In-app Authentication: Which U.S. Bank or Challenger Does it Best?
User authentication techniques are critical to delivering a secure experience while not frustrating customers. Unfortunately, the most common authentication methods, particularly among legacy banks, increasingly lag the capabilities of fraudsters. But innovative solutions are out there.
By Alexandros Argyriou, FinTech Insights
While a customer’s first login from a new device — the moment when they connect the device to their account and confirm they really are who they say they are — sets the tone for how banks approach security, in-app authentication can be equally make-or-break.
When in-app authentication feels secure but doesn’t add so much friction that it frustrates customers, it enhances the user experience and builds trust. But if there are security loopholes or, at the other end of the spectrum, too much friction, the in-app authentication process puts customers at risk and makes it harder for them to do what they’ve logged on to do.
Both of the latter are bad news. Research by 10X Banking found that 20% of customers switch banks due to poor customer experiences, while FICO’s 2023 Scams Impact Survey found consumers are, unsurprisingly, more likely to switch banks if they’re scammed.
So, are U.S. banks and challengers living up to expectations?
We used our digital banking research platform FinTech Insights to find out where things stand as of July 2024.
What Is In-App Authentication?
In-app authentication is the process of verifying that the person attempting to perform an action is the actual customer. It confirms the customer’s identity and so keeps their account secure, without forcing them to go through the full verification process that’s carried out during the first login from a new device.
The banks and challengers in our sample require in-app authentication whenever, for example, customers make local or international transfers, activate a card, change personal details such as their email or mobile number, change their online banking password, or buy and sell crypto.
Our sample comprised 43 firms: 17 legacy banks and 23 challengers.
How banks and challengers authenticate customers: key findings
We divided the in-app authentication methods into three tiers:
- Tier 1 includes widely used in-app authentication methods
- Tier 2 contains in-app authentication techniques that are relatively uncommon, but not especially innovative
- Tier 3 covers in-app authentication techniques that are both unusual and innovative
Tier 1
The vast majority of banks and challengers in our sample use one or more of these in-app authentication techniques:
- About 74% — 16 legacy banks and 16 challengers — send customers one-time codes, either via SMS or automated phone calls
- Around 54% — 9 legacy banks and 14 challengers — offer in-app authentication using card details
- 10 legacy banks and 16 challengers — about 61% — enable customers to authenticate themselves by entering a password
Tier 2
There are five in-app authentication methods in this category:
- One-time password sent by email. 28% of the firms in our sample (7 legacy banks and 5 challengers) offer this
- PIN, supported by 7 challengers and no banks (16% of the sample)
- Personal details (supported by about 12% of our sample — 3 legacy banks and 2 challengers)
- Secure email link (only 4 challengers, around 9% of our sample, support this)
- Authentication via a third-party tool such as Authy or Google Authenticator. Only 2 challengers — Juno and Robinhood — support this authentication method
Tier 3
Each of the authentication methods in this tier is supported by a single firm:
- Memorable phrase, supported by challenger Zenus. The customer records a phrase which they then speak whenever they need to authenticate themselves
- Face recognition, also offered by Zenus. Unlike Face ID, this is performed by Zenus, within the app, and doesn’t rely on the device’s operating system.
- Selfie video, supported by Monzo US. Customers record themselves speaking a randomly-generated phrase. The user can’t use the app until they record the video, and must also verify their identity.
Alongside these authentication methods, some firms in our sample have additional security-enhancing functionality:
- Security ratings, supported by legacy banks Wells Fargo, Bank of America, and Fifth Third Bank. The user is told how well they’ve secured their account, and given suggestions for strengthening its security
- Automatically blocked screen recording, supported by challenger Revolut
- Device list, supported by Charles Schwab and Revolut. The customer can see which devices they’ve logged on with at a glance, and unpair or remove those devices they no longer use or don’t recognize
Legacy Banks Need to Step It Up
Given their reputation for out-of-the-box thinking, it’s no surprise that challengers are a step ahead of incumbents when it comes to in-app authentication innovations.
Despite some outliers offering helpful security enhancements, most legacy banks rely on passwords, personal and card details, and one-time codes: techniques that, while tried and tested, are increasingly susceptible to phishing and social engineering attacks.
Seeing as they have access to the same biometric capabilities challengers are leveraging, it would be interesting to know why legacy banks are so hesitant to adopt them. Complacency? An aversion to trying new approaches for fear of potential consumer backlash should something go wrong? Other risks?
With fraudsters becoming ever more sophisticated, and losses expected to reach $362 billion by 2028, according to Juniper Research, it’s probably far riskier to retain the status quo in in-app authentication than it is to try new approaches.
Alexandros Argyriou is the CEO of FinTech Insights, fintech keynote speaker and influencer. FinTech Insights is the AI-powered competitive analysis platform for Banks and Fintechs. By analyzing the digital banking offerings from banks, CUs, and fintechs, FinTech Insights allows its users to innovate faster, speed up their product releases, and de-risk their product strategy.