Shareholder Authentication (published 2015)

• Table of Contents
• Introduction
  • Universe of Transactions
    • Nature of Participants in Shareholder Transactions
    • Types of Shareholder Transactions
    • Means of Transmission of Transaction Requests
• Authentication In Theory
  • Principles of Authentication
    • The First Authentication Factor: What You Know
    • The Second Authentication Factor: What You Have
    • The Third Authentication Factor: What You Are
    • Multi-Factor Authentication
    • Non-Traditional Authentication Factors
    • Mutual Authentication
    • Positive and Negative Authentication Factors
  • Limitations of Authentication
    • Limitations of Authentication Measures in Common Use
    • Limitations of Authentication Measures Generally
• Authentication In Practice
  • Technological Solutions
    • Shareholder Knowledge
    • Hardware and Software Tokens
    • Biometrics
    • Behavioral Patterns
    • Protection of Authenticated Sessions
    • Authentication of Devices
    • Authentication of Transactions
    • Authentication of Fund Groups (Mutual Authentication)
  • Operational Initiatives
    • Overall Threat Environment
    • Risks Associated with Authentication Systems
    • Risks Associated with Particular Transactions
    • Potential Legal Consequences of Transactional Fraud
    • Limiting Potential for Damage from Fraudulent Transactions
    • Protection of Online Transaction Systems
  • Educational Efforts
    • Employee Training and Awareness
    • Shareholder Awareness
• Insurance
• Glossary
• Further Reading

To date, authentication measures based on the third authentication factor, biometrics, appear to be rare in the fund industry. That said, at least one fund group has begun to use biometrics, specifically voice recognition, for certain retail shareholders who seek to engage in transactions over the telephone. The voice verification system in question is designed to permit shareholders to conduct a range of transactions (including some transactions for which a fund group might otherwise require signature guarantees or notarized signatures) and to conduct these transactions more expeditiously.¹ Representatives of the fund group have publicly described the extensive development and testing of the system, and have provided insight into some of the issues faced and addressed by the voice verification system.²

Other fund groups consulted for this study have reported considering the use of biometrics for telephone transactions. Some have suggested that the additional security provided by such measures was outweighed by the significant development and implementation costs.

It does not appear that any fund group has yet adopted biometrics for online transactions. Historically, one potentially significant barrier to biometrics in the online environment is the need for participating shareholders to have access to the requisite computer hardware. In the past, authentication based on fingerprints or on iris or retinal patterns might have required a fund group to provide participating shareholders with a fingerprint or eye scanner. Some observers have predicted that in the future, biometric authentication through the use of smartphones and other mobile devices will become increasingly common.³ Indeed, a number of smartphones made by Apple, Samsung, and other companies offer fingerprint authentication, and one new smartphone even has a built-in iris scanner.⁴ Some financial institutions have reportedly already begun to permit customers to log into their websites using a smartphone’s fingerprint authentication.⁵

While measures based on biometrics may provide reliable authentication of shareholders, they are only as good as the initial authentication of shareholders seeking to employ such measures. In other words, a given shareholder’s identity must be reliably confirmed when he or she signs up for biometric authentication in the first instance. Thus, for example, if an impostor were to seek to authorize the use of biometrics for a shareholder account and were to provide his or her own voiceprint or other identifier in this initial authorization process, the impostor would presumably thereafter be able to sign in and effect transactions in the shareholder’s account (and the actual shareholder might be unable to access that account).

1. See Voice Verification, Vanguard website, https://personal.vanguard.com/us/XHTML/com/vanguard/retail/web/vbio/selfprovisioned/xhtml/VoiceBioSelfProvisionedJumpPage.xhtml (last visited on July 9, 2014).
2. See, e.g., Presentation by Advait Deshpande, Sr. Manager, Retail Client Service Group, The Vanguard Group, at the Voice Biometrics Conference 2012 – New York City (Apr. 9, 2012), available at http://www.voicebiocon.com/vbc-nyc/ADeshpande_day1_vbc2012.pdf.
3. See, e.g., Brett Baranek, Biometrics on the smartphone: The future of mobile authentication, Nuance (Feb. 10, 2014), http://whatsnext.nuance.com/customer-experience/biometrics-smartphone-future-mobile-authentication/; Larry Barrett, 30 percent of companies will use biometric identification by 2016, ZDNet (Feb.4, 2014), http://www.zdnet.com/article/30-percent-of-companies-will-use-biometric-identification-by-2016/.
4. See Edwin Kee, Fujitsu Arrows NX F-04G Smartphone Has an Iris Scanner, UBERGIZMO (June 16, 2015), http://www.ubergizmo.com/2015/06/fujitsu-arrows-nx-f-04g-smartphone-has-an-iris-scanner/.
5. See John Leyden, iBank: RBS, NatWest first UK banks to allow Apple Touch ID logins, THE REGISTER (Feb. 19, 2015), http://www.theregister.co.uk/2015/02/19/natwest_mobile_banking_touch_id.