Passwords Are Dead: Biometrics And The Future of Banking Security

Voice biometrics, fingerprints, iris scans, and other authentication options are beginning to replace passwords as a means to verify a user's identity and simplify the login process when banking online or via a mobile device. The key is to provide enhanced security against hackers while improving the overall user experience.

You are one of a kind.

Your fingerprint, heart rate, eyes, gait, online behavior, even the way you hold your phone…these attributes are all unique to you, and this certain truth is ushering in a whole new era of biometric security.

App designers and developers are awash in a sea of biometric data and moving full speed ahead to understand this brave new world. From Apple’s TouchID to Nymi’s heart rate technology, improvements to user authentication present tremendous opportunities & challenges for financial institutions and their customers and we have no choice but to move forward as technologie forges ahead.

My company has spent hours and hours testing various types of biometric safe guards on users, with a variety of financial institutions. While our testing and the world of biometrics is in infancy, we’ve already verified some compelling initial findings. While users are getting accustomed to Apple’s TouchID, we’ve found that there are actually several other viable options for security, each with their own pluses and minuses.

Whether you ultimately decide to use Apple’s solution or go with something different (and potentially more secure), one key consideration is the design of the experience. It’s not about the modality of operation. In our tests, we found that voice, facial recognition, heart rate, etc. can all work well if they are designed to guide and educate the user properly.

Here are some of our key findings:

Friction Matters

We train product designers to be meticulously focused on simplifying the user experience. Each extra step or additional choice that users encounter when using a product can cause potential frustration and ultimately lead to customer attrition.

However, while we’ve found that moving towards simplicity is generally the right choice, there are exceptions. Sometimes over-simplifying a process confuses the user, especially if you simplify a process with set steps that users have already performed many times. Also, we found that for many users, authentication is not an annoying roadblock, but rather, a ritual that validates the financial institution’s respect for user information.

Recently we worked with a large bank to help them figure out the best method for replacing passwords. Initially, we worked tirelessly to make the authentication as seamless as possible. In this instance we designed an experience where facial recognition would work behind-the-scenes and let the user know that they had been authenticated after the fact. While certain users found this to be extremely convenient, others felt that their security wasn’t being taken seriously enough.

Doing this work gave us a new perspective on how users from companies that take care of extremely sensitive information view security. For these companies, many users look at security as a sacred ritual, so by reducing friction and simplifying the process, we inadvertently tampered with the trust between the organization and its users.

In other cases, reducing friction is paramount, and when done right, can amount to wild success. “We need something to make the ordering system frictionless. We need to make it so that the customer can order products with the least amount of effort. They should be able to click on one thing, and it’s done.” These are the words of Jeff Bezos, founder of, describing to his developers what he envisioned for One Click. Obviously Jeff’s intuition was spot on and the rest is history. When it comes to converting sales, a frictionless interface is key.

Equally important is the ability for these newly developed, frictionless products to function seamlessly with one’s already existing system. Many of the biometric bands still have huge hurdles to cross in this area. Many of these bands, like the Nymi, promise a huge decrease in friction: just wear the band, and you gain access into websites, hotel rooms, and wifi networks without doing a thing.


Nymi Wristband uses your heart rhythm as a password

However, for most users, procuring and wearing these bands ends up being far too much work for the potential benefit. Sure, these bands may work if you manage to get your hands on one, but less friction becomes irrelevant if your product isn’t readily available and properly integrated with the plethora of devices that already being used by most users. It’s probable that companies like Nymi will will need to integrate their technologies into phones or other wearable devices that offer benefits beyond digital security in order to have their frictionless products make a significant impact on the marketplace.

In the End… Nothing is 100% Secure

Financial institutions know this best: nothing is 100% secure. Picking the best solutions available are all we can do for the time being. We must accept the scary fact that it all can be hacked; none of these technologies are foolproof.

As a leading web and mobile application agency, we know this better than anyone. When it comes down to it, security is just a never-ending war between good guys and bad guys, with each side stealthily inching ahead of the other by a few millimeters, before the other catches up and figures out a new trick.

The optimist in me calls this a form of progress, but that’s really just an euphemism. Yes, there are some solid security solutions that are relatively effective, like TouchID and various other compelling/secure ones that use iris scanning, but reality is that even these are pretty easy to hack and none of them are foolproof, to date.


PayPal using AppleID fingerprint authentication

For banks that require industry-leading security, the best bets are multi-modal security solutions (that use a few different forms of biometric validation). These deliver enhanced security and also guarantee performance in the face of random user data change (ie. someone gets a cut, grows a beard, becomes a pirate or burns their fingerprint).

Focus Design Energy on Enrollment

Biometric security requires both a complex and intensely personal enrollment process: you are asking users to trust you with their fingerprint, face, voice, heart rate, etc. We found that whether or not your organization is actually storing this information is irrelevant to the user – as far as they’re concerned, you’re asking for this data, so therefore you have access to it.

While the frequent biometric handshake between you and your users is going to have less friction, the enrollment process is going to need more, to ensure that users feel their security is being taken seriously. Smart designers will divide their interface choices into two segments: required interactions and user education.

Required interactions involve the task or series of tasks users need to perform in order to provide the information required for biometric enrollment. You will need an intuitive and disarming way to get users to give you the requisite data. For instance, we found that the best way to get users to put their faces in the right position for facial or iris recognition is to ask them to “take a selfie”. When presented with the process of facial recognition enrollment as tantamount to “taking a selfie”, users instantly knew what to do (though we had to overcome a little hesitation from those users who find the idea of selfies to be repulsive).

User education is a two-fold process. First, designers need to teach the users how to enroll and repeatedly use the technology. Next, in many cases, designers need to teach users why this new form of seamless authentication is more secure. There are a few ways to impart this information without cluttering the user experience.

For example, we experimented with text prompts over the user’s camera image, that described the benefits of facial recognition. We also used a Siri-like conversational experience to achieve the same goal for voice recognition. Both these methods delivered the information in a seamless fashion and successfully imparted a positive perception of the new procedure to the users. If your users are educated appropriately, their appreciation for this new form of security can be a huge trust-builder, and in an era when security hacks dominate technology news, building trust cannot be overemphasized.


ANZ ‘My voice is my password’ biometric test

Security as Recognition

One of the most interesting discoveries in our testing was that, in certain cases, biometric security methods can make users feel seen or recognized. Your friends recognize you by your face and your voice, not by a password. Can systems become more friendly by using intelligent biometrics, if they stay clear of the uncanny valley?

I’m not suggesting that biometrics are going to turn your faceless organization into your favorite barista at the neighborhood cafe, but, we did find that faces and voices made authentication feel a little more personal. This is one of those things that at worst, could become very creepy, but if done correctly, could present designers with an challenge to personalize the user’s experience just a little bit more, and in a digital world where opportunities for real personalization are so rare, this concept is certainly worthy of further exploration.

Prove Biometrics Are Better Than a Password

As you begin to integrate biometric security, please don’t assume that this brave new world of iris scans and fingerprints is inherently better than our current solution. We tested lots of biometric prototypes and found that many actually created a user experience that was undoubtedly inferior to the creation and use of the simple password.

Of course, several of the prototypes we tested were much, much better than the password, which pointed up the idea that it will continue to be tremendously helpful to test every new solution against the current baseline in order to assess whether or not it would make a marked improvement on tried and true methodologies. If you test new solutions against other new solutions, you may end up missing useful lessons.

Password authentication has had time to evolve, and many of the conventions we have learned by testing this standard practice are going to stand the test of time.

Publisher Postscript – USAA Facial and Voice Recognition

USAA members residing in the US will soon be able to log into their accounts through mobile devices using biometric recognition. This will make USAA the first U.S. financial institution to offer facial and voice recognition on a mobile app as added protection against fraud and identity theft. USAA’s facial recognition requires users to look at the screen and, when prompted, blink their eyes. For voice recognition, users must read a short phrase.

This extends the mobile app’s multifactor authentication options to include a unique PIN, face and voice recognition – all of which work in conjunction with a security code generated by the app for each login. Multifactor authentication uses a minimum of two factors of identification to add another layer of security.

“USAA is committed to cutting-edge solutions to make our members’ financial transactions as secure as possible,” said Gary McAlum, USAA’s chief security officer. “The use of multifactor authentication through biometrics is one of the most effective ways to increase security protection as traditional passwords become increasingly obsolete.”

The new option will be available through an update to the USAA mobile app for iOS and Android devices. Also, USAA plans to test the use of fingerprint identification to log in to the organization’s mobile app.

Sandeep_Sood100Sandeep Sood is the CEO of Monsoon, a firm that designs, develops and markets mobile and web applications that help business thrive in a connected world. His firm has worked with companies such as Wells Fargo, Capital One, Guardian Life, and Citigroup to help them get their ideas off the whiteboard and onto people’s devices.  He has spoken at SxSW, TED and TiE. Sood is also the founder of RainFactory, a technical marketing agency that has launched a few of the largest crowdfunding campaigns to date. You can connect with Sandeep on LinkedIn or Twitter.

This article was originally published on . All content © 2024 by The Financial Brand and may not be reproduced by any means without permission.