Voiceprints are moving beyond banks and joining fingerprints and faceprints as a way to confirm employee and customer identities.
As working from home moves from a temporary solution to the new normal, companies need new ways to
. Banks are most likely to use voiceprints to authenticate users, but more companies are considering this approach.
Nuance Communications uses a voiceprint algorithm powered by a deep neural network to analyze 1,000 parameters of an individual’s voice, including tone, pitch, pacing and fluctuations in the sound. The engine determines which parameters are most relevant for each individual and weights them accordingly.
Simon Marchand, chief fraud prevention officer at Nuance, worked in fraud prevention for 10 years in the financial and telecom industries. He said the company’s voice authentication solution is device- and channel-agnostic.
“We are measuring the parameters of somebody’s voice that make them sound unique, regardless of the language, and creating a unique voiceprint for each individual,” he said.
Another analysis runs at the same time to look for anomalies in the recording and can spot vocoders, synthetic speech, or a voice that has been sampled.
The technology can identify actual clients as well as fraudsters. Marchand said the verification process takes half a second and most clients aren’t even aware that the check is happening.
“When you call back, we match your voice against that voiceprint to confirm your identity,” he said.
Some banking clients are using the security check inside an app to verify banking transactions, such as wire transfers of large amounts of money.
“Customers speak a quick sentence to unlock the transaction so there’s no need for PINs or one-time passwords,” he said.
In this use case, voiceprints are stored on the bank’s servers in a central repository, which means one biometric factor works across multiple channels.
Ant Allan, a Gartner Research vice president, said biometrics are widely used in banking as a replacement for a password or another kind of knowledge for customer authentication in mobile banking apps.
“We project that biometric methods will be a necessary component of passwordless multifactor authentication in FIDO2 or proprietary implementations,” he said. “While a PIN native to the endpoint or authenticator can be used, rather than a centralized password, a biometric method is an alternative to anything that looks like a password.”
Marchand said this approach allows security teams to shift from defense to offense.
“Millions of dollars across thousands of victims are tied to a small group of individuals,” he said. “We want to bring the fraud cases under a small number of identities and work with government businesses to find and prosecute them.”
The company also has an algorithm for monitoring chat sessions to spot suspicious requests.
“We use this conversational print technology for both sides of the interaction,” Marchand said. “It looks for requests to wire funds to a bitcoin account or change a SIM card.”
Some clients use the system to guess the age of a caller and move those clients ahead in the queue.
“The system also can identify elder abuse, such as expecting to hear an 85-year-old but the call is coming from a 35-year-old,” he said. “It could be legitimate and coming from a caretaker, or it could be somebody trying to take advantage of an aged person.”
As with most security measures, user experience has a direct influence on the effectiveness of the solution. Gartner recommends that organizations offer a choice of biometric authentication methods.
“Not everybody can reliably use Touch ID on an iPhone, and (fingerprint) performance varies in some environments,” he said. “Voice might not work well in noisy environments or when somebody cannot speak.”
Improving security for brokers working from home
According to 2018 research from the business insurance company Hiscox, theft by representatives costs businesses an average of $357,650 per incident and lasts 2 years. Only 39% of stolen funds were recovered on average, and managers and other senior leaders committed 85% of the cases.
Using voiceprints for security can reduce this internal fraud, Marchand said, particularly when representatives are working from home.
“Companies would use it to monitor the voice of the agent and the customer to make sure it’s always an agent speaking on behalf of the company or to secure an app or an online portal,” he said.
Marchand has also seen companies lock customer files with the customer’s voiceprint to make sure no one is accessing the account after business hours or taking notes on a particular file.
“That’s starting to be more of our conversations as working from home becomes more of an everlasting state,” he said. “Companies are starting to just lock everything up because if the customer is not on the line there’s no reason to show the information.”
Marchand also has noticed an increased interest in using voice authentication for online payments in conjunction with existing security protocols.
Pros and cons of biometric authentication
Forrester Vice President Merritt Maxim said that voice authentication has been around for a while, is the least intrusive of biometric solutions and doesn’t require any specialised hardware.
“For any organization that has invested in an IVR phone system, such as a bank, layering in the voice protection into that system is straightforward,” he said.
Maxim said he is definitely seeing more interest in voice authentication, including use cases for identity verification as part of the process of receiving public benefits.
“Some of the aged inhabitants may not have a smartphone so they couldn’t use a finger or faceprint for verification,” he said. “Several countries have used this approach to reduce fraud and the user experience is straightforward.”
Gartner’s Allan said biometric authentication is generally useful across all industries but is particularly necessary in certain industry verticals and use cases:
- Where higher accountability, non-repudiation and segregation of duties are required and biometric traits cannot be shared as easily as passwords and physical tokens, such as with drug trial data and chain of custody of electronic evidence.
- Where touchless or deviceless authentication is desired in healthcare settings or clean rooms.
- Where biometric data can be captured during onboarding and combined with document-centric identity verification tools, primarily in banking and other financial services.
Demographic bias is another factor to consider when implementing biometric security methods, Allan said. He used the examples of gait recognition, which might not work as well with women as with men because of the greater variation in women’s footwear, and face recognition, which might not work as well with people with darker skin.
“These biases originate in the design of the machine-learning algorithms used in these tools, in the training data, and in the populations used in testing,” he said. “Vendors are generally taking steps to address these issues.”
Allan also stressed the importance of presentation attack detection (PAD), which is the ability of biometric security measures to determine if a sample is being captured from a living subject present at the point of capture.
“A biometric method that cannot discriminate between a live subject and a facsimile (picture, video, mask, recording, or a synthetic sample) provides tiny security value, however correct it is,” he said. “With efficient PAD in place, the risk arising when an attacker ‘discovers’ your fingerprint is significantly lowered, and well inside the risk appetite of most firms.”