Banks Lay Plans to Build Fingerprint Technology into Mobile Apps

The day is fast approaching when iPhone users can access their mobile banking accounts with the press of a finger.

Apple announced last week that it is making its fingerprint scanning technology, Touch ID, available to banks, retailers and any other companies that develop apps for its hand-held devices. That means bank app developers can now work with Apple to create apps that let a customer log into an account using a fingerprint instead of a user name and password. Or, if security is a bigger concern than ease of use, bank app developers could layer a fingerprint check on top of a user name and password.

"Opening up Touch ID is a very big deal," says Daniel Latimore, senior vice president of the Banking Group at Celent. He adds that many of his firm's bank clients have been "frustrated" that fingerprint scans could only be used to unlock the iPhone, not its apps, and that he expects some will quickly start writing scripts to work with Apple's technology.

Some banks aren't wasting any time adding fingerprint technology to their mobile banking apps. Tangerine Bank (formerly ING DIRECT Canada) has already started developing the feature, which so far is available in iOS 8, Apple's newest mobile operating system.

Others, though, are waiting for regulators to weigh in on the soundness of using fingerprint recognition to authenticate users or may just be plain skittish about latching on to a technology that is so unproven. Some security experts have warned that fingerprints can conceivably be duplicated and, unlike passwords, they cannot be reset if they are stolen.

Still, the opening of Touch ID to third-party app developers is a big step toward bringing biometric authentication into the mainstream, says Charaka Kithulegoda, the chief information officer of Tangerine Bank.

"Having people comfortable with biometrics was always a hurdle and Apple did a great job in introducing it and getting their end users to use it," he says. He expects to see many organizations add fingerprint recognition as an extra layer of security on top of the traditional password.

Tangerine Bank was the first online bank to introduce fingerprint recognition technology in 2000, using specialized hardware. The timing wasn't right then, Kithulegoda says, because the fingerprint scanner had to be a separate piece of hardware and the installation of the device required two cables and multiple drivers to be installed. "Given the many different combinations of hardware that were out there at the time, this was a challenge," he recalls.

"Fast forwarding to today, what has changed is that we don't have to worry about accessing and connecting to multiple peripherals," he says. "Mobile devices today give us a platform where all inputs, including fingerprint scanner, camera, and microphone, are nicely integrated and accessible by applications."

The bank has recently been piloting voice and facial recognition and its developers have already begun working to integrate Touch ID into the bank's mobile app. The bank expects to have a prototype up and running in a week or two.

Kithulegoda sees biometrics as a game-changer that will eventually replace passwords.

"Your fingerprint is one of the best pass codes available; you carry it everywhere and no two are exactly alike," he says. "There is a lot of potential with this technology."

Jim Simpson, the chief technology officer of City Bank Texas in Lubbock, agrees.

"Anytime you can avoid typing a lengthy username and password in a small little box, it makes the end user's experience better," he says.

City Bank Texas plans to use Touch ID for internal apps it provides to employees as well as mobile banking and financial management apps.

The bank will at first use Touch ID only to let customers view certain kinds of information, Simpson says. He expects to make more features available as end users become comfortable using their fingerprints.

Simpson believes there will be a segment of customers who will not give up their fingerprint. He also notes that regulators have not declared Touch ID to be sound, safe, and secure.

"We need to be diligent in our efforts to fully test and have qualified security analysts audit the feature," he says. Simpson also thinks gesture authentication has potential as an alternative to passwords and Touch ID.

There's some debate among security experts about the relative merits of fingerprints versus passwords, device ID, and other forms of authentication.

Al Pascual, practice leader for fraud and security at Javelin Strategy & Research, sees much value in fingerprints. "Fingerprint biometric solutions are worlds more secure than passwords or static knowledge-based authentication," he says. "And in the implementation used by Apple, the theft and subsequent misuse of a user's fingerprint from the phone itself is near impossible."

While the compromise of a large fingerprint database could be problematic, Pascual argues that there are far more systems that store user passwords than there are fingerprint repositories to target.

Latimore takes a more conservative view. "Touch ID isn't going to revolutionize banking security; instead, it's another arrow in the quiver as banks consider how best to secure their customer information and transactions," he says.

He also points out that fingerprints can't be changed and that users can be compelled to give them up -- for instance, they could be forced by criminals to hold their finger to a touch pad.

"While the use cases for bad acts may seem extreme, banks should consider every possibility as they determine the level of risk they're willing to assume," he says.

Andrew Hoog, the chief executive at the security software company viaForensics, adds that thieves have proven that if there's a will, there's a way.

"If there's anything we've learned from Target's and a myriad of other data breaches, if it's in a computer system and there's 100 million of them and all of a sudden it becomes interesting because of a key authentication method, there will be attempts and there may well be successful attempts to steal," Hoog says.

Hoog adds that a fingerprint can be captured without too much difficulty and replicated; there are even videos online showing how to do it.

The main problem with fingerprints is that they're permanent and cannot be changed or reset. If a fingerprint were to be compromised, the victim would be affected in perpetuity, or until the provider switched to a different authentication method.

"For all the shortcomings of the password, I can change it," Hoog says. He's a stronger proponent of device ID, in which users are identified by the device they are using, as a second factor of authentication.

Kithulegoda has given thought to the caveats about fingerprints.

"Every one of these solutions is going to have weaknesses," he says. "But biometrics gives us much stronger and simpler options compared to other consumer authentication methods in use today."

For reprint and licensing requests for this article, click here.
Bank technology
MORE FROM AMERICAN BANKER