A new set of specifications that could strengthen security for websites and mobile apps is receiving strong support from payments and technology heavyweights. If they are commonly adopted, many banks may drop their reliance on usernames and passwords when identifying users in favor of such alternatives as fingerprint scans and voice and face recognition.
On Monday, Samsung and PayPal announced that the new Samsung Galaxy S5 smartphone will use the FIDO standard (it stands for Fast IDentity Online) to activate and confirm PayPal payments using the Samsung S5's fingerprint sensor.
On Tuesday, Bank of America (BAC) signaled its support for improved standards when it became the latest financial services firm to join the FIDO Alliance. The others are Discover Financial Services (DFS), MasterCard (MA) and Goldman Sachs (GS).
"Providing our customers with a convenient, secure digital banking experience is a top priority for us," said Dave Godsman, digital banking solutions and operations executive at Bank of America, in a press release. "As the world rapidly changes, our involvement in the FIDO Alliance will help ensure we continue to provide the convenient and secure solutions our customers want."
Some observers expect the banking industry to rally around the new FIDO standards, which essentially spell out a common way for users, their mobile devices, and mobile apps and websites to communicate with one another.
"If getting the technology into the hands of end users creates order from the chaos that is user authentication, FIDO will have a powerful argument and educational message for bankers and regulators to get onboard," says Alphonse Pascual, a senior analyst at Javelin Strategy & Research. "Other initiatives are a bit behind the curve."
The password is dead
The model websites use today for usernames and passwords is essentially the same as the one IBM time-sharing mainframes were using in the mid-1960s, says Michael Barrett, the president of the FIDO Alliance. "You type your name and password into a dumb terminal, the dumb terminal captures that and sends it up to the mainframe, which checks it," he says. "That precise model is what all password-based e-commerce is based on today, despite the fact that a smartphone is more powerful than the first mainframes.
"Password authentication is badly broken, we need a new model and it needs to be standards based," he adds. "That's essentially what the FIDO specs allow."
Though many believe that the password as a means of verifying the identity of online and mobile banking users is outdated — it's too easy to guess and hard to remember — what it should be replaced with has not been clear. A hodgepodge of authentication technologies, including iris scanning, device identity, fingerprint matching and voice prints, has been floated in various pilots within and outside of banks, but none has attracted enough committed adopters to become widely used.
Under the FIDO specifications, published Feb. 11, a bank could rebuild its apps and websites once, and be able to connect with many different authentication technologies.
For Dominic Venturo at U.S. Bancorp (USB), which has been piloting the use of voice biometrics to verify mobile banking users, the idea of having an industrywide standard for authenticating customers is appealing.
"In the absence of standards, there have been a host of solutions for authentication and that has driven some poor customer experience in terms of expectations of what's required site to site or entity to entity," says Venturo, the chief innovation officer for U.S. Bank Payment Services. "There's an opportunity to align on standards for digital identity in the web space."
But he also points out that there are other standards initiatives in the works.
For instance, under a program run by the National Institute of Standards and Technology, the government is pursuing a digital identity management standard called the National Standard for Trusted Entities. On Monday, a pilot program was announced that will test using the Department of Motor Vehicles' in-person identity proofing services to create a digital credential; it will be supported by technology from phone-based authentication provider Authentify.
"Which one ultimately wins, we don't know yet," Venturo says. "It's an important space and we're actively monitoring it."
He also points out that the devil is always in the details. "We'll have to review the [FIDO] standard that was just published," he says. "There are always technology hurdles. The industry needs to align around the standard it's going to support, then the level of uncertainty or risk goes down. When everyone is working in the same direction, they're less likely to have multiple incompatible solutions."
Nuance Communications, a provider of voice biometrics used by many large banks, including U.S. Bank and Wells Fargo (WFC), also hasn't committed to the FIDO standard but is looking at it. "We're in active discussions with FIDO and supportive of the work they're doing, as well as other industry standards in the authentication space," says Brett Beranek, solutions marketing manager, enterprise division at Nuance. "And there are a handful. We believe any security protocol that enhances or facilitates use of voice biometrics by companies is positive."
What the standard does