Bridge Community Bank has embarked on an initiative it hopes will produce new, flexible alternatives to usernames, passwords and other traditional identifiers, which are increasingly considered dated as consumers take on broader and more mobile relationships.
The Mount Vernon, Ia.-based Bridge is deploying identity technology from Tascet that combines biometrics and consumer information to produce a personal digital identity that's distinct from passwords, PINs or Social Security numbers. The bank hopes this identity will be usable for transactions involving other banks, and can be used to provide security for branch, web and mobile banking, as well as help with anti-money laundering compliance.
"We see it as the beginning of a change in mindset as to how we authenticate a transaction," says Bob Steen, CEO of the bank, which has three locations and about $70 million in assets. "We're a small bank, but we offer mobile payments and a mobile banking solution and we want to minimize the risk of a customer's ID being stolen."
The personal digital identity can be accessed via readers at bank branches, or by embedded biometric readers on tablets, smartphones and laptops. That technology is not widely available yet on most current mobile devices or laptops, though it is expected in the next couple of years.
Steen characterizes the bank's project as forward-looking and a test of new identification methods. But he says changes to identity strategy are necessary, because passwords and PINs are cumbersome to use, and can also be used by crooks to access bank accounts because the institution's systems don't necessarily know the password has been stolen.
"We all know that people have multiple passwords and we have seen studies that say people are annoyed with passwords. We found that with mobile banking, we have a text banking option that is more limited in what types of information are available, but people use it more because they don't need a password to grab information," Steen says.
The new identity system works this way: A customer enters a branch and asks to activate a financial ICONN (Identity Confirmation Number). The customer provides a name, address, date of birth, country of birth and gender along with what Tascet refers to as a "fingerproof" and "faceproof," or fingerprint and photo (the company uses these terms to distinguish them from law enforcement vernacular). That information is sent to Tascet, where the company matches it against a database that includes information from across the financial industry and other industries such as healthcare, travel and academia.
If Tascet's analysis deems the consumer to be unique, it activates the consumer's ICONN. Once the ICONN is activated, the technology company returns a 16-digit financial security number to Bridge Community Bank that is incorporated into the consumer's account. The next time the consumer enters any bank location, he or she can scan a finger to verify identity and trigger the security number to execute an action with the bank. The bank's policy dictates what transactions or actions are risky enough to warrant a scan.
To protect transactions between Tascet enterprise clients, consumers grant the "other bank" permission to use their financial ICONN by going through the same identification process. If the consumer is deemed unique, the "second bank" would receive the same financial security number for its records. Tascet's identity infrastructure would then refresh finger and face images to account for aging and other changes.
Bridge Bank's project is one of a number of ways banks are using biometrics to migrate away from passwords. In a recent BTN article on password alternatives, the wide array of biometric alternatives was bemoaned by financial services executives such as Michael Barrett, chief information security officer for PayPal, who contended the large number of providers creates interoperability problems.
While Tascet's system works best among Tascet clients, Jason Niosi, a spokesman for Tascet, says the company is not necessarily operating a closed loop system. "Any financial institution implementing physical characteristics [biometrics] can request that their system provider submit the information needed to uniquely identify customers to Tascet in order to activate Financial ICONNs and receive financial security numbers for their customers. As long as the hardware used by the system provider meets the quality requirements and standards we've established, we can accept information and issue ICONNs to these banks through their system providers. This is how we achieve interoperability with varying systems," he says.
Niosi also contends ICONN can integrate into "any enterprise system… there are numerous biometric device companies. We are constantly testing devices to ensure they capture the quality images we need to maintain a high level of data integrity. Our preferred standard for physical characteristics are finger and face but we can adapt to client needs for identification whether voice, iris, etc."
For online verification, Tascet includes an app through which a consumer can verify identity using a headshot, but the consumer must first have activated the ICONN in person at the bank branch. For fingerprint scans on remote devices, Tascet says there is a tech gap at this point. "Biometric hardware companies don't make anything that is consumer friendly and the finger swipe sensors in some computers aren't good enough," Niosi says.
Niosi says Apple's purchase of AuthenTec suggests there will be a sensor on their devices in the near future. In the meantime, he says Tascet has developed a tablet prototype that includes a scanner and camera. "In any event, when the technology catches up, we have the online identification piece solved."