As the banks face ever tougher trade-offs between security and convenience, they must look to new technologies that can improve the former without damaging the latter, says Gary McAlum, senior vice president and chief security officer for USAA.
Some technologies actually make life easier for the digital banking customer, McAlum says. One is biometric authentication — letting people verify their identity with a fingerprint, a spoken word or phrase, or a selfie, for instance. USAA was the first financial institution to roll out biometric security with its mobile banking app. It now lets people log in through fingerprint, voice or facial recognition. The company also layers in other security mechanisms, such as device identity, so that it's not relying solely on any single biometric.
McAlum, who spent 25 years in the Air Force before joining the financial services industry, shared an update on those biometric programs and related thoughts on the state of security in the industry today in a recent interview.
How is adoption going for USAA's biometric authentication programs?
GARY McALUM: We have almost 1.3 million members actively enrolled in and using biometric authentication. About 88% of them are using TouchID for fingerprint recognition, about 7% are choosing to primarily use facial recognition and a small percent are using voice. So we're getting really good adoption and our goal is to continue to drive that up. As we roll out biometrics on more platforms, the challenge is the devices out there don't all accommodate biometric authentication. As phones and platforms start to become compatible, we're catching up with that. For mobile banking apps, we strongly endorse and recommend biometrics as an enhanced form of authentication as opposed to username and password. Data breaches are rampant. Personally identifiable information, sensitive information, phishing, malware, all of that comes together to make it really hazardous to depend on a user ID and password [or] even really strong security questions to authenticate to a mobile banking app, a shopping site, a social media site, whatever the case may be.
There's an argument to be made that by allowing the options of voice recognition or fingerprint recognition or facial recognition or username and password, you actually have weaker security because you're giving hackers more opportunities to break in. If all else fails, they can use stolen or guessed usernames and passwords.
You hit on a really good point. Fundamentally, all security is an identity and access-management problem. There are other issues with patching, but at the consumer level, all security issues start with identity and access management. Part of that is, you could have the strongest authentication in the world, but you also have to have a strong enrollment and recovery process. Biometrics works well, but you have to have a strong front door. You have to have a good way to authenticate and validate that identity up front and then enroll. In the inevitable case where someone is going to say, "I tried to use this biometric, it didn't work," or "I tried to use this authentication and it didn't work," you have to be able to deal with the exceptions.
Do you have any next steps in mind for biometrics?
We focus on innovation here. We're constantly looking at, what's the next level we can take this to? We have an innovation lab here and we're constantly looking at, where is this area of security? How is that evolving? Obviously, facial and voice recognition are interesting, but that's not really the future. That may be part of the future. We don't want to get locked into any particular implementation of authentication. There are exciting things going on in the market out there. We've looked at startups that are looking at heart biorhythms as a unique indicator of a person's identity. How do you bring that variable into the equation and operationalize it as an authenticator? There are other forms of biometrics and other authenticators out there. We're looking at all of them. When we can operationalize those and offer a choice to our membership, we're going to head that way. The secret here that we discovered is, there's no one flavor everybody likes. As much as we can offer choices for our members, they'll find the one that works. As long as it's one we're comfortable with, we want them to use it. Where we can, we want them to willingly adopt.
But more and more we're getting away from static information. We envision a world where there isn't a user ID or password involved, no static information. It doesn't matter how many security questions you have. That's one dimension of information and it's easily discovered over time because of data breaches and social engineering. In the world we envision, you would never use static information.
How do you look at the trade-off between strong security and good user experience — not upsetting the legitimate person who's trying to log in?