Artificial Intelligence Gets Smarter at Authentication

Editor at Large

In the not-too-distant past and in some places to this day, a customer could go to a bank branch and show a teller her ATM card, type a PIN number, and perhaps show a driver's license to prove she was who she claimed to be. Over time, the teller might recognize the customer with a glance and forgo requesting extra identification.

As more of the bank-customer relationship takes place in the digital world, artificial intelligence — software that can perform tasks that normally require human capabilities such as visual perception, speech recognition and decision-making — is gradually becoming smart enough to piece together all the same clues a person would to recognize another person.

So far, it's happening in fragments.

  • There's software that can take a live photo of your face and instantly compare it with a database of stored photos. USAA, for instance, uses Daon's facial-recognition software to authenticate people with selfies.
  • There's voice recognition software that uses natural language processing to compare snippets of live speech against a database of recorded speech from customers as well as "bad actors." Barclays in the U.K. uses software from Nuance for this purpose.
  • There's iris recognition and vein pattern recognition. Apple has applied for a patent for authentication based on blood flow. Nymi already offers authentication based on heartbeats.
  • Behavior biometrics analyze the way you hold and use your mobile device or computer to determine if you're who you say you are. Transaction analysis monitors account activity for signs of familiar behavior versus an anomaly that might indicate stolen identity.

All these authentication methods can be augmented with other telltale signs, such as device identity, social media profiles and location.
Ultimately, artificial intelligence software will be able to simultaneously consider all of these variables and additional factors to size up the authenticity of anyone trying to open an account, gain access to that account, or complete a transaction. It will continuously learn more about each customer and get progressively better at recognizing all the things that make her unique. And it will be able to do this instantly, without requiring her to jump through too many hoops.

"USAA Bank doesn't have a lot of branches, and they put a lot of emphasis on automated handling of banking transactions through their mobile app," noted Dan Miller, lead analyst and founder of Opus Research. USAA gives customers several options for logging in — they can use Apple iTouch, take a picture of themselves, or use voice recognition. Biometrics combined with AI are intended to simplify the log-in.

"The bank customer is grateful he doesn't have to remember passwords or answer challenge questions in order to do simple things," Miller said. "AI is used in the rules engines that get invoked to allow a customer to go ahead with a transaction because she's calling from home and there are no anomalies. Then if the customer is transferring funds to an account in the Cayman Islands, AI will invoke different rules, to say she'll have to talk to a bank employee or provide additional information first."

The use of AI in authentication coincides with the use of AI to make online and mobile activity more intuitive and personalized, he said. "They go hand in hand because we're starting to recognize you want to make the authentication or transaction authorization as seamless as possible," Miller said. Sometimes this is manifested in a chatbot or virtual assistant that can read questions typed into a text message or a chat window and retrieve answers to basic questions from a database.

A few banks, including Capital One, Citigroup and Wells Fargo, are designing their virtual assistants to respond to spoken questions, so they could work with Amazon's Alexa or Apple's Siri, for example. Such interactions can become part of what the software uses to recognize individual customers.

Tangerine Bank has also combined intelligent assistance with intelligent authentication to let people interact with its mobile app using voice recognition (from Nuance) or iris recognition (from EyeVerify).

"This idea of making a seamless way to interact with banks is the big story," Miller said.

Where AI Makes the Most Difference

Machine learning is most useful in figuring out if a customer is real, according to Sunil Madhu, CEO of Socure. "They can then be provided with some form of identity, whether that's passwords or dual factor or physical biometrics," he said. "The application is making sure you're dealing with a real human being, and that the future transactions or anything from those accounts are authorized."

Machine learning is useful for repetitive tasks like pattern matching — it can look at different sources of data faster than human beings can. In unsupervised learning, decision trees are set up ahead of time to authenticate a person or authorize a transaction. In supervised learning, the software uses machine-learning and statistical algorithms in combination to infer the answers to questions.

"You're training a system by identifying what kinds of data it should look at, applying statistical mechanisms to figure out what of the supplied data are meaningful in terms of correlations to patterns," Madhu said. "Then you can generate decisions on an ongoing basis."

At the time of a transaction, artificial intelligence software can look at users' typical behavior — the way they pay, the devices they tend to use, the way they interact with an application, the way they move their mouse or tap on a screen. The software performs checks that make sure the people are the authorized users of the accounts.

Socure's technology looks at biometrics, social and other online data. It analyzes social media data for "social proof": the fact that as a real human being you're connected with other real human beings, and you behave in certain ways in interacting with them, whether it's through personal or professional networks.

"The fact that that network exists and is interacting with you in a similar manner is something that cannot be faked," Madhu said.

Of course, people can create fake social media profiles and send messages and posts from those fake personas. One estimate is about 7% of Facebook profiles are frauds.

"It would take five minutes for anybody to create a fake profile anywhere," Madhu concedes. "However, to surround that profile with identity proof would require the creation of hundreds of other presumably fake profiles, just to vouch for one. Each one of those others would have to have hundreds of profiles, too. The profiles have to interact with each other the way human beings do. The economic hurdles for a fraudster to do that are very high, and the hurdle for nation-states to do that would be high, too."

The software can also look for sociodemographic patterns in the social interconnections. "Human beings psychologically are birds of a feather flocking together," Madhu said. "A network of twentysomethings probably party together, work together, and maybe come from the same hometown. People have a lot of commonalities to the people they're connected to."

Editor at Large Penny Crosman welcomes feedback at penny.crosman@sourcemedia.com.

For reprint and licensing requests for this article, click here.
Bank technology Social media Fraud detection Biometrics Authentication Analytics M&A
MORE FROM AMERICAN BANKER