For financial institutions, one of the primary goals of digitization is to improve the simplicity of banking. In an effort to improve the user experience, one of the stumbling blocks has been the password authentication process needed to access mobile banking. Combining the need to improve the security of accessing accounts due to increased data breaches, with a desire for greater ease of use, is a difficult balancing act.
At the root of the problem is that the more services we use, the more passwords we’re forced to remember. It’s not the passwords themselves that are the problem, it is the scale at which people have to manage and remember usernames and passwords. It’s simply too much. In fact, it is expected that within five years consumers will have, on average, over 200 accounts requiring passwords.
Managing an increasing number of passwords is becoming a challenge for almost all digital consumers. In response, consumers have taken a number of different paths.
- Using the same passwords for all accounts. Obviously the worst of all options due to the “domino effect,” allowing all accounts with the same password to be breached.
- Using different password variations. This combines a perceived increased level of security with a relative ease of use.
- Using technology to generate or save strong passwords. The most secure of the options, but the most cumbersome from the user perspective.
According to a research study done by Telesign, 73% of adults in the US and UK use the same password for everything. In addition, more than half of consumers (54%) use five or fewer passwords across their entire online life, while 22% use just three or fewer. Finally, almost half (47%) of consumers rely on a password that hasn’t been changed for five years.
The problem is that even with the best of systems, password authentication doesn’t scale well. The more digital services a consumer uses (even beyond banking), the more passwords they’re forced to remember. Even if only a few passwords are used with slight variations, it is difficult to keep up with which account goes with which variation. The result is the tedious “forgotten password” function, which often requires the creation of an additional password.
The response by banks and credit unions should not be to relax password standards. So what are our real options to safely and securely authenticate people and protect their sensitive information? There are an increasing number of alternatives being introduced every day. In Smashing Magazine, author Drew Thomas points out some of the options available today.
Traditional Username/Password. The most understood and trusted method for most people, this also tends to be the least secure because of how people create and remember passwords. In addition, when a password is forgotten, the process of recovering a forgotten password is often not user friendly.
Passphrase. Passphrases are both more secure than passwords and they’re easier to remember. The challenge is that more typing is required which can be difficult on a mobile device. Simple has used passphrases since the mobile bank’s inception.
Two-Factor Authentication. In this option, after a username/password combination is verified, a unique code or URL is either emailed or texted to the person trying to sign in. Google uses this option which works as long as the consumer’s phone is nearby.
Social Sign-In. Uses a third-party service or app with Facebook, LinkedIn or Twitter. While simple to use, the user needs to have a social media account, trust social media and not work in an environment that may block social media sites.
Passwordless. The person signing in only has to remember their username, email or phone number, and they receive a unique code to complete the sign-in, with no password needed. The code sent expires quickly or after use.
Biometric. The use of fingerprints, retina scans, facial recognition, voice recognition and more is where authentication seems to be heading. The most common example is Apple’s Touch ID. While the majority of progress in this space is with mobile devices, hardware for computer use, etc. is catching up.
Connected Devices. This uses a pre-established Bluetooth (or similar) connection from one device to another that has already authenticated someone. For instance, using your phone to authenticate use of computer online banking.
No matter what process is used, we need to reduce friction in the sign-in process. While there are a number of options in theory, nothing has established itself as the new standard for digital security. The key is that people want to feel secure while signing in, and they need to know that their information is secure. If we push authentication too far, users won’t trust it.
The Move to Biometrics
Paul Lee, head of technology, media and telecoms research at Deloitte, said that using fingerprints to access email, online banking, streaming services such as Spotify and Netflix, and newspaper subscriptions would help consumers overwhelmed by the number of passwords they have to remember. “You can share a password but not a fingerprint,” said Mr Lee.
In the report, A World Beyond Passwords, Deloitte said that while fingerprints had taken a long time to gain traction, the technology had taken off during the past three years. The company interviewed 4,000 people and said that 31% of 18-24 year olds were using the fingerprint scanners on their phones, compared with 8% of those aged over 65. Deloitte predicts there will be one billion smartphones with fingerprint readers in use by the end of 2017 and that the technology will spread to cheaper models.
Big banks increasingly are offering customers the option of using fingerprints, voices, retina scans and other biometric technologies to access their accounts instead of passwords. Convenience for consumers and better security in a time of rampant data breaches are fueling the switch.
Biometric authentication is “difficult to mimic and easy for people to use,” said Tom Trebilcock, senior vice president of digital at Pittsburgh-based PNC Bank, where customers with Apple iPhones equipped with Touch ID have the option of ditching passwords for fingerprints. “Looking out years from now, I expect the days for passwords are numbered,” he said.
While PNC offers fingerprint access to mobile banking customers to check balances and perform most other mobile banking transactions, they must use passwords when transferring money out of their accounts, such as when paying bills. Some banks are also employing geolocation tracking combined with biometric security. If an account holder’s phone is out of its normal range, a password is needed to access the account.
Industry Example: USAA
In the 50-page report, Digital Banking Security: Biometrics Move Center Stage, Mapa Research explores trends and developments in biometric solutions that banks around the world have adopted. They take a close look at fingerprint scanning, which is currently the most popular and widely used biometric authentication technique, and one that has been rolled out by many banks globally in the last 12 months.
Mapa Research also looked at some of the first movers offering facial and voice recognition technologies in their 31-page report, Security and Identity: Balancing Security with Identity. In the report, Mapa found that six of the seven UK banks reviewed offer fingerprint authentication through their mobile banking app. The rollout of other forms of biometric authentication, such as voice and face recognition, has been somewhat slower among UK banks.
Most of the main providers in the US and Australia have also integrated fingerprint authentication into their mobile banking apps, according to Mapa Research. In the US, several providers have gone further and rolled out other forms of biometric authentication. For example, Arizona Federal Credit Union and Mountain America have launched Eyeprint ID, a software-only solution that verifies customers by using the camera of their smartphone to capture their unique eyeprint. User data is protected with a high entropy encryption key – equivalent to a 50-character complex password.
USAA pioneered the adoption of facial recognition technology to mobile banking in February 2015 by introducing voice and face biometrics for customers to gain access to it’s app. Customers can activate the capability by going to the Quick Logon option within Settings and Profile in the mobile banking app. Face and voice recognition can then be selected before the customer electronically signs the terms and conditions.
To activate voice recognition, the customer must record the statement “My identity is secure because my voice is my passport. Verify me.” three times. This statement then needs to be said aloud when logging in.
Face registration is done by taking a picture before it is registered. During login, blinks are monitored for verification. This aspect helps to counter fraud, as a picture or video of a user would not be able to blink at the right moment.
The bank also offers fingerprint recognition to the biometric options available for logging in to its mobile banking app. Customers have the option to log in to the app using their preferred biometric method – face, voice, fingerprint or by entering a PIN. Apart from the biometric options for login security, the bank also uses device identification in the background, where an encrypted token is sent from the device to USAA which is then matched against the ID of the device registered at enrollment.
Even biometric technologies are not failsafe – many are difficult to spoof but are not spoof-proof. Having multiple, cascaded gatekeepers fortifies security by requiring additional checkpoints. The more different proofs of identity required through separate routes, the more difficult it is for a thief to steal a consumer’s identity or to impersonate them. Likewise, consumer platforms are paving the way by providing improved user experience by empowering consumers to choose how they access digital information.
According to Deloitte, one of the most intriguing possibilities in new access controls is risk-based authorization, a dynamic system which grants access depending on the trustworthiness of the user requesting admission and the sensitivity of the information under protection. This option uses machine learning to authenticate users based on multiple assessments of their behavior. Using sensors such as the camera, accelerometer, and GPS functions, smartphones can gather a wide range of information about users, including typical facial expressions, their habitual geolocations, and how they type, walk, and talk.
Together, these factors are 10 times safer than fingerprints and 100 times safer than four-digit PINs, says Deloitte. With such capabilities, a user’s phone, or another device, can constantly calculate a trust score – a level of confidence – that the user is who he claims to be.
An Important Step in Digital Transformation
Technological advances are giving financial services organizations the opportunity to begin moving beyond passwords. Given the poor user experience associated with passwords, rising costs, and the security weaknesses, banks and credit unions should look into migrating to new digital authentication systems that meet the twin objectives of tightening protection and improving user experience.
According to Deloitte, “Organizations can begin their journey by starting to invest in non-password-based authentication solutions now as part of their digital transformation efforts, such as the rapid adoption of software-as-a-service platforms and omnichannel customer engagement initiatives. These new solution areas can serve as the foundation for broader enterprise authentication initiatives, which may take time.”
While passwords may continue to be the standard for some time given legacy platform constraints and technology limitations, the integration of non-password authentication options should be part of every organization’s strategic priorities before another major breach forces the industry to act unilaterally.