As Barrett plots PayPal's next phase in user ID and security, he's also waiting for new guidance from the European Central Bank that will come out early next year. The FFIEC, which issued guidance several years ago that more or less standardized layered authentication for internet banking, is also updating its guidance for mobile banking. Either of these regulatory developments could pressure banks to adopt a posture toward authentication that could nudge migration toward voice biometrics, photo ID and behavior-based authentication.
"The regulators are getting more interested in authentication, especially in the financial services space," Barrett says. "For financial companies who are regulated by European regulators, this guidance could be a game changer like the FFIEC guidance [on dual factor authentication] was here in 2005 and 2006," Barrett says.
WHAT CAN REPLACE PASSWORDS?
Nobody is predicting that passwords are going to be eliminated entirely within the next two to three years. But there are ways to make authentication less cumbersome, more secure, and more reliant on a person's broader use profile - location, relationships, and his or her computing device - than on an impersonal series of letters and numbers.
BTN spoke with a number of tech developers and analysts who discussed how these new tech options work, and how likely they are to become standard practice for employees at banks.
Using fingerprints to prove your identity is one of the more common types of biometric authentication, and is already being deployed by a number of financial institutions.
Discover is working with Natural Security, a French biometrics company, to test a fingerprint payment system with about 300 employees. The staffers will use their fingerprints to pay at participating convenience stores and at the employee cafeteria. The payment information and fingerprint are stored on a key fob that the user carries. In an interview in early December with BTN's Sean Sposito, Troy Bernard, Discover's global head of emerging payments, said the technology could eventually help with online banking, internet payments and web purchases.
Other adopters of fingerprint biometrics include ANZ Bank, which is exploring how fingerprint biometrics may replace PINs.
At one time, the use of a photo to identify a person was one of the more awkward forms of authentication, given issues of privacy and the perception that people would not want to constantly have their picture taken to enter buildings or to access a web site.
The enabling technology was also too scarce to make this form of biometrics scalable. But the growth of smartphones, particularly phones with cameras, is changing the game for facial recognition in a couple of ways. First, people are taking more pictures and are accustomed to using their phones to do so. Second, it makes facial recognition a "bring your own" proposition, which handles the scalability problem.
Ram Pemmaragu, chief technology officer of Strikeforce, says the smartphone is the key vessel that will allow identity technology to graduate beyond static passwords, as well as the hard token-based authentication systems that many financial institutions are currently using. Strikeforce has developed a platform that supports eight different out-of-band authentication methods - relying on a mix of hard tokens that people carry and soft tokens that are embedded in mobile devices.
"We see the phone as enabling a one-time password with biometric features. You can use facial recognition this way. Every phone has a camera," says Pemmaragu, who says the company is also working on fingerprint authentication that can be accessed via sensors on mobile devices. "The phone will someday be the main authentication device, and we'll be able to go beyond the one time passwords, and use the biometric capability to manage the actual phone," he says.
These capabilities are forward looking, but not that far out. "It may take a couple of years. When biometrics gets embedded into the mobile phone, it will make it easier to use it to get into other applications," Pemmaragu says, predicting fingerprint biometrics will probably be the first to be used widely, followed by other methods. "We're probably looking at two years or so."
There are some lingering privacy concerns with facial recognition. The Federal Trade Commission in October issued a report on best practices for facial recognition, saying that businesses should take steps to protect consumer privacy as they adopt facial recognition. The FTC says companies should also take steps to make sure consumers are aware when facial recognition technology is being used, hinting at opt-in.
In this biometric option, users authenticate themselves by speaking words or phrases and having the vocal patterns matched against those stored in a database.
"Voice biometrics can be a way to replace the knowledge-based questions that banks typically use to authenticate people in contact centers," says Shirley Inscoe, a senior analyst at Aite Group.