Whilst there are various approaches to creating an invisible user authentication strategy for customer-facing channels, to date none of them come without associated risk, error and inconsistency of behaviour. All have to fall back on a secondary, very visible authentication solution where the primary solution either has insufficient information with which to operate or decides the risk is too great. In many instances the fall-back solution is already weak or compromised.
One example is Risk-based Authentication (RBA), where factors such as context, history, location, device and IP address are used to determine if the user that these factors pertain to is who they claim to be. Online Card-not-Present (CNP) transactions are a good example of this technique. Whilst RBA reduces online cart abandonment rates, it can increase chargebacks due to fraud. And in the case of the 3D-Secure protocol for example, it must have a fall-back. Where this is simply a password or PIN, the fall-back itself is easily compromised. RBA is also restricted to certain customer-facing channels only, i.e. it cannot support today’s omni-channel business models, thus introducing inconsistent authentication behaviour based on the channel being used.
Other examples are behavioural biometric systems that analyse keyboard and mouse usage, spelling errors, corrections and angle of device amongst others, and systems that attempt to determine the source of telephone calls. As with RBA, they suffer from errors, require fall-back authentication solutions that are typically weak and only work on certain channels. A telephone source-tracking solution can’t work on digital channels and a system that analyses clicks and keystrokes can’t work on a call to a contact-centre.
However, another example of unobtrusive authentication, where the initial invisible method is actually the strongest form of authentication available and requires no fall-back, is found in contact-centres.
Passive or text-independent voice biometrics invisibly authenticates the caller whilst they speak to the contact-centre agent. This can occur with as little as 5 or 6 seconds of speech. Whilst active or prompted voice biometrics can authenticate users on any digital channel, the totally invisible passive form was largely restricted to contact-centre phone interactions.
AI, in the form of speech Bots, is now changing how we interact with not only contact centres, but digital, online channels as well. The proliferation of smart speakers in the home and even in cars has attuned us to using speech as a form of command interface, not keypads. With the advent of cloud-based Communication Platform as a Service (CPaaS) providers, the use of interactive video and audio in web portals is changing the way applications are designed and built. Interaction is key, and the now open standards of HTML5 and WebRTC will lead to the end of static, non-interactive websites for many retail organisations, including financial services. And the User Interface at the heart of these changes is voice, through natural language speech commands and conversational interaction.
Just as we speak to agents or AI speech Bots when calling a contact-centre, so we will be speaking to AI speech bots or even humans when we interact with web sites and apps. And just as we can be invisibly authenticated by a contact centre, so too will we be invisibly authenticated over web sites through speech, achieving the long-held authentication goal of frictionless authentication but without the downsides of risk, error, incompatibility and inconsistency.