hard to remember and enter.
"Consumers tend to go for things they can remember, so it's not uncommon when we see data breaches to find out a whole bunch of people had the password 'password' or '1234,' " Venturo says.
Beranek says other banks have reduced fraud by implementing voice biometrics. "Some have even publicly reported that they haven't had a single case of fraud since they deployed voice biometrics," he says.
Some bank clients use the technology to secure corporate wire transfers, others to protect transactions for high-net-worth customers. Wells Fargo uses the software in its wire transfer room, comparing incoming spoken passwords against a library of voice prints of "bad actors" to prevent known con artists from executing wire transfers.
"Every system has its pros and cons, whether it's from a convenience or a security perspective, and none of us would claim that voice biometrics is the end-all, be-all of security solutions," Beranek says.
Voice biometric accuracy rates have traditionally been higher than speech recognition, which U.S. Bank has also been testing.
"The problem set is narrower -- with voice biometrics we're doing a one-to-one comparison," Beranek says. The audio file of a customer saying a phrase such as, "my voice is my password," is compared to a recording the person made earlier of that same phrase. In speech recognition, the customer can be saying anything, so the potential word matches are almost infinite.
U.S. Bank's Venturo says there are multiple uses for voice biometrics apart from using it to access accounts. Going forward, it could be used in the bank's voice response unit, in the call center, and as a second factor for higher-risk transactions such as wire transfers. "We believe this has applicability in a number of interesting use cases well beyond the mobile device," Venturo says.