Biometrics attracts few takers
- 27 February, 2008 22:00
Biometrics - the use of biological identification such as retinal scans, voice recognition or fingerprint imaging to validate a person's identity - has been billed as a cost-effective and robust method of reducing identity fraud. But surprisingly few organisations have moved past the pilot project stage.
Early this month, the International Organisation for Standardisation published a benchmarking standard for financial services companies seeking to adopt biometric authentication as part of their security processes.
The new standard, known as ISO 19092:2008, sought to provide a security framework for using biometrics for authentication of individuals in financial services, spelling out the variety of biometric technologies available and the potential security problems arising from their use.
In a statement accompanying the release, ISO said the volume and value of transactions performed electronically exposed the financial community and its customers to severe risks from accidental or deliberate alteration, substitution or destruction of data.
The new standard addresses issues including the usage of biometrics for the authentication of employees and persons seeking financial services; the validation of credentials presented at enrolment to support authentication as required by risk management; management and security of biometric information across its life cycle, and the application of biometrics for logical and physical access control.
The chairman of the ISO subcommittee that developed the standard, Mark Lundin, said it offered a valuable international consensus-based tool to the financial industry that would encourage the secure implementation of biometrics as an authentication method within this sector.
"This standard is one step ahead, paving the way for the next generation of safer and more reliable financial transactions, increasingly important in today's electronic era," Mr Lundin said.
But concerns about the reliability of biometrics and whether an organisation's customers will take kindly to having their body parts scanned continue to hold developments in check.
An executive security consultant at Commonwealth Bank of Australia, Paul Cresswick, said he welcomed the publishing of the ISO standard; it would provide guidance to the financial sector as it sought to invest in the technology.
He said he believed voice recognition software would be the easiest area of biometrics to deploy and use, but the bank had no biometric trials under way.
"Until recently there have been very few robust technologies capable of being securely implemented," Mr Cresswick said. "But the obvious point of interaction is customer identification and verification in telephony systems such as telephone banking and help desk.
"Voice biometrics offers a customer an understandable and unobtrusive collection regime and can be applied to the various customer-facing telephone channels without having to deploy devices to specifically capture the biometric data such as fingerprint scanners. As a bank we place huge importance on the integrity and privacy of our customer data and would see biometric information in the top tier of sensitivity."
The manager of information systems assurance at global accounting firm BDO Kendalls, Craig Wright, said most organisations were now considering using two-factor authentication - the use of two separate methods of security together - to overcome the failings of validation schemes.
Biometrics could become one aspect of an organisation's security regime alongside traditional methods like passwords.
The average biometric would incorrectly identify, or provide a "false positive" rate of 0.01 per cent. This meant that one in every 10,000 fraudulent authentication attempts would succeed. This compared with a six-character password that would be guessed in one in 100 billion attempts, therefore a combination of both methods would provide a strong defence.
"The benefit of the biometric scheme is that you cannot lend out your finger, you cannot write it down and it will not stay on a Post-it note," Mr Wright said. "Both methods have benefits and flaws; only when used in conjunction with one another are they able to provide a level of secure authorisation."
The new ISO standard was unlikely to have much of an impact in the Australian business community, Mr Wright said. He added the wide variety of standards that already exist in various technology disciplines were usually ignored unless non-compliance would result in directors going to jail. He estimated that less than 15 per cent of companies met their legislative IT requirements.
Yet no one is publicly writing off biometrics and it remains to be seen whether greater publicity of success stories will make an impact on Australian technology executives.
Pay TV operator Austar told MIS Magazine last August that it had shaved $11 million from its operating costs while improving customer experience with a voice-recognition system that streamlined its phone-based, movie-ordering systems.
Meanwhile, technology analysts Forrester Research released a survey of 347 North American contact-centre strategists that found that 44 per cent of respondents had implemented - and 28 per cent were in the process of implementing - speech recognition-based response systems.
The technology director of listed insurance firm Calliden Group, Glen Hickey, said the main reason he had not yet implemented biometrics was cost and convenience.
He said before proceeding he would need to know more clearly what the overall expense would be and, more importantly, how his customers would respond.
Mr Hickey said the new ISO standard was unlikely to have any impact on technology buying or planning patterns.
"My opinion is that it is a nice standard, now back to the real world," he said.
"We can convince our employees and even suppliers to adopt leading-edge technology even if it is inconvenient, but our customers know exactly what they want and it is not inconvenience."
© Fairfax Business Media