WHAT CAN REPLACE PASSWORDS?
Nobody is predicting that passwords are going to be eliminated entirely within the next two to three years. But there are ways to make authentication less cumbersome, more secure, and more reliant on a person's broader use profile - location, relationships, and his or her computing device - than on an impersonal series of letters and numbers.
BTN spoke with a number of tech developers and analysts who discussed how these new tech options work, and how likely they are to become standard practice for employees at banks.
Using fingerprints to prove your identity is one of the more common types of biometric authentication, and is already being deployed by a number of financial institutions.
Discover is working with Natural Security, a French biometrics company, to test a fingerprint payment system with about 300 employees. The staffers will use their fingerprints to pay at participating convenience stores and at the employee cafeteria. The payment information and fingerprint are stored on a key fob that the user carries. In an interview in early December with BTN's Sean Sposito, Troy Bernard, Discover's global head of emerging payments, said the technology could eventually help with online banking, internet payments and web purchases.
Other adopters of fingerprint biometrics include ANZ Bank, which is exploring how fingerprint biometrics may replace PINs.
At one time, the use of a photo to identify a person was one of the more awkward forms of authentication, given issues of privacy and the perception that people would not want to constantly have their picture taken to enter buildings or to access a web site.
The enabling technology was also too scarce to make this form of biometrics scalable. But the growth of smartphones, particularly phones with cameras, is changing the game for facial recognition in a couple of ways. First, people are taking more pictures, and are accustomed to using their phones to do so. Second, it makes facial recognition a "bring your own" proposition, which handles the scalability problem.
Ram Pemmaragu, chief technology officer of Strikeforce, says the smartphone is the key vessel that will allow identity technology to graduate beyond static passwords, as well as the hard token-based authentication systems that many financial institutions are currently using. Strikeforce has developed a platform that supports eight different out-of-band authentication methods - relying on a mix of hard tokens that people carry and soft tokens that are embedded in mobile devices.
"We see the phone as enabling a one-time password with biometric features. You can use facial recognition this way. Every phone has a camera," says Pemmaragu, who says the company is also working on fingerprint authentication that can be accessed via sensors on mobile devices. "The phone will someday be the main authentication device, and we'll be able to go beyond the one-time passwords, and use the biometric capability to manage the actual phone," he says.
These capabilities are forward-looking, but not that far out. "It may take a couple of years. When biometrics gets embedded into the mobile phone, it will make it easier to use it to get into other applications," Pemmaragu says, predicting fingerprint biometrics will probably be the first to be used widely, followed by other methods. "We're probably looking at two years or so."
There are some lingering privacy concerns with facial recognition. The Federal Trade Commission in October issued a report on best practices for facial recognition, saying that businesses should take steps to protect consumer privacy as they adopt facial recognition. The FTC says companies should also take steps to make sure consumers are aware when facial recognition technology is being used, hinting at opt-in.