Banks inch towards voice authentication
The majority of Internet banking customers currently access their accounts using a username and password, but this is expected to change as banks look to cost-effectively address customer concerns about security.
Geoff Johnson, vice president of research, enterprise networks, at Gartner Asia Pacific, said that although voice authentication on its own is "bottom of the heap" as an alternative to tokens and biometrics, it makes a very useful -- and cost effective -- third layer of security to back up two-factor authentication systems such as passwords and tokens.
"Voice verification in this context makes a lot of sense. All of a sudden you have gone from two-factor to three-factor verification. If you look at the probability of failure, you have reduced it very substantially," said Johnson.
Victoria-based Bendigo Bank, which was one of the first Australian banks to introduce a token-based authentication system for its business customers, is considering the move to voice verification.
Bendigo's senior manager of online solutions, Ross Murray, told ZDNet Australia that although tokens are commonly used by enterprises for allowing secure access to corporate networks, the cost of providing and managing the tokens make the system prohibitively expensive for all but the largest customers.
"You probably wouldn't want to do it to protect the US$50 phone bill but for an AU$10 million transfer of funds overseas, you might do," said Murray.
However, Murray said that voice authentication is being seriously considered for the future.
"We were the first ones to make [tokens] widely available to all customers... We are still looking at other technologies... I doubt we would do DNA or fingerprints because they tend to work far better for physical security to stop people from getting in or out of buildings but probably voice recognition is something we are looking at," said Murray.
Baby steps to voice authentication
The move to voice authentication is likely to be made in little steps, according to Kevin D'Souza, architecture director for global financial services at Unisys, who said that a number of well known Australian banks are evaluating new access control systems that could easily be upgraded to include voice-based authentication.
D'Souza described a technology developed by security software vendor ValidSoft that further authenticates customers after they have entered their username and password by calling their mobile phone and asking them to enter a pin number. If the PIN is correct, they are given a one-time code to type into the browser and unlock their account.
D'Souza said the system could easily be adapted to recognise a special phrase or sentence instead of the PIN: "[voice authentication] is not part of the ValidSoft solution today but it could be integrated into it."
Cindy Nicholson, managing director for Australia and Asia at ValidSoft, told ZDNet Australia that one "leading Australian investment bank" has already signed a contract to deploy the technology and more are expected to follow.
"There are the big four Australian banks and we are in a formal evaluation process with three of those... We have also responded to an RFP (request for proposal) from a New Zealand bank -- there is a lot of activity right now," said Nicholson.