Battling the Creepy Factor of Eye-Recognition Software as Bank ID

It's "Minority Report" brought to life — sort of. First Internet Bank in Indianapolis is offering customers the option to log in to mobile banking by snapping pictures of their eyes from their smartphones.

The EyeVerify software that the bank is testing in conjunction with digital-banking partner Digital Insight measures the length and pattern of the veins in customers' eyes and uses that data to identify them.

In so doing the $1 billion-asset bank is offering its tech-savvy customers a form of authentication from which other banks have shied away. That reluctance may stem from the fact that eye scanning seems to raise more privacy concerns among consumers than fingerprint recognition, which has been popularized by Apple, and voice recognition, which has been introduced by a handful of banks. Whether the public can get comfortable with it remains to be seen.

"People have gotten more comfortable with their fingerprint because it's being used in so many contexts," said Ben Knieff, senior analyst at Aite Group. "And people have come around to the understanding that it's not an image of their fingerprint that's being stored, it's a mathematical representation of key points. Eye vein recognition is more creepy to people because it feels like I'm taking a picture and that picture is going to go somewhere. Even though that perception is incorrect, that perception is reality."

Yet First Internet Bank, which already supports Apple's TouchID fingerprint recognition in its app, seems unworried about the potential for creepiness or about being the first to introduce this new technology.

"I wouldn't say we had concerns about being first because we believe it's very well-tested technology," said Nicole Lorch, senior vice president of retail banking. "We believe it's important to be on the leading edge of new technologies that will make online and mobile access more convenient for customers."

The bank hopes the eye recognition will help people who cannot remember their mobile banking password.

"We all have so many passwords, for personal and work use," Lorch said. "We want to be a part of this growing trend in making things simpler but still secure."

The new mobile app will be distributed through the Apple and Google Play stores.

Proper performance in different environmental conditions, always a factor in biometric authentication, present more of a challenge. The bank tested the eye-scanning technology with its own employees under many conditions.

"We tested it in low light, in bright light, and with bloodshot eyes," Lorch said. "We had people try it first thing in the morning when their eyes were bleary and late at night in a dimly lit room right before going to bed. We tested in a bright room next to a window. We had glasses wearers try it with and without their glasses or contact lenses on. We tested in as many different scenarios as we could identify."

In some cases, the software did not work well in dim lighting. Sometimes testers had to reposition the phone camera to make it work, Lorch said. Users need to hold their phones a few inches away from their eyes, and the first time they registers they need to take several pictures . That requirement is comparable to having to provide several finger imprints when registering for TouchID.

EyeVerify, naturally, has done further testing of its software.

"Believe it or not, we asked EyeVerify what would happen if someone got hit with a baseball or got pinkeye," said Dan Weis, product manager for Digital Insight. The answer was the software would still work.

Even assuming high accuracy rates, it is hard to predict how easily customers will warm to the technology.

"It's a good fit for any organization to have available, but not to expect broad customer adoption," Knieff said. "Facial, eye vein, and iris recognition are at a stage where they're more specialized applications than general purpose."

This is likely to change over time. "If you get big corporates implementing iris or eye-vein technology as their access-control system, people will go, 'I use this at work every day and nothing bad seems to have happened. I can use it in other places,'" Knieff said.

The overarching challenge to biometrics, he pointed out, is that if a piece of biometric identification is compromised, you cannot change it.

"I can change my password but I can't easily swap out my finger," he said.

Vendors are highly aware of this and building safeguards into their technology. For instance, some not only turn the biometric ID (fingerprint, voice print, eye scan) into a number, but they then encrypt that number. So even if hackers broke into the database, they would have trouble using the data it contains.

For reprint and licensing requests for this article, click here.
Bank technology Authentication Mobile banking Consumer banking Community banking Data security Biometrics Indiana
MORE FROM AMERICAN BANKER