What Will Replace the Password?

The idea was the bank would develop a biometric mouse that would light up when the user entered his or her client number. The mouse would read the person's fingerprint to confirm the customer's identity. "The pilot worked, and the technology worked. But what we realized was we were ahead of our time," says Kithulegoda. The technology was expensive, and there were hardware compatibility issues, so eventually the project was dropped.

For years, companies have wanted to use something besides usernames and passwords to authenticate users. The idea that entering your first name, a period, your last name, and a series of letters and numbers is a stable, reliable way to protect identity in an age in which people have numerous relationships that rely on web-enabled connections, has been tottering on the edge of validity for a long time.

ING Direct Canada is now building new identification methods for an industry that's changed a lot in the past decade. Account aggregation, mobile apps, social networking and alternative payments are all maturing quickly, as are security threats. Millions of new strains of malware are created each year, placing mobile and online bank accounts at risk.

ING Direct Canada believes the supporting systems and bank customers are more ready for biometrics than they were 12 years ago. "With the proliferation of mobile and the consumerization of IT, the stigma of biometrics has faded, and the technology has come a long way," Kithulegoda says. "With mobile, most devices have a very high definition camera that's in the device. You don't need a special device anymore for biometric authentication."

ING Direct Canada is currently piloting facial recognition for authentication, and it's working with Computer Sciences Corporation on the technology.

The user thinks he or she is taking a picture with the mobile device, but actually the smartphone is in video mode and is taking multiple frames in a short period of time. The video has an algorithm that recognizes a "likeness" in the image that it's capturing.

"At the end of the day we are focusing on four things: something you have, which is the computing device, something you know, which is your PIN, something you are, which is your face, and somewhere you are, which is your GPS location," Kithulegoda says.

He says the geolocation function of the smartphone places the device at the point of sale, or within a reasonable distance from the point of log in.

LAYERED APPROACH AT PAYPAL

PayPal is similar to a lot of the companies that we spoke with for this article: it doesn't like passwords all that much, considers them less than safe, and is in the market for something better such as biometrics - as long as it's workable with the authentication systems used by its partners, which is the current challenge.

"The short answer is yes, we're interested in biometrics at PayPal. We don't have anything that I can announce, but we're interested," says Michael Barrett, chief information security officer for PayPal.

PayPal offers a range of layered authentication options right now, with the newer additions designed to augment password identification.

The PayPal Security Key creates random temporary security codes that safeguard accounts at log in. There are two choices, including a security key that's a small credit card sized device that creates a unique security code; and a mobile phone security key that delivers codes by text message. PayPal's security includes email authentication, in which the company identifies itself via an Iconix app that produces a gold lock with a check mark next to the sender's logo for emails from PayPal. PayPal has long offered security tokens, which create new numbers every 30 seconds that are required for registration. The idea is that if the number is stolen, a crook can only use it for 30 seconds.