Biometric authentication projects seemed to crop up a lot in the financial services industry this year.
So far, they have all been limited engagements — they give customers more options and have the potential to boost security, but are incremental moves. What would it take for biometric authentication to become routine and common, and eventually take the place of the insecure and easily guessed or stolen password?
1. More devices would need to be compatible.
"We're still in the very early days of using biometrics," said Mark Nelson, senior vice president of risk and authentication products at Visa. "I have four devices — a desktop, laptop, tablet and a phone — and only one of them has biometrics capability. When we talk about true mainstream, and being able to truly use biometrics to eliminate passwords, we're still a long ways off from that."
Any smartphone with a camera can handle voice and facial recognition. Fingerprint capture requires biometric sensors (iPhones and some Android phones have this).
Visa is working with the identity management software company Bioconnect on an authentication-as-a-service through which the card organization would vet biometric providers and help integrate those products with member banks' mobile banking apps. It plans to include fingerprint, voice, and facial recognition and is looking at the vendors Nuance, Morpho, Daon and EyeVerify. Each bank would store its own customers' biometrics.
The overall biometrics market is expected to grow from $9.58 billion in 2015 to $31 billion by 2023, according to Global Market Insights.
2. Consumers would have to give up their qualms about biometrics.
People who have seen the movie "Minority Report" or read the book "Angels and Demons" sometimes say, "I can reset my password but I can't reset my voice, iris, fingerprint or face."
"That is something that is hard to answer, because it's true," Nelson said. "And people will have that feeling for quite some time."
Most of the biometric solutions out there, however, encrypt the data.
They also include tests for "liveness" so that you couldn't chop off someone's finger, surgically remove their eyeball, record their voice or take a picture of them to impersonate them.
"There is a lot of liveness detection that goes on, but the general consumer is not going to be aware of that," Nelson noted.
Many vendors also capture biometrics in a way that only their software can read them; they can't be reused elsewhere. A voiceprint generated by Nuance, for instance, couldn't be read by any other voice recognition software.
3. Banks would have to offer multiple options, to overcome the weaknesses of each method.
No biometric based on a physical trait has yet been able to completely replace the username and password, because each has its weakness.
Fingerprint recognition doesn't work when it's wet or cold out. (Frankly, my iPhone almost never recognizes my fingerprint, even in the best of conditions.) Voice recognition doesn't work in very noisy environments. Behavioral biometrics may not work when someone has a broken hand or is very ill (or is drunk, but maybe that's just as well). Facial, eye vein and iris recognition don't work in extremely dark or bright conditions.
This means that banks that offer biometric authentication also have to offer password bypass — the ability to use a password or PIN to get around a biometric check. This significantly waters down security and it means you can't use most biometrics to replace passwords, yet. If a hacker can easily default to a stolen or guessed PIN, there's no added security at all.
But if banks offer several choices, the odds increase that one of them will work.
4. It has to be easy to use.
Making login to mobile or online banking more difficult obviously won't go over well with consumers.
"Think of facial recognition, which is popular, but it takes more time," said Ohad Maimon, executive vice president of business development and strategy at Leumi Card. "You have to stop, take an action, operate your camera and take a selfie, and it's very intrusive. Think about the iris scan. It stops you, it's not natural and it's not seamless."
That makes passive forms of biometrics increasingly appealing. Such forms would include behavioral biometrics, which capture users' finger movements, the angle at which they typically hold their phone, the amount of pressure they apply to the screen, and such to identify them. There is also passive voice recognition, where software analyzes users' voices as they are speaking without having them say a defined word or phrase.
Bank Leumi recently implemented behavioral biometrics for its Leumi card app. It's using SecuredTouch; another provider is BioCatch.
"The beauty of behavior is that it's both natural and seamless," Maimon said. "You're not changing the way you behave to authenticate yourself. I think the future of security measures will be something that is seamless and constant. Therefore I believe the behavioral biometrics is the key for the next thing in security and it will prevail over voice, ID scan, face scan or iris scan."
TD Bank recently went live with voice biometrics in its call centers in the U.S. to tackle the growing challenge of fraudsters socially engineering call center reps to get them to reset passwords or divulge sensitive information.
"We know the balance between exceptional customer experience and security is a very fine line," said Robert Ghazal, head of U.S. contact centers at TD Bank. "As fraudsters become more aggressive and skilled in various areas, anything we can do to mitigate those losses is something we have to look at."
When customers first enroll in voice authentication, they speak normally while the software captures their voiceprint — on average this takes two and a half to three minutes. Then they are read a disclosure where they have to agree to opt in. Enrollment rates are above 90%, Ghazal said. Within the first four weeks, 200,000 customers signed up. (TD Bank uses technology from Nuance. Other providers include Daon, Agnitio and VoiceTrust.)
In future calls, the software analyzes the customer's voice and compares it against recordings on record; typically this takes 12 to 15 seconds. Many customers have enrolled and then called back immediately to see if the system works, Ghazal said.
The technology is connected to the bank's mobile app. If app users tap the "call us" button, they come through authenticated and go to the front of the call center queue.
"The rationale behind that is we know a customer who calls us on their mobile device is usually in a rush and it's usually because they're attempting to self-serve and something has gone wrong," Ghazal said. "That customer's requirement for speed and efficiency in dealing with their problem is typically a little higher than someone who just calls in on the normal line."
The bank also keeps a database of all callers who turn out to be fraudsters, so when they call back, they are readily identified.
If the voice of someone who has enrolled in voice biometrics can't be identified due to background noise or a poor connection, the bank goes through a backup authentication process involving challenge questions or having someone authenticate themselves in the app.
Ghazal said biometrics will not become mainstream until they work with all the technologies consumers use, including Amazon Echo and Google Home.
"At the end of the day, what's going to win is ease," he said. "What's simple, safe and packaged in a manner that people won't be scared of it."
Editor at Large Penny Crosman welcomes feedback at firstname.lastname@example.org.