03:30 PM
Biometrics: The End of Authentication as We Know It?
Biometrics -- the science of identifying individuals by their unique physical traits, such as fingerprint, iris and voice patterns -- always has been cutting-edge technology. Sexy, even. But practical for the banking industry? Not so much.
Now, however, the International Organization for Standardization (ISO) has established a standard security framework, ISO 19092:2008, for the use of biometric authentication of individuals in the financial services industry. According to the ISO, the framework introduces the types of biometric technologies and addresses issues concerning their application. ISO 19092:2008 also describes architectures for implementation and provides recommendations for suitable use.
Noting the sheer volume and value of electronic financial services transactions, the Geneva-based standards organization says on its Web site that it created the framework because of the industry's "strong need for an ironclad authentication method." The ISO adds that traditional passwords are too easily compromised.
Christine Barry, research director for Aite Group, says the new standard "is likely to encourage banks to deploy biometrics on a larger scale as they strive to enhance the level of security used to protect valuable customer data." She notes that biometrics "provides many advantages over current methods, such as passwords, which can be easily lost or stolen."
Aite Group estimates that less than 20 percent of financial institutions currently use any type of biometrics, but the Boston-based firm projects that number to jump to 35 percent by the end of 2009, according to Barry. "Most implementations have been behind the scenes and used by bank employees, with only limited uses of the technology at the customer level," she says. Barry adds that "finger scanning has seen the greatest success to date as a result of its low cost, higher level of awareness and high accuracy levels."
Heritage Bank of Commerce ($1.37 billion in assets) is among the banks that already are leveraging biometrics. The San Jose, Calif.-based institution uses fingerprint-recognition technology on its fleet of laptops for staff and board members, according to Larry St. Regis, Heritage's SVP and information services manager, and is preparing to implement Austin, Texas-based IdentiPHI's SAFsolution biometric access control and identity management software on its network. (IdentiPHI purchased the biometrics-based solution from now-defunct vendor Saflink last year.)
The driver behind the move to add biometrics to the bank's network, St. Regis explains, is to guard against internal threats, an area that he contends banks haven't really addressed yet. "Sooner or later," however, "it will become a regulatory requirement," he predicts.
Initially, St. Regis reports, Heritage will deploy SAFsolution for staff network verification as well as access to server rooms and data centers. The bank will leverage fingerprint IDs, although, St. Regis says, "The solution supports pretty much any type of biometrics."
St. Regis adds that there still is "a little uneasiness over retina scans," while most people seem comfortable with fingerprints. "We're looking for opportunities to make our data as secure as possible, and fingerprint technology specifically is going to be very accessible," he says.
Eyeing Biometrics
Despite apparent concerns in the U.S. over retina scans, eye-scanning solutions have seen adoption by global banks, according to Joe O'Carroll, VP of IrisGuard, a Geneva-based provider of iris-recognition systems. Cairo Amman Bank (Amman, Jordan), for example, employs the IrisGuard iBank Suite to authenticate transactions for all of the bank's customers, O'Carroll reports.
Noting that IrisGuard is ISO-compliant, O'Carroll says the solution doesn't alter bank applications. "Through the application program interface, you circumvent passwords and user IDs," he explains. "The bank customer is asked to look into the camera -- the camera is automatically enabled -- and the eyes are captured, producing a strong authentication. Then the customer is presented with a service screen."
The iris-scanning solution is a natural fit for bank security, O'Carroll contends, because, "You have proof of who carried out the transaction." He adds that IrisGuard has carried out 16 trillion cross-comparisons without a false accept.
An early player in banking biometrics was Diebold's PassVault system, which recognizes palm prints to grant entry into the safe deposit area of financial institutions. Beaverton, Ore.-based First Tech Credit Union ($1.6 billion in assets) implemented PassVault in 2007. According to Jim Mongrain, the credit union's corporate facilities manager, members got "a real kick out of the high-tech idea of hand scanning." In addition, customers seem to appreciate the reduced wait time and increased privacy, since no staff members are involved either in accessing the vault area or in opening the boxes, he reports.