When building a biometric security solution, there is often a “tug of war” between the security team, who want to build a “Fort Knox” type of authentication solution, and the business team, whose focus is on customer satisfaction and ease of authentication. Set the operating point too strictly and legitimate users are falsely rejected and blocked from authenticating; set it too leniently and fraudsters are falsely accepted and compromise accounts. The key is to find a balance that satisfies both parties while ensuring the user can accomplish what they need to do.
With every biometric roll-out we work on (and there have been many), we integrate all the responsible parties as early as possible to provide feedback and direction to ensure success. We have learned the hard way that the most important part of that feedback is getting everyone on the same page as to what you want to accomplish.
Where did we learn this the hard way? Here are cases where we brought in the security team AFTER we had signed off on the design of the solution:
The time the security team wanted a 0% False Accept Rate:
“We don’t want any fraudsters to get in, so we have to have a 0% false accept rate.”
If we had educated the security team on the trade-off between false accepts and false rejects during the requirements phase, we would have set better expectations as to where to set the operating point of the solution. In my experience, there have been NO examples of any security method that gives you a 0% False Accept Rate, with the possible exception of when NO ONE is allowed access, of course. Driving the False Accept Rate to 0% pushes the False Reject Rate up until legitimate customers are locked out, so 0% False Accept = 100% frustrated and disgruntled users, which is exactly what happened at this Financial Institution. Naturally, we convinced them to fix it, but this bad user experience could have been avoided altogether.
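To make that trade-off concrete, here is an added example (my illustration, not code from the original post or from any vendor product). It scores a verifier over a small constructed set of genuine and impostor match scores, computes FAR and FRR at every candidate threshold, and finds the most lenient threshold that meets a FAR target. The score lists, function names and the accept-if-score-at-or-above-threshold rule are all assumptions made for the example.

```python
"""Choosing an operating point for a score-based biometric verifier.

Added example (not from the original post): the scores below are
constructed, not data from any real deployment. The verifier accepts a
claim when the match score is at or above a threshold; raising the
threshold lowers the False Accept Rate (FAR) and raises the False Reject
Rate (FRR) at the same time, so a FAR target is always paid for in FRR.
"""
from typing import List, Tuple

# Constructed sample scores in [0, 1] from a hypothetical voice verifier.
# GENUINE: the caller really is the enrolled customer.
# IMPOSTOR: someone else claiming that customer's identity.
GENUINE = [0.41, 0.48, 0.55, 0.60, 0.63, 0.66, 0.69, 0.71, 0.74, 0.76,
           0.78, 0.80, 0.82, 0.84, 0.86, 0.88, 0.90, 0.92, 0.95, 0.98]
IMPOSTOR = [0.05, 0.08, 0.12, 0.15, 0.18, 0.22, 0.25, 0.28, 0.31, 0.34,
            0.37, 0.40, 0.43, 0.46, 0.50, 0.54, 0.58, 0.62, 0.67, 0.72]


def far_frr(genuine: List[float], impostor: List[float],
            threshold: float) -> Tuple[float, float]:
    """FAR = impostors accepted / impostors; FRR = genuine rejected / genuine."""
    false_accepts = sum(1 for s in impostor if s >= threshold)
    false_rejects = sum(1 for s in genuine if s < threshold)
    return false_accepts / len(impostor), false_rejects / len(genuine)


def candidate_thresholds(genuine: List[float], impostor: List[float]) -> List[float]:
    """Every observed score, plus one value above the highest score so that
    'reject everyone' (FAR exactly 0) is always a reachable operating point."""
    scores = sorted(set(genuine) | set(impostor))
    return scores + [scores[-1] + 1e-6]


def threshold_for_max_far(genuine: List[float], impostor: List[float],
                          max_far: float) -> Tuple[float, float, float]:
    """Most lenient (lowest) threshold whose FAR does not exceed max_far.

    Returns (threshold, far, frr). Thresholds are scanned from low to high,
    so the first one that satisfies the FAR target is the one that rejects
    the fewest genuine users while still meeting it.
    """
    for t in candidate_thresholds(genuine, impostor):
        far, frr = far_frr(genuine, impostor, t)
        if far <= max_far + 1e-12:
            return t, far, frr
    raise AssertionError("unreachable: the sentinel threshold rejects everyone")


def equal_error_rate(genuine: List[float],
                     impostor: List[float]) -> Tuple[float, float, float]:
    """Threshold where FAR and FRR are closest (the EER point).

    Returns (threshold, far, frr); a common reference point when comparing
    systems, not necessarily where a deployment should operate.
    """
    best = None
    for t in candidate_thresholds(genuine, impostor):
        far, frr = far_frr(genuine, impostor, t)
        if best is None or abs(far - frr) < abs(best[1] - best[2]):
            best = (t, far, frr)
    return best


if __name__ == "__main__":
    print(f"{'max FAR':>8} {'threshold':>9} {'FAR':>6} {'FRR':>6}")
    for target in (0.0, 0.01, 0.05, 0.10):
        t, far, frr = threshold_for_max_far(GENUINE, IMPOSTOR, target)
        print(f"{target:>8.0%} {t:>9.2f} {far:>6.0%} {frr:>6.0%}")
    t, far, frr = equal_error_rate(GENUINE, IMPOSTOR)
    print(f"EER point: threshold {t:.2f}, FAR {far:.0%}, FRR {frr:.0%}")
```

On this constructed sample, a 0% FAR target forces the threshold above the highest impostor score and rejects 40% of genuine callers, a 5% target rejects 30%, and the equal-error point sits at 15% / 15%. Two caveats for real deployments: operating points are set from far larger evaluation sets than twenty trials, and the FAR you can honestly claim is bounded by how many impostor trials you actually measured, so "0% on our test set" is never "0% in production".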
The time the security team wanted to improve security with a 4-step process to complete enrollment:
“We don’t want to weaken security so it is very important that we step the user through the whole process.”
Four steps are just too many steps. If I need to click on a link, wait for a text message or check my inbox in order to “activate” a voiceprint, then the adoption rate for enrollment in voice biometrics is definitely going to suffer. (In one case, we saw a 45% fallout rate because callers skipped the last step.) If we learn up front what processes and policies the security team is looking to implement, then we can come up with a better strategy to secure enrollment without hurting the adoption rate.
The time the security team considered all transactions to be high risk:
“We don’t want to let anyone in unless we are positive they are the right person”
Typically, for low-risk transactions (like checking the amount of a utility bill), the user should not have to give you their SSN, PIN, voiceprint, one-time PIN (or DNA…). The strength of authentication should match the risk of the transaction being requested. The project team learned this the hard way when they saw customer survey comments:
“I just want a quick and easy way to get my account balance.”
“You know the phone number I am calling from.”
The time the security team preferred PIN over Voice Biometrics:
“PINs are every bit as secure as biometrics. Let’s keep the PIN”
In this day and age, with all the security breaches and database take-overs out there, why are we still even considering PINs? A PIN is a shared secret: it can be leaked in a breach, phished or guessed, and once known it is trivially replayed by anyone, which is why Voice Biometrics is more secure than PIN. In one case, a Financial Institution wanted to replace PIN with Voice Biometrics Authentication due to a high PIN authentication fall-out rate and high Agent Handle Time for those callers who couldn’t remember their PINs. Because the security team wasn’t involved in design, we had to redesign the solution (scope creep) to KEEP the PIN, as well as add Voice Biometrics as a second factor. Can you guess the end result? The exact same fall-out rate during PIN entry. People just don’t remember PINs anymore.
Of course, these examples are better than the cases where the security team was not involved in the project life cycle at all. That resulted in bad design, bad user experience, scope creep and, in the worst case, eliminating any potential ROI that could have been achieved by adopting a more secure solution with voice biometrics.
Lesson learned: absolutely, definitely, without a doubt, bring in the security team as soon as you kick off the project.