How many times per week do all of us get asked for a password we can’t recall correctly? Everyone who does anything digitally understands this annoying problem.
There is no getting around it: Passwords are hard to remember and hard to use. “Did I capitalize it?” “Is this the same password I used for my email?” Companies, including financial institutions, make the situation worse by requiring complex passwords, and then demanding that they be changed at regular intervals. No wonder that index cards taped to the bottom of a laptop persist as a popular solution.
And it’s not just consumers who are frustrated by this password nightmare. Financial institution call centers spend an inordinate amount of time helping customers reset their passwords. “Passwords are a huge help desk problem,” says Hal Lonas, CTO at Trulioo. 30% to 50% of help desk calls are about passwords, he says.
This is Nuts:
TD Bank marketers, recognizing the craziness of passwords, created a funny TV ad promoting their mobile bill pay app as a way to avoid having to remember multiple passwords for separate billing sites.
But password help is on the way — sporadically — as biometrics become the standard for securing access to computers, applications and websites. After all, millions of people have become used to opening their mobile phones with a fingerprint scan or facial recognition, two of the better known forms of biometric recognition.
The Promise and Challenge of Biometrics
“Biometric authentication is no longer just a futuristic item from the movies,” write Kaoru Yano and Ant Allen, analysts at Gartner. “Today, we unlock our smartphones and tablets with a finger or face many times a day. Eliminating passwords has been a longstanding goal, but this is only recently achieving real market visibility,” they add.
Replacing passwords with biometrics would seem an obvious way for banks and credit unions to improve user experience, but not so fast, warn the Gartner analysts. The user name/password combo might be clumsy, but at least it’s familiar. Eliminating them can “confound people’s expectations, make them uncertain about login security and reduce UX/CX.”
Perhaps biometrically assisted log-in will require its own set of FAQs to assure users that yes, this is a legit site and here is how the biometrics work. The ubiquity of mobile phone use should help.
Nick Maynard, lead researcher at Juniper Research, says that fingerprint sensors on mobile phones are still the most popular form of biometrics, although they are gradually diminishing as facial recognition becomes popular.
“While facial recognition has been challenging during the pandemic with mask wearers, it is easy to deploy, at least in its basic software-based level,” says Maynard. “Over time, we’ll see more devices incorporate hardware-based facial recognition that is more robust.”
Hardware-based facial recognition is better than software alone, according to Maynard. New iPhones have hardware that can conduct more sophisticated checks. Beyond just working from a few points on your face, hardware can determine depth and tell the difference between a real face and an image of a face.
“The advantage of software-based facial recognition is that any phone with a front facing selfie camera can do it,” Maynard notes, “but if you don’t have sufficient hardware like Apple’s, it is quite easy to spoof. He thinks more financial institutions, as well as other companies, will move to hardware-based facial recognition incorporating artificial intelligence, which can check to make sure the image is actually of a live person.
“If you are onboarding to a bank account using a selfie and a government ID, it can check the validity of both to make sure the elements are secure. There is risk, but the technology is pushing ahead,” Maynard adds.
- Banks and Credit Unions Must Take Digital IDs Seriously Now
- Pivotal Identity Trends That Will Reshape Payments & Retail Banking
- Mobile Banking Apps Failing in Key Areas of CX
Pros and Cons of Various Biometric Approaches
While the fingerprint reader in a distinct circle below the screen may have gone away on most smartphones, on many Android phones the reader is still there, hidden beneath the screen so as not to disturb the display.
Fingerprints obviously aren’t going to work when someone is wearing gloves, but fingerprint readers can also be confused by greasy fingers. Roger Grimes, a columnist for CSO, says fingerprints are not the unique identifiers many believe.
“At my full-time company, we have only about 700 employees,” Grimes writes in a blog. “Already, we have several ‘matches’ that require the additional match employee to use different fingers than the original person in an attempt to find a ‘unique’ fingerprint.” That could be fixed if the fingerprint reader were better tuned to be able to see the true differences, says Grimes, but it would end up causing far too many false-negatives and false-positives.
Iris scans, which were particularly favored by Samsung devices, have declined in popularity as facial recognition gains ground. They are used at airport security checkpoints, however, as part of the Clear system.
People can change passwords, but they can’t change their biometric identity. It’s critical that regulations be in place for the security of biometric data as it becomes widely used.
Voice recognition is already being used in financial services for identification, but it hasn’t caught on much in other businesses. Experts see a role for it in both banking and e-commerce, especially for people using smart speakers like Alexa. Fidelity, for example, already uses voice ID, asking customers to record a voice sample which is then used to authenticate the person when they call the investment company.
ACH Alert, acquired by online and mobile banking software provider, Alkami, uses AI and a voice print stored in a mobile phone to fight ACH fraud. As described in a company document:
“The customer dials the 800 number stored in their phone and the hosted interactive voice response system begins recording, prompts the customer to enter an authorization code and repeat a random phrase to authenticate the caller. Once authenticated, the customer can verify or reject suspect wire transactions instantly.”
Amazon’s Pay-By-Palm Foray Stirs Interest
Another biometric technology showing new promise is palm scanning. “You can use infrared sensors to find the patterns of veins in a person’s palm and that is unique to them,” says Jupiter’s Nick Maynard. Amazon, which had been exploring the use of palm scanning, launched the Amazon One service in several of its Amazon Go stores in the fall of 2020. The service lets consumers pay for items by holding their palm over a scanner for a few seconds.
The first time shoppers use the system, they have to insert a credit card to link it with their palm print, according to CNBC. Amazon expanded the service to one of its Whole Foods stores in April 2021 and plans to roll it out to other locations.
Although the Amazon moves are more of retailing and payments development, they could spur greater use of biometrics in other areas of banking including branches, ATMs or for online authentication.
Once the technology is proven the next step is consumer acceptance, says Trulioo’s Hal Lonas. “Consumers want safety and security, and they also appreciate speed, so it is a balancing act,” Lonas observes.
Lose your balance, however, and you could lose the consumer. A Trulioo survey found consumers abandoned a signup process because it was too intrusive or too time consuming, or because they didn’t trust the company asking for information.
As William Gibson wrote years ago: “The future is already here — it’s just not evenly distributed.”
Something similar could be said about biometrics in banking.