Banking on Voice Biometrics
New Year's Eve marked the deadline for compliance with Federal Financial Institutions Examination Council (FFIEC) guidelines for authenticating users of online banking services. So naturally, banks have stepped up their evaluation of alternative ways to harden security on their online banking services. However, the most farsighted financial institutions don't stop with their online services; they recognize the value of installing resources that can be leveraged across multiple touchpoints throughout the enterprise.
Even though use of online banking has experienced explosive growth in the past year, contact over the telephone, through interactive voice response (IVR) platforms and live contact center agents, still accounts for a significant percentage of customer care contacts. That's why the use of voice biometrics, integrated with a multimodal strategy for customer care, is starting to look so attractive.
Banks and financial institutions are not monoliths; they are often of two minds when it comes to preferred practices. Their marketing departments, rightfully, put an emphasis on user convenience. Security executives correctly emphasize strong methods for fraud prevention. Their stalemate was broken with the FFIEC guidelines that included a few real-world examples, illustrating both a layered approach (to prevent man-in-the-middle types of spoofing) and two-factor authentication to reduce identity fraud.
Guidelines from quasi-regulatory bodies are often treated as nice-to-know data points for financial executives. However, in mid-2006, the Federal Deposit Insurance Corporation (FDIC) made it clear that banks would have to make specific changes to online security methods and practices to qualify for federal insurance in 2007. Hence, the urgency and stepped-up activity among banks and financial institutions looking for compliant solutions.
Nothing to Fear but FUD Itself
During the past year, the chorus of analysts, auditors, and technology providers has done little more than add to an atmosphere of fear, uncertainty, and doubt (FUD). Chief among the criticisms have been observations that most of the technologies are immature, and therefore not ready for mass deployment.
A second set of criticisms revolves around a shift in the nature and mix of fraudulent acts being perpetrated by wrong-doers. Many of the proposed solutions do little to prevent the new generation of phishing attacks (where real people are misdirected to fraudulent resources) or those insidious spyware attacks where keystrokes are captured, building a database of personal information and passwords that can later be used for identity theft.
Adding to the chorus of FUD are concerns about physical, one-time, password-generating tokens that can be lost, stolen, or otherwise compromised. And finally, many pundits strongly believe that users will be repelled by any form of enrollment process that proves to be time-consuming or an invasion of their privacy.
Complete solutions abound, but will not be readily apparent until there are more deployments to serve as case studies and reference accounts. Government agencies, such as tax authorities and welfare agencies, are starting to use voice biometrics in the context of strong authentication. Banks will be next. They will be followed by healthcare providers, insurance companies, and brokerage houses.
In that respect, the maturation of speaker verification and authentication will continue as standards are established and ratified. Efforts by organizations such as the American National Standards Institute and the adoption of strong authentication within the Identity 2.0 crowd through the emerging OpenID standard will drive real-world application through clear and effective authentication methodologies.
In shaping future adoption of voice biometrics into user-authentication schemes, FFIEC compliance is a catalyst, but it is by no means the only one.
Dan Miller is the founder of and a senior analyst at Opus Research. He published Telemedia News & Views, a monthly newsletter featuring developments in voice processing and intelligent network services. Contact him at email@example.com.