Voice biometrics are moving beyond banks and joining fingerprints and faceprints as a way to confirm employee and customer identities.
As working from home moves from a temporary solution to the new normal, companies need new ways to. Banks are most likely to use voiceprints to authenticate users but more companies are considering this approach.
Nuance Communications uses a voiceprint algorithm powered by a deep neural network to analyze 1,000 parameters of an individual's voice, including tone, pitch, pacing and fluctuations in the sound. The engine determines which parameters are most relevant for each individual and weights the appropriate elements accordingly.
Simon Marchand, chief fraud prevention officer at Nuance, worked in fraud prevention for 10 years in the financial and telecom industries. He said the company's voice authentication solution is device and channel agnostic.
"We are measuring the parameters of someone's voice that make them sound unique, regardless of the language, and creating a unique voiceprint for each individual," he said.
Another analysis runs at the same time to look for anomalies in the recording that can spot vocoders, synthetic speech, or a voice that has been sampled.
The technology can identify actual customers as well as fraudsters. Marchand said the verification process takes a half second and most customers aren't even aware that the check is happening.
"When you call back, we match your voice against that voiceprint to confirm your identity," he said.
Some banking customers are using the security check within an app to verify banking transactions, such as wire transfers of large amounts of money.
"Customers speak a short sentence to unlock the transaction so there's no need for pins or one-time passwords," he said.
In this use case, voiceprints are stored on the bank's servers in a central repository, which means one biometric factor works across multiple channels.
Ant Allan, a Gartner Research vice president, said biometrics are widely used in banking as a replacement for a password or other kind of knowledge for customer authentication in mobile banking apps.
"We project that biometric methods will be an important component of passwordless multifactor authentication in FIDO2 or proprietary implementations," he said. "While a PIN local to the endpoint or authenticator can be used, rather than a centralized password, a biometric method is an alternative to anything that looks like a password."
Marchand said this approach allows security teams to shift from defense to offense.
"Millions of dollars across thousands of victims are tied to a small group of individuals," he said. "We want to bring the fraud cases under a small number of identities and work with government agencies to find and prosecute them."
The company also has an algorithm for monitoring chat sessions to spot suspicious requests.
"We use this conversational print technology for both sides of the interaction," Marchand said. "It looks for requests to wire funds to a bitcoin account or change a SIM card."
Some customers use the system to guess the age of a caller and move those customers ahead in the queue.
"The system also can identify elder abuse, such as expecting to hear an 85-year-old but the call is coming from a 35-year-old," he said. "It could be legitimate and coming from a caretaker, or it could be someone trying to take advantage of an elderly person."
As with most security measures, user experience has a direct influence on the effectiveness of the solution. Gartner recommends that organizations offer a choice of biometric authentication methods.
"Not everyone can reliably use Touch ID on an iPhone, and (fingerprint) performance varies in some environments," he said. "Voice might not work well in noisy environments or when someone cannot speak."
Improving security for agents working from home
According to 2018 research from the business insurance company Hiscox, theft by employees costs businesses an average of $357,650 per incident and lasts two years. Only 39% of stolen funds were recovered on average and managers and other senior leaders committed 85% of the cases.
Using voiceprints for security can reduce this internal fraud, Marchand said, particularly when employees are working from home.
"Companies would use it to monitor the voice of the agent and the customer to make sure it's always an agent speaking on behalf of the company or to secure an app or an online portal," he said.
Marchand has also seen companies lock customer files with the customer's voiceprint to make sure no one is accessing the account after business hours or taking notes on a particular file.
"That's starting to be more of our conversations as working from home becomes more of a permanent state," he said. "Companies are starting to just lock everything up because if the customer is not on the line there's no reason to show the information."
Marchand also has noticed an increased interest in using voice authentication for online payments in conjunction with existing security protocols.
Pros and cons of biometric authentication
Forrester Vice President Merritt Maxim said that voice authentication has been around for a while, is the least intrusive of biometric solutions and doesn't require any specialized hardware.
"For any organization that has invested in an IVR phone system, such as a bank, layering in the voice protection into that system is straightforward," he said.
Maxim said he is definitely seeing more interest in voice authentication, including use cases for identity verification as part of the process of receiving public benefits.
"Some of the elderly population may not have a smart phone so they couldn't use a finger or faceprint for verification," he said. "Several countries have used this approach to reduce fraud and the user experience is straightforward."
Gartner's Allan said biometric authentication is generally useful across all industries but is particularly important in certain industry verticals and use cases:
- Where higher accountability, non-repudiation and segregation of duties are required and biometric traits cannot be shared as easily as passwords and physical tokens, such as with drug trial data and chain of custody of electronic evidence.
- Where touchless or deviceless authentication is needed in healthcare settings or clean rooms.
- Where biometric data can be captured during onboarding and combined with document-centric identity verification tools, primarily in banking and other financial services.
Demographic bias is another factor to consider when implementing biometric security methods, Allan said. He used the examples of gait recognition, which might not work as well with women as with men because of the greater variation in women's footwear, and face recognition, which might not work as well with people with darker skin.
"These biases originate in the design of the machine-learning algorithms used in these tools, in the training data, and in the populations used in testing," he said. "Vendors are generally taking steps to address these issues."
Allan also stressed the importance of presentation attack detection, which is the ability of biometric security measures to determine if a sample is being captured from a living subject present at the point of capture.
"A biometric method that cannot discriminate between a live subject and a facsimile (photo, video, mask, recording, or a synthetic sample) provides little security value, however accurate it is," he said. "With effective PAD in place, the risk arising when an attacker 'discovers' your fingerprint is significantly reduced, and well within the risk appetite of most firms."