An industry group recently launched a project to analyze how biometrics could strengthen customer identification and help thwart fraud.
The Financial Services Technology Consortium's (FSTC) biometrics initiative aims to provide banks with a better understanding of the current state of biometrics and how the technology could make it harder for fraudsters to steal someone's identity or take over accounts, said Dan Schutzer, FSTC executive director. Banks have been piloting biometrics, he said.
"It's clearly the third companion for stronger authentication: something you know, something you have, and something you are," he said.
FSTC, based in New York, is a group of North American-based financial institutions, vendors, research organizations and government agencies. Its members include Citigroup Inc., Wells Fargo & Co. and JPMorgan Chase & Co.
The project will look at the various types of biometrics, their cost and performance, and which applications they are best suited to, Schutzer said. The technology will be analyzed for its use online, in call centers and in retail branches.
"It's a fairly complex subject. Different biometrics are better suited for different applications and channels," he said. For example, voice biometrics would be the natural candidate for improving authentication in a call center.
The initiative will also explore the possibility of a shared database with biometric data of known fraudsters, which could help financial institutions prevent both insider and external fraud, Schutzer said.
Cost and maturity concerns have been holding banks back from deploying biometrics, he said.
"Customer acceptance is tremendously important," he said. "You want to make sure you're adding convenience as well as security for the customer, so they're more likely to pick up on it. If you make something too hard and too onerous, they won't want to do it."
Mark Diodati, a senior analyst for identity management and information security at Burton Group, said U.S. banks have steered clear of biometrics.
"It's simply a non-starter in the online retail banking space," he said. "The reason is that consumers absolutely refuse to use a hardware-based authentication mechanism, and if they refuse to use a one-time password device, which is portable and doesn't install any client software, you can bet they really don't want to use biometrics."
Not only will a biometrics system require the installation of software, it will also likely require hardware troubleshooting before it works, he said.
Iris scanning has some potential for ATM use, but banks are still a long way from deploying it, Diodati said.
"There's not only a technology problem with that, but a huge process problem," he added. "How are you sure the biometric sample actually belongs to the person you think it does?" Such a system would require some identity proofing that would bind the user's identity to the iris template, he said.
Banks are also reluctant to use biometrics internally, favoring either one-time password devices or smart cards for employee authentication, Diodati said. One sector where biometric authentication systems have been deployed is healthcare, he added.