Biometrics: the time is now
Biometrics, the science of identifying people by physical or behavioural characteristics, has been a successful technology in criminal justice for decades. It has increasingly become commonplace when travelling and even in interactions with many civil government organisations.
The use of biometrics in the enterprise has been much slower in coming, but recently the investment case has begun to swing in favour of commercial deployments in both staff and customer facing systems.
The drivers for biometric deployments are fairly universal: the increasing need for improved security and data protection compliance, coupled with a desire to reduce costs through automation.
Securing the least secure channel
The financial services industry has significantly strengthened the internet and physical channels through programmes such as Verified by Visa and Chip and PIN. This has left the voice channel as a significant, poorly protected target; the first figures collated on phone banking fraud by the UK Cards Association measured this at £12.10 in the UK in 2009. Current call centre processes are also expensive as caller authentication can take up to four minutes, at an average cost to the organisation of $1 per minute. Given the volume of calls, the cost of telephone identity authentication is projected to be over $500m in Australia alone, according to Dr Clive Summerfield, CEO of Auraya Systems.
Speaker recognition technology is now in a position to reduce this burden, leveraging the significant investment that companies have made in Interactive Voice Response systems.
Many private sector and government organisations are adopting voice biometrics in order to reduce call centre costs and improve customer service, with a number of Australian banks in the process of purchasing systems. Speaker authentication can secure the voice channel against social engineering attacks, which are becoming more prevalent with the commoditisation of personal information, thanks to social networking. This authentication is typically carried out on-shore, prior to a call being transferred to an off-shore contact centre, preventing sensitive authentication data being passed overseas and improving compliance with privacy regulations. For additional convenience and security, customers' 'personal information' questions can be recorded by the customer and spoken in any language – this is especially valuable for multilingual contact centres or where businesses have overseas customers.
Social acceptability of the technology appears to be high, most likely due to the familiarity with IVR systems which resemble speaker recognition systems in customer interaction. An early adopter of biometrics, to improve authentication security, was Centrelink, an agency of the Australian Federal Government, which delivers a wide range of payments and services, including crisis referrals and disaster response services
The Centrelink solution has allowed it to not only strengthen identity authentication and enhance privacy compliance in its call centres, but also to automate a number of routine transactions and provide these on a 24/7 service to applications which would previously have needed agent assistance. These include such transactions as 'change of address' which, whilst relatively easy to automate (using speech recognition), could not be deployed because there was no way to adequately authenticate caller identity.
With voice biometrics, however, caller identity is assured and as a consequence such applications can be safely deployed, not only enhancing service levels, but also increasing the efficiency of the contact centre.
Reducing losses through employee fraud
The problem of payroll fraud is endemic in many businesses with large casual workforces, particularly in construction and heavy industries.
Figures from the UK construction industry suggest that fraudulent claims (including buddy punching and ghost working) can comprise up to 6% of wage bills. In this context, biometrics provides a method for securely combining time and attendance monitoring with physical access control.
Prevalent technologies being used are facial recognition, hand geometry and vein recognition (such as PalmSecure® or finger vein).
Enrolment of employees typically occurs during the usual HR joining process; this strongly binds a single person with their employment record and presented documents. In day-to-day operation employees will identify themselves via the biometric solution, preventing employee substitution and automating the collection of accurate time and attendance information.
Whilst countering employee payroll fraud is the principal driver in the deployment of these systems, adopters tend to also benefit in other areas. Firstly, legislative compliance is significantly improved; including ensuring all persons on site have auditable right to work checks, have been through site training and induction, and that necessary qualifications have been checked and linked to the individual.
Secondly, site security tends to be improved through the deployment of linked time and attendance and physical access control, this is principally because of the inability for access cards to be lost or lent to others, improving compliance in terms of site access. Other sectors such as healthcare and education are likely to adopt similar solutions in the medium term to ensure awareness of those entering or leaving site for safety reasons.
Reducing the cost of password management: two approaches
Managing user passwords is an expensive business. In large enterprises, password resets average at 1.5 calls per user, per year, or 30% of helpdesk calls. Case studies put the cost for some companies as high as $600,000 per year, plus the cost of lost productivity for the affected employees. Two schools of thought have arisen to combat this problem: automate the reset process or do away with passwords altogether.
Many enterprises have attempted to automated password resets through self help portals, either accessed from the login screen, or via standalone terminals in offices. However, portals are designed primarily for fixed office environment and are ill suited to the growing groups of largely mobile workers. User acceptance of portals is also problematic, as many users will, by default, use the current help desk number if it remains available. In this context, voice biometrics provide a clear opportunity for enterprises to augment their existing help desk systems in a manner that remains intuitive for users and diverts unnecessary help desk calls. Typically the system changes needed to the existing infrastructure are small and the speaker recognition components compare favourably in price to other biometric implementations. Pricing options include per enrolee, or per call charging, allowing customers to ensure payment is by results.
The other option is to integrate biometrics directly with an enterprise class identity and access management tool, deploying biometric readers direct to the user's desktop.
A wide range of biometrics are supported by products such as IBM's Tivoli suite, most commonly deployed are fingerprint and vein because of their size and ease of deployment in a typical office setup. Using biometrics for logical access control is particularly suited to enterprises with a traditional desktop based infrastructure where there is less need to accommodate mobile users or those with specialist desktop arrangements.
Early adopters of biometric logical access control have been contact centres, financial services and healthcare providers. These organisations need to be able to demonstrate much more explicitly their compliance with access to records and have had a history of problems with password sharing between temporary or casual employees. It is likely that the next group of adopters are likely to be other regulated industries or government agencies, where clear adherence to data protection principals is vital.
Identity in the cloud
As more enterprises offer and consume cloud or cloud-like services, there arises both risk and opportunity in the use of 'identity'. On the risk side, in the cloud it becomes increasingly difficult to establish a distinct identity for consumers of services and prompts a rethink of how access to services is controlled. A number of providers are developing solutions to this quandary by enhancing their enterprise identity management tools to include biometrics. This will expand in the coming years to incorporate more tools for biometric authentication in mobile devices, to provide the same assurance on the move as in the office.
The advantage of identity services in the cloud is that it lowers the cost of deployment for those enterprises wishing to add biometrics into their IT environment. Companies such as VoiceVault already make their services available in an on-demand manner via web services and it is likely other vendors will follow suit.
It is likely that biometric based identity and access management solutions will form part of the offerings for Desktop as a Service (DaaS) offerings from major providers, again providing economies of scale for consumers of outsourced IT services.
Commercial biometrics: the time's now
Biometric technologies have now reached a stage where they are mature and widely deployed across the public sector. This has led to much greater public exposure to and acceptance of these technologies. With increasing pressure on commercial organisations to better manage their customers' and employees' identities whilst also driving out cost, biometrics have likely come of age for commercial organisations as well.
The early adopters of these technologies are financial services for voice biometrics and biometric logical access control, and the construction industry for biometric based time and attendance systems. The return on investment in these industries is often shorter than one year; however, other organisations are also likely to see significant returns in the short to medium term.