Westpac New Zealand wants to be the first bank in the world to let customers unlock their mobile banking apps with a fingerprint scan.
The cutting-edge bank is teaming up with Samsung to create fingerprint scanning technology that would work with the manufacturer's S5 device. Westpac is currently testing the technology on its employees and, if all goes well, it plans to roll it out commercially in August, around the same time it unveils a new mobile banking app and updated online banking site.
The primary objective is to improve the mobile experience for customers who sometimes struggle to type passwords into palm-sized devices.
"We are constantly looking at how we can make things easier and faster without increasing risk," says Simon Pomeroy, the chief digital officer at the Auckland bank.
It already offers smart watch apps, it is developing apps to work with wireless sensors in branches and stores — and it seems likely to be the first out of the gate with fingerprint scanning.
Several U.S. banks are testing biometric security for mobile apps, but most of these trials are focused on voice recognition.
U.S. Bancorp is testing voice biometrics on its employees and Wells Fargo has been testing voice authentication for more than a year. (Both U.S. Bancorp and Wells Fargo use voice recognition technology from Nuance.) ING Direct is piloting facial and voice recognition technology from CSC.
Bankers testing these alternatives to the password are hoping they will solve an important ease-of-use issue for consumers. In order for a password to be strong and hard to guess, it has to be long and complex. But remembering and typing a long, complicated password on a virtual keyboard on a mobile device can be a chore for customers and a stumbling block to mobile app use.
And there's the hope that biometrics will solve a thorny problem that bedevils almost all banks, especially in the wake of the discovery of the Heartbleed security flaw — how to secure customers' mobile and online banking interactions when hackers are finding and exploiting all kinds of creative ways to steal their user names and passwords? Whether or not fingerprints or voiceprints are actually more secure than passwords has not yet been proven in the financial industry, but many are looking at the potential.
At Westpac, the new technology lets a user register a fingerprint by touching it to a scanner built into the Samsung S5 screen. Thereafter, customers can opt to open Westpacs app using just a fingerprint, skipping the usual user name and password. The bank has released a video showing how the scanner works:
The fingerprint-based security will work with a new Internet banking environment the bank is developing, alongside a mobile app wrapper that will let the web pages work well on smart phones.
For now, Westpac is working with Samsung to test the new capability.
"We're making sure when we put this in the hands of customers we can feel confident that it's robust and secure," says Pomeroy.
Pomeroy has tried the fingerprint scanning tech himself.
"The thing that blows me away is how simple it is to set up and use to get into your mobile banking app," he says. "That's the whole point. As a bank, we're looking for an easier way for customers to do mobile banking."
He envisions offering the same fingerprint-based security on other devices as they come on the market.
"This plays into the whole reason why devices are being enabled with finger and thumbprint access, because customers are demanding it and adopting it," Pomeroy says. "When we think about mobile banking, it's all about driving it through customer adoption."
The new security mechanism should be "at least as" secure as using a user name and password to access the app, Pomeroy says.
"Whether it's more secure is a question, but it's certainly not going to be less secure," he says.
Some industry observers believe fingerprint technology is more secure than passwords.
"Leveraging the fingerprint scanner integrated into a mobile device would make compromising an existing financial account significantly more difficult," says Alphonse Pascual, senior analyst for security, risk and fraud at Javelin Strategy & Research.
The iPhone 5S, for example, stores fingerprint data securely on the device itself. "If a criminal wanted to spoof a consumer's fingerprint to gain access to their financial account, they would need access to both the fingerprint and the consumer's mobile device," Pascual says. "While that is not an impossible task, criminals prefer to compromise an account with as much anonymity as possible and would likely move on to easier targets."
In fact, Pascual believes biometric authentication will give providers a competitive advantage.
"Adopting fingerprint scanning could be a strong differentiator, and I expect that it wouldn't be long until others follow suit for fear of being thought of as insecure," he says.
Mike Versace, global research director at IDC Financial Insights, is more tempered in his enthusiasm for fingerprint recognition.
"It's a trade-off — convenience versus security," he says. "A well-designed and reliable finger-scan process, including enrollment, registration, validation, and storage, promises tons of convenience to mobile users."
He points out, however, that it's possible to duplicate finger scans and that biometric data stored on a device, transmitted over a network, or kept in a database can be hard to secure. And the consequences of lost or stolen biometric identities are dire.
"Losing your credit card is one thing," Versace says. "Losing your fingerprint or other biometric characteristic is something completely different."