By Brad Powell
In the banking and financial service space, biometric authentication is quickly becoming the principal form of mobile authentication. Instead of requiring a password, more and more apps use physical or behavioral characteristics to allow customers to access and manage their money.
Your first response might be: “I already knew that. The big banks have been doing this for a few years now!” Indeed. Biometrics have been around for more than a year at some larger providers, but the rate of change is fairly rapid.
Before we address what’s next, let’s quickly summarize where biometric authentication has been.
The Rise Of The Thumbprint
“Basic” biometric authentication usually comes in the form of thumbprint or facial recognition. Customers press their thumb on a mobile device’s “home” button or snap a photo of themselves to log in.
The growth of these methods can be attributed to a few interconnected factors.
First, and most obviously, there are now more mobile devices on the planet than human beings. Second, Federal Reserve studies have been showing 33 percent annual increases in U.S. adults who use mobile banking services to manage their money over the last two to three years. That number is likely higher globally, as Asia is the world’s largest continent and wholly mobile-first.
Smartphone users say their top concern when it comes to mobile banking is security. “60 Minutes” addressed this topic last spring. If you watch that report, you might be terrified by the sequence that shows a group of hackers sitting around a table calmly lift individuals’ credit card info from their phones. All they needed were phones that had the ride-sharing app Uber installed.
Major banks such as Bank of America, JP Morgan Chase and Wells Fargo all have rolled out some form of biometric screening for log-in in the past few years. USAA has been one of the early actors in making “selfie security” available — users start the login process by taking a photo of themselves, and facial recognition software handles the rest.
Adding biometrics was a logical step for banks and credit unions anxious to address security concerns. But they reaped a secondary benefit: improving customer experience.
No customer enjoys remembering all of their various passwords for the apps and web services they use. Social login — authentication through social media accounts such as Facebook or Google — became popular in the past five years for this very reason. So it’s no surprise that biometric authentication has become popular for its ease of use.
What’s Next?
Thumbprints and “selfie security” are likely just the start when it comes to biometrics. Developing security methods that banks and credit unions could start using soon include:
● The Iris Scan (sometimes mistakenly called a “retina scan”): Banking apps could require you to scan your iris, as if you’re living in a Tom Cruise movie, to access your accounts. The Samsung Galaxy Note 7 had iris-scanning technology and may have helped spread this form of authentication before its well-publicized recall. Iris scanning is considered one of the most secure forms of authentication.
● Voice Authentication: On its own, voice authentication can be problematic. Background or ambient noise can make matching voices difficult. But voice may be used with other forms of authentication for a secure login — more on that below.
● Geo-Fencing: Apps could use GPS and only allow users to log in from somewhere in the phone’s “normal” range. Banks also could place a geo-fence around their branches or headquarters so employees only could access the app from there.
● Increasing Use of Two-Step Authentication, already familiar to many users of Google or SMS. This method is becoming more common, and, as the name implies, requires users to use two forms of authentication.
● Heartbeat: A few biotech startups have been working on this, and with the corresponding rise in fitness trackers, the time may be right. Heartbeats can, however, be “hacked,” as heartbeats are not necessarily unique to an individual.
Biometric authentication for banking likely will be important when it comes to the smart home and Internet of Things (IoT), as well.
As the IoT becomes more prevalent, inanimate household objects and appliances will become internet-connected devices. One of the more well-known commercial versions right now is the Amazon Echo. Among the Echo’s features is one which enables Capital One customers to check card balances and make payments via the device. Wells Fargo and other banks are experimenting with this as well.
The concern, of course, is security. When consumers learn that their bank information may be tied to their household information, they immediately think about the possibility of a hack. In such a situation, the hacker would know a lot about your finances and how your home is managed. Thieves with that kind of information could practically wipe out a victim’s entire net worth.
This is part of the reason why we’ll continue to see multi-layer biometric authentication become more mainstream over the next several years.
Today, many banking apps are using simple fingerprint authentication in a one-step process. But back in 2006 — before the first iPhone! — "Mythbusters" had already shown how you can fool a fingerprint scanner.
Fingerprint + voice + iris, though, is much harder to fool. Two- and three-factor authentication is therefore likely to grow in coming years.
Will customers and members trust these new security measures? That depends on your audience.
Mastercard surveys have shown a great level of trust in biometric approaches (likely stemming from a correspondingly high level of anxiety about financial info being hacked), but Cyber.UK has found that 18 to 24 year-olds are the most skeptical of biometric authentication moving forward.
Young people could be the least trusting because they’re the most tech-savvy — they understand that hackers are creative, relentless – and have a multitude of tools at their disposal. For everyone else, banks and credit unions are already employing technologies that assuage fears. But they’ll have to work hard to assure future generations that they’re a safe bet in the digital world.
• Face an daunting burden of regulatory requests?
• Struggle to manage the multiple experts inside and outside your organization who must respond to exam requests?
• Use email for regulatory communication -- possibly opening yourself to legal discovery?
• Receive the same request more than once but provide a different answer each time?
If these challenges sound familiar, Axiaware's new credit union compliance software product, Redboard, could help.
In the banking and financial service space, biometric authentication is quickly becoming the principal form of mobile authentication. Instead of requiring a password, more and more apps use physical or behavioral characteristics to allow customers to access and manage their money.
Your first response might be: “I already knew that. The big banks have been doing this for a few years now!” Indeed. Biometrics have been around for more than a year at some larger providers, but the rate of change is fairly rapid.
Before we address what’s next, let’s quickly summarize where biometric authentication has been.
The Rise Of The Thumbprint
“Basic” biometric authentication usually comes in the form of thumbprint or facial recognition. Customers press their thumb on a mobile device’s “home” button or snap a photo of themselves to log in.
The growth of these methods can be attributed to a few interconnected factors.
First, and most obviously, there are now more mobile devices on the planet than human beings. Second, Federal Reserve studies have been showing 33 percent annual increases in U.S. adults who use mobile banking services to manage their money over the last two to three years. That number is likely higher globally, as Asia is the world’s largest continent and wholly mobile-first.
Smartphone users say their top concern when it comes to mobile banking is security. “60 Minutes” addressed this topic last spring. If you watch that report, you might be terrified by the sequence that shows a group of hackers sitting around a table calmly lift individuals’ credit card info from their phones. All they needed were phones that had the ride-sharing app Uber installed.
Major banks such as Bank of America, JP Morgan Chase and Wells Fargo all have rolled out some form of biometric screening for log-in in the past few years. USAA has been one of the early actors in making “selfie security” available — users start the login process by taking a photo of themselves, and facial recognition software handles the rest.
Adding biometrics was a logical step for banks and credit unions anxious to address security concerns. But they reaped a secondary benefit: improving customer experience.
No customer enjoys remembering all of their various passwords for the apps and web services they use. Social login — authentication through social media accounts such as Facebook or Google — became popular in the past five years for this very reason. So it’s no surprise that biometric authentication has become popular for its ease of use.
What’s Next?
Thumbprints and “selfie security” are likely just the start when it comes to biometrics. Developing security methods that banks and credit unions could start using soon include:
● The Iris Scan (sometimes mistakenly called a “retina scan”): Banking apps could require you to scan your iris, as if you’re living in a Tom Cruise movie, to access your accounts. The Samsung Galaxy Note 7 had iris-scanning technology and may have helped spread this form of authentication before its well-publicized recall. Iris scanning is considered one of the most secure forms of authentication.
● Voice Authentication: On its own, voice authentication can be problematic. Background or ambient noise can make matching voices difficult. But voice may be used with other forms of authentication for a secure login — more on that below.
● Geo-Fencing: Apps could use GPS and only allow users to log in from somewhere in the phone’s “normal” range. Banks also could place a geo-fence around their branches or headquarters so employees only could access the app from there.
● Increasing Use of Two-Step Authentication, already familiar to many users of Google or SMS. This method is becoming more common, and, as the name implies, requires users to use two forms of authentication.
● Heartbeat: A few biotech startups have been working on this, and with the corresponding rise in fitness trackers, the time may be right. Heartbeats can, however, be “hacked,” as heartbeats are not necessarily unique to an individual.
Biometric authentication for banking likely will be important when it comes to the smart home and Internet of Things (IoT), as well.
As the IoT becomes more prevalent, inanimate household objects and appliances will become internet-connected devices. One of the more well-known commercial versions right now is the Amazon Echo. Among the Echo’s features is one which enables Capital One customers to check card balances and make payments via the device. Wells Fargo and other banks are experimenting with this as well.
The concern, of course, is security. When consumers learn that their bank information may be tied to their household information, they immediately think about the possibility of a hack. In such a situation, the hacker would know a lot about your finances and how your home is managed. Thieves with that kind of information could practically wipe out a victim’s entire net worth.
This is part of the reason why we’ll continue to see multi-layer biometric authentication become more mainstream over the next several years.
Today, many banking apps are using simple fingerprint authentication in a one-step process. But back in 2006 — before the first iPhone! — "Mythbusters" had already shown how you can fool a fingerprint scanner.
Fingerprint + voice + iris, though, is much harder to fool. Two- and three-factor authentication is therefore likely to grow in coming years.
Will customers and members trust these new security measures? That depends on your audience.
Mastercard surveys have shown a great level of trust in biometric approaches (likely stemming from a correspondingly high level of anxiety about financial info being hacked), but Cyber.UK has found that 18 to 24 year-olds are the most skeptical of biometric authentication moving forward.
Young people could be the least trusting because they’re the most tech-savvy — they understand that hackers are creative, relentless – and have a multitude of tools at their disposal. For everyone else, banks and credit unions are already employing technologies that assuage fears. But they’ll have to work hard to assure future generations that they’re a safe bet in the digital world.
--
Compliance and Your Credit Union
Does your credit union:
• Face an daunting burden of regulatory requests?
• Struggle to manage the multiple experts inside and outside your organization who must respond to exam requests?
• Use email for regulatory communication -- possibly opening yourself to legal discovery?
• Receive the same request more than once but provide a different answer each time?
If these challenges sound familiar, Axiaware's new credit union compliance software product, Redboard, could help.