Because they cannot be 100% accurate the real issue here with biometric systems is something called Type 1 and Type 2 Errors and the so-called Crossover Error Rate. Voice recognition systems themselves are not necessarily “weak” – so the distinction must be made as to how the particular system that HSBC went live with was compromised.

Biometrics systems will ultimately fall foul of either not allowing a valid person in (a Type 1 Error) or even worse letting a non-valid person in (a Type 2 Error) – which is what happened with the twin BBC reporters.

A clever question when evaluating a biometric solution is: “What’s the percentage of Type 2 Errors on your platform?” (The lower the better.)

The challenge becomes where you then harden the biometric tolerances to the point where you start generating Type 1 Errors because (legitimate) people just can’t log in anymore.

This is the Security vs Usability see-saw incarnate, with the fulcrum in the middle being the Crossover Error Rate. Imagine drawing both Type 1 and Type 2 Errors as line graphs overlaid, the intersection is the Crossover Error Rate, expressed as a percentage – the lower the better. The CER percentage is generally an indicator of how accurate a given biometric product is, and is the yardstick a serious customer such as government, military or financial company will measure it by.