A World Without Usernames, Passwords? It's Coming, Says USAA Exec
As the banks face ever tougher trade-offs between security and convenience, they must look to new technologies that can improve the former without damaging the latter, says Gary McAlum, senior vice president and chief security officer for USAA.
Some technologies actually make life easier for the digital banking customer, McAlum says. One is biometric authentication — letting people verify their identity with a fingerprint, a spoken word or phrase, or a selfie, for instance. USAA was the first financial institution to roll out biometric security with its mobile banking app. It now lets people log in through fingerprint, voice or facial recognition. The company also layers in other security mechanisms, such as device identity, so that it's not relying solely on any single biometric.
McAlum, who spent 25 years in the Air Force before joining the financial services industry, shared an update on those biometric programs and related thoughts on the state of security in the industry today in a recent interview.
Authentication methods meant to keep cybercriminals from taking over accounts can also lock out legitimate users. This old dilemma is growing more vexing as cybercriminals get better at impersonating customers and as regulators increasingly push multifactor authentication.January 7
The San Antonio financial services provider says 101,000 members have already logged into mobile banking with a spoken phrase or a selfie. It may be a sign that after 50 years, biometric authentication is finally hitting the mainstream.February 3
How is adoption going for USAA's biometric authentication programs?
GARY McALUM: We have almost 1.3 million members actively enrolled in and using biometric authentication. About 88% of them are using TouchID for fingerprint recognition, about 7% are choosing to primarily use facial recognition and a small percent are using voice. So we're getting really good adoption and our goal is to continue to drive that up. As we roll out biometrics on more platforms, the challenge is the devices out there don't all accommodate biometric authentication. As phones and platforms start to become compatible, we're catching up with that. For mobile banking apps, we strongly endorse and recommend biometrics as an enhanced form of authentication as opposed to username and password. Data breaches are rampant. Personally identifiable information, sensitive information, phishing, malware, all of that comes together to make it really hazardous to depend on a user ID and password [or] even really strong security questions to authenticate to a mobile banking app, a shopping site, a social media site, whatever the case may be.
There's an argument to be made that by allowing the options of voice recognition or fingerprint recognition or facial recognition or username and password, you actually have weaker security because you're giving hackers more opportunities to break in. If all else fails, they can use stolen or guessed usernames and passwords.
You hit on a really good point. Fundamentally, all security is an identity and access-management problem. There are other issues with patching, but at the consumer level, all security issues start with identity and access management. Part of that is, you could have the strongest authentication in the world, but you also have to have a strong enrollment and recovery process. Biometrics works well, but you have to have a strong front door. You have to have a good way to authenticate and validate that identity up front and then enroll. In the inevitable case where someone is going to say, "I tried to use this biometric, it didn't work," or "I tried to use this authentication and it didn't work," you have to be able to deal with the exceptions.
Do you have any next steps in mind for biometrics?
We focus on innovation here. We're constantly looking at, what's the next level we can take this to? We have an innovation lab here and we're constantly looking at, where is this area of security? How is that evolving? Obviously, facial and voice recognition are interesting, but that's not really the future. That may be part of the future. We don't want to get locked into any particular implementation of authentication. There are exciting things going on in the market out there. We've looked at startups that are looking at heart biorhythms as a unique indicator of a person's identity. How do you bring that variable into the equation and operationalize it as an authenticator? There are other forms of biometrics and other authenticators out there. We're looking at all of them. When we can operationalize those and offer a choice to our membership, we're going to head that way. The secret here that we discovered is, there's no one flavor everybody likes. As much as we can offer choices for our members, they'll find the one that works. As long as it's one we're comfortable with, we want them to use it. Where we can, we want them to willingly adopt.
But more and more we're getting away from static information. We envision a world where there isn't a user ID or password involved, no static information. It doesn't matter how many security questions you have. That's one dimension of information and it's easily discovered over time because of data breaches and social engineering. In the world we envision, you would never use static information.
How do you look at the trade-off between strong security and good user experience — not upsetting the legitimate person who's trying to log in?
What we challenge ourselves here at USAA to do and what our business partners expect of us is, they want the highest levels of security on the consumer side, but they want the experience to be seamless, transparent and as wonderful as possible. Biometrics on the mobile app has been a great example of that for us. It works well, people want to use it. It's a really strong form of authentication. What we're working on now is moving that experience across our other channels, because although we have a lot of members using the mobile app, we still have people logging in to usaa.com, we still have people logging in to our call centers. So we're in the process of moving that to the other channels.
The challenge is we don't want to keep putting more hurdles in front of our member. The goal is to do as much passively as you can, so … regardless of whether it's a phone, a mobile banking app, whether it's usaa.com or some other way, regardless of how they come in, you know enough about them so you don't have to throw up a security question or [say], "Hey, we need you to do this, we need more information from you." That's the world we're heading into, boldly.
We believe that the mobile device is a big part of that equation. Today, most people don't leave home without their phone. You'll see consumers that may not have a purse, may not have a wallet, but they're going to have their phone. So linking that device with a persona and being able to validate that environment is a big part of our future.
What have you been doing with CyberCode?
CyberCode has been our version of two-factor authentication. We've offered it for years. There's different flavors of it. It's an app you can download that provides a rotating, 30-second code. You use that in conjunction with another piece of information to log in. It's very secure. I've been using it for more than five years myself. Another variation of that for those that don't have a smartphone, you can request a physical token, press the button, rotate a 30-second code and use that as part of your login process. The last version, which I use quite a bit myself, is the one-time SMS code. So you can log in, request a one-time code and text it to a phone number we have on file for a one-time login. Those are very strong forms of authentication. We've not been able to drive adoption of those as much as we'd like, but it's something we are definitely focused on moving forward as we get away from static credentials like username, password and security questions.
There have been cases of one-time passwords being gamed by sophisticated hackers.
We've seen that before. So if a person's identity and online persona is compromised, a fraudster can go into someone's account, change their personal info, address and phone number. It's not a scalable model but it's potentially applicable. But from a high-confidence rate, it's better than username and password.
Some people say this is a terrible question, but what keeps you up at night, security-wise?
I gave the same answer when I was wearing a uniform doing this at the Department of Defense. Probably every security professional would answer the same way. First, there's never been a better time to be in the business of security. I'm excited about it; it challenges me every day. The thing that keeps me up at night is what I don't know. People talk about this particular malware or this particular denial of service — I can see that, we can fight it. It's what I don't know. And there's enough out there to always be thinking about what I don't know. [At USAA] we have a culture of noncomplacency. We've adopted the Navy SEAL motto: "The only easy day was yesterday." What I don't know is what I worry about the most.
Editor at Large Penny Crosman welcomes feedback at firstname.lastname@example.org.