As electronic options for financial services continue to expand, so do security concerns. Are biometrics the answer?
Historic standards for authentication hinge on three common types of validation:
- Something known, including passwords or PINs.
- Something physically possessed, including smartcards or tokens.
- Something unique to you, including your voice or fingerprint.
In a time when personal knowledge and possessions are shared, stored, and even occasionally stolen, the value of physical verification unique to you can be a clear advantage.
As new standards come down from the Federal Financial Institutions Examination Council, tightening up the expectation for advanced multi-factor authentication, biometrics could be getting a second shot at prominence among financial institutions.
Roughly defined as “the process by which a person's unique physical and other traits are detected and recorded by an electronic device or system as a means of confirming identity,” the concept draws from low-tech roots as far back as the 1800s.
Modern solutions may focus on a person’s appearance, like their face, fingerprint, or vascular structure, or their behavior, like the way they speak, type, or sign their name. Credit unions first rolled out member-facing biometrics in the late 1990s, but high implementation costs and undeveloped solutions kept many undecided about implementation.
Today, government buy-in and declining technology costs have made these options more affordable than in the past, but achieving cost validation or even potential cost savings depends on how biometrics will be used and why.
For instance, Desert Schools Federal Credit Union ($2.9B, Phoenix, AZ) uses members’ voices, synched from a recorded voicemail, to verify and validate high-risk transactions like wire transfers or password resets in a 24-7 call center scenario.
Bay Federal Credit Union ($650.9M, Capitola, CA) uses a biorhythm solution for its online transactions, measuring “how fast or slow you type each letter, how hard you press each key, how long you hold down the key,” to confirm users’ identities and cut down on costly fraud or other vulnerabilities.
Some solutions also focus on back-office authentication, which is important, since employee-related breaches and data theft can be a significant issue.
A 2011 study by the Ponemon Institute, a Michigan-based data protection and information security research center, found that 30% of businesses surveyed had been the victim of actions by malicious insiders, at an average annualized cost of more than $100,000. A 2009 study revealed that more than 59% of ex-employees surveyed stole company data when leaving the job and 35% had access to the system for a week or longer after termination.
It may also be more feasible from a cost standpoint to train employees on biometric technology, rather than your entire membership base, which can expand and experience other changes much more rapidly.
For a deeper discussion of authentication and security strategies in mobile and online channels, look out for the forthcoming 4Q 2011 Technology@CU, a supplement to Callahan & Associates’ CUSP that focuses on innovative technology within the credit union industry.