The next generation of user authentication is PIN- and password-free.
By Monica C. Meinert
As the guardians of customers’ most sensitive data, banks are trusted to provide the gold standard in data security. And for most banks, that means a multi-factor authentication process combining passwords with PINs or security questions. But is that enough?
“[Today’s] threat environment continues to escalate—hackers are more sophisticated, hacks are more complex, and the traditional way of responding to that if you’re a bank is to introduce more complex passwords—longer, more characters, changing more frequently—and it makes the digital experience poor,” says Tom Grissen, CEO of Daon, a biometric technology company headquartered in Reston, Va. “Unfortunately, both passwords and PINs are too easily compromised, they’re complex and they’re cumbersome.”
A large part of the problem, Grissen says, is that passwords and PINs depend on authenticating information that’s readily accessible to anyone—things like birth dates, hometowns and pets’ names are all part of an individual’s digital “lifeprint” that they leave on social media pages, public records and other unsecured websites.
Another glaring problem with passwords is that they are static—according to a 2015 study by TeleSign, 21 percent of people use passwords that are over 10 years old. An overwhelming 73 percent of online accounts are guarded by duplicated passwords, making it that much easier for hackers to take down multiple accounts by cracking just one password.
“Passwords and PINs were fine when you had to remember one or two of them, but in today’s world, there are simply too many accounts that require them, and too many rules to follow to make them actually secure,” says Tinna Hung, director of marketing for Kansas City, Mo.-based EyeVerify, a biometrics firm whose technology authenticates consumers by mapping the vein patterns around the eye, allowing customers to login with a selfie. “The same rules that make passwords secure also make them almost impossible to remember, which is likely why the most popular passwords continue to be ‘12345678’ and ‘password.’”
In a recent speech, Deputy Treasury Secretary Sarah Bloom Raskin highlighted the need for ongoing innovation in customer authentication. “Firms need to develop better solutions, taking into account user behavior,” she said. “System design is evolving to deal with the authentication challenge presented by stolen or easily compromised passwords: the next generation of online identity verification looks to combine what customers know and have, with what they do, or behavioral biometrics.”
A human approach to authentication
“Biometrics rely on something you are, rather than something you know,” Hung explains. “A well-implemented biometric solution (one that relies on a complex data set, is fully encrypted, and, we would argue, is stored on a device) provides a convenient authentication solution that doesn’t sacrifice security.”
The idea of using biometric authentication has been around for years, but it got a major lift in the days following 9/11, when the U.S. and other nations—needing a better way to secure borders and critical infrastructure—began exploring biometric solutions more aggressively. “Government really drove the adoption of biometrics faster than what would have occurred without those events,” Grissen notes.
Daon—whose board includes former Homeland Security Secretary Tom Ridge—has been heavily involved on the government side over the last decade, helping nations develop technologies to manage border security and immigration, among other things. Now, thanks to the ubiquity of smartphones—many of which now come equipped with cameras, fingerprint sensors and other technologies—“we took our technology that we had been using to protect countries and brought [it] back to the consumer,” Grissen says.
Biometrics are probabilistic in nature; as opposed to a password entry that is either right or wrong, the algorithms that power biometric systems calculate the probability that the fingerprint, face or voice being presented is a match with the fingerprint, face or voice that it has on record for the user. Also unlike passwords, biometrics can be affected by environmental conditions—if you’re in a crowded area, for example, you may not achieve optimum success with voice-recognition, or if you’re in a dark room, facial recognition may be affected by shadows.
That’s why Grissen believes it’s important to provide options for customers to authenticate themselves using the method that works best for them. “The goal is to be inclusive,” he says. Daon’s IdentityX platform, for example, allows users to authenticate with either a fingerprint, their voice or their face. And down the line, consumers can expect to see a whole new wave of “behavioral biometrics” emerging—things like keystroke dynamics or even the way a person manipulates the mouse on their computer that can be paired with physical biometrics to add even more security.
“A well-implemented biometric solution will fit naturally into the regular flow of user behavior,” Hung adds.
And when it comes to stopping fraud, it goes without saying that a biometric defense is superior to a knowledge-based one.
“If you’re a fraudster, you first would need to steal the phone, unlock the device, impersonate someone’s biometrics, defeat the anti-replay technology and do so in a way that didn’t trigger any flags in the risk engines of the financial institutions,” Grissen says. “And you’d have to do all that before the consumer realizes they don’t have their phone.” What’s more, he adds, is that the underlying technology is constantly evolving. “In the last year, our algorithms have increased their accuracy by 50 percent. One of the beauties of biometrics is that there’s a constant innovation that makes the algorithms better.”
Bringing biometrics to banks
Today, biometric companies like Daon and EyeVerify are partnering with bank and financial services providers of all sizes all over the world, helping them integrate biometrics into their security programs. EyeVerify, for example, works with Digital Insight, a company owned by NCR Corporation, to bring biometric authentication to banks through the mobile banking capabilities it provides. The company is also in the process of incorporating its Eyeprint ID product into Wells Fargo’s CEO Mobile iPhone app for the bank’s corporate customers.
In 2014, Daon added San Antonio-based USAA Federal Savings Bank to its list of clients. USAA is known for delivering a primarily online and mobile banking experience to its 10.7 million military members, veterans and their families.
“USAA’s membership expects us to facilitate not only convenient access to their accounts, but also to live up to the trust they place in us,” says Richard Davey, lead information security adviser for USAA, adding that incorporating biometrics was a natural extension for the bank.
“Fraud by nature is an ever-moving target,” Davey says. “The concerns arising from the ever-present threat of phishing, malware and information exposure from outside [data] breaches means that authentication and access controls will always be threatened. [T]echnologies like biometrics mitigate those threats while facilitating beautiful end-user experiences.”
USAA is widely known as a leader in mobile banking—in 2009, the company was the first U.S. bank to offer mobile check deposit. As an early adopter of biometric authentication technology as well, USAA incorporated fingerprint, voice and facial recognition into its existing “Quick Logon” capability for mobile banking, which was already using PIN and soft token technology to securely validate customers.
The bank rolled out the technology in stages—first to employees, and then to its San Antonio market, expanding to Texas and California before launching full-scale in January 2015.
The response was instant.
Within three weeks of the launch, more than 100,000 customers had completed the enrollment process to use biometric authentication—an average of 2,000 people per day. Within ten months, that number had grown to more than one million.
“The adoption of biometrics has been very rewarding—those with the right technology embraced the solutions almost immediately,” Davey says. “Fingerprint-based solutions tend to dominate the adoption, largely due to the convenience and familiarity to the end-user.”
It’s all about the experience
Hung believes there are two key drivers behind the biometrics movement. “The first is the failure of passwords. The second is the move to mobile,” she says. “Consumers expect to be able to do banking on a mobile device, and they are expecting it to be both easy and secure. Biometrics can help banks meet customer expectations.”
“It wasn’t too many years ago where the number one measure of convenience for a bank was the proximity of the branch to the home or office. Now, the number one measure of convenience is the digital platform,” Grissen adds. “Digital strategies are fundamental to every bank, and if you have a great mobile or digital app but you make authentication cumbersome or frustrating, you don’t drive adoption.”
For the past several years, USAA has dominated the financial industry with Net Promoter Scores between 75 and 80—putting it among the ranks of Apple, Amazon and Southwest Airlines in terms of customer satisfaction. And while there are a number of factors that play into that ranking, the digital experience is a crucial component to USAA’s consistently high performance. “An end user’s experience of a technology is directly tied to their expectations of and relationship to that organization,” Davey says. “Combining security and convenience is always a goal for USAA.”
With authentication systems in particular, balancing security with convenience is a tough line to walk. For knowledge-based systems, added security means more frequent password changes, tougher security questions, or additional steps in the authentication process. But myriad security questions or forgotten passwords can frustrate customers or, at worst, cause them to abandon their activity altogether.
“If you come up with a security enhancement that customers resist, it’s all for naught,” Grissen says. “Unless you can find a way to make it more convenient, it’s a short-term, dead-end strategy.”
Biometrics solves the “security versus convenience” question by providing a highly secure method of authentication using unique identifiers that customers always have with them. For banks looking to exceed consumer expectations in both those areas, Grissen and Hung say biometrics will be essential in the years ahead.
“Biometrics solutions will continue to get faster and stronger, and they will certainly be part of the gold standard for bank security, but they won’t be the only component,” Hung says. “I expect to see the increased use of biometrics along with other passive contextual factors in a comprehensive, multi-factor solution with different levels of authentication required for different levels of risk.”
“To not have these technologies is a disadvantage,” adds Grissen. “I think that in 2017, it will be even more acute if you don’t, because people are so anxious to get away from passwords.”