USAA is letting its members log in to mobile banking in the blink of an eye — literally.
The San Antonio financial services company has rolled out facial recognition technology across its entire membership base that lets them access its mobile app with a tap of their smartphone camera and a blink when prompted (to prove they're a live person and not a photo). USAA is also giving members the option of logging in with a spoken phrase.
This makes USAA the first major U.S. financial institution to deploy a full-scale rollout of voice and facial recognition. In an industry that has tried and failed to make biometric identification work for 50 years, USAA's efforts could be a significant turning point.
One key reason why is the immense popularity of the smartphone. Smartphone cameras let users employ their own hardware to capture their facial characteristics. Device identity also provides assurance that the smartphone belongs to the right customer.
"The ubiquitous adoption of the smartphone has altered the market — you no longer need kiosks or readers, the smartphone is a multifactor edge device" for biometric authentication, said Tom Grissen, CEO of Daon, the Fairfax, Va. software company that developed the biometric technology with USAA (Daon is working on similar projects with several large banks).
Decades of improvements in voice and facial recognition are also helping reduce false negatives and friction — facial recognition takes two seconds. And a growing exasperation with forgotten, lost or stolen passwords may drive people toward face- or voice-based logins.
"Four out of five end customers who have experienced the technology prefer it over a PIN or password," Grissen said.
Adoption so far has been impressive: 101,000 USAA members are using the biometric options. (All told, USAA has 10.7 million members, four million of whom use its mobile app.) Even members over 50, of whom little adoption was expected, prefer biometrics over having to remember an 11-digit password.
Security in a Selfie
The use of facial recognition for authentication is rare in banking.
According to Rick Swenson, fraud operational excellence and strategic initiatives executive at USAA, the company chose facial recognition so it could deliver biometrics to the largest base of Android and iOS users possible — all smartphones have cameras that make face capture quick and easy.
"The advantage of face over voice in our construction is it takes two seconds or less to take that picture of your face," Swenson said. "Voice requires a certain amount of dialogue, usually around 20 or so seconds, in order to validate the signature of the voice."
Voice recognition is also heavily reliant on environmental factors like background noise.
"If I'm at a Spurs game, and I take out my mobile phone and try to use voice recognition, it's not going to work because I have 100 people around me screaming and yelling at the same time," Swenson noted. "What will work at a Spurs game is my face."
Facial recognition, Swenson said, is impervious to just about anything except bad lighting.
What's to prevent someone from logging in with someone else's picture or a video?
The key thing, and what may turn out to be USAA's secret sauce, is that the company uses device identification in the background: each time a member logs in, an encrypted token is sent from their phone to USAA and matched against the ID of the device registered at enrollment. So for a fraudster to successfully impersonate a member with a photo or video (or by trying to mimic their voice), they would also have to steal the member's mobile device.
The other safety mechanism is that USAA requires the member to blink, which rules out the use of a static photo.
"Face is much, much more secure than just user name and password," Swenson said, pointing out that in 2014 alone, more than 500 million user names and passwords were stolen and many are being used by fraudsters to break into financial services firms.
Security experts give USAA's approach high marks, especially for the facial recognition technology that watches the eye region of an image and looks for the user to blink.
"This means someone can't just hold up a good picture of you and have it match," said Kevin Bowyer, chair of the Department of Computer Science & Engineering at the University of Notre Dame. "And they can't even replay a video of your face and have it match, because the face image or the video of your face would not be able to blink at the right moment."
The combination of requiring the right device, a face match and a blink at the right time should prove to be far more accurate and secure than a password, thumbprint or other single fingerprint, Bowyer said.
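An added illustration, not USAA's or Daon's code: a minimal server-side check that combines the three signals described above (registered device, face match, blink after the prompt). The HMAC-over-nonce device token, the score threshold, the one-second blink window and all names are assumptions, since the article gives no implementation details.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass

FACE_THRESHOLD = 0.80   # assumed cut-off for the face matcher's similarity score
BLINK_WINDOW_S = 1.0    # assumed: the blink must follow the prompt within 1 second


@dataclass
class Challenge:
    nonce: bytes        # fresh per login, signed by the device
    prompt_at: float    # seconds into the capture when "blink now" is shown


def device_token(key: bytes, nonce: bytes) -> bytes:
    """Token the phone returns: proof it holds the key bound at enrollment."""
    return hmac.new(key, nonce, hashlib.sha256).digest()


class LoginVerifier:
    def __init__(self):
        self.devices = {}   # member -> (device_id, device_key)

    def enroll(self, member: str, device_id: str) -> bytes:
        key = secrets.token_bytes(32)
        self.devices[member] = (device_id, key)
        return key          # provisioned to the phone at enrollment

    def new_challenge(self) -> Challenge:
        # Unpredictable prompt time, so a recorded blink is unlikely to line up.
        return Challenge(secrets.token_bytes(16), 0.5 + secrets.randbelow(1500) / 1000)

    def verify(self, member, ch, device_id, token, face_score, blink_times):
        """Return the list of failed checks; an empty list means accept."""
        failed = []
        reg = self.devices.get(member)
        expected = device_token(reg[1], ch.nonce) if reg else b""
        if not reg or reg[0] != device_id or not hmac.compare_digest(expected, token):
            failed.append("device")
        if face_score < FACE_THRESHOLD:
            failed.append("face")
        if not any(ch.prompt_at <= t <= ch.prompt_at + BLINK_WINDOW_S for t in blink_times):
            failed.append("liveness")
        return failed
```

A production verifier would also expire each challenge and reject a nonce that has already been used.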
But USAA is also allowing voice recognition, in part for circumstances like driving a car, when taking a photo would be inconvenient. The program asks members to read a short phrase out loud.