Authentication Advances May Finally Kill Passwords and PINs
More than two decades since a New Yorker cartoon joked that "on the Internet, nobody knows you're a dog," banks are finally replacing old and not-so-reliable methods of authenticating customers (passwords and security questions) with sophisticated alternatives.
Voice biometrics, fingerprint detection, facial recognition and device ID are graduating from the pilot phase to wider deployment at a handful of financial institutions. And more innovative methods, including authentication based on smartphone activity, are being tested in university research labs. If successful, these technologies could deliver the combination of security and convenience that has eluded banks in their struggle to verify user identities and keep out impostors without hassling true customers.
The shift to next-gen authentication methods has been made possible by the convergence of several trends. One is the ubiquity of smartphones with high-quality microphones and cameras that make voice and facial recognition easy, and the availability of Apple's Touch ID fingerprint reader on iPhones for finger scanning.
Public awareness of data breaches and fraud issues has made consumers more willing to provide fingerprints, voiceprints and selfies to secure their financial information. And while financial institutions are driven by the need to make their growing volume of mobile and online transactions secure and convenient, they're also being pushed by a newer, related dynamic: their call centers are swamped with requests from consumers who want to reset lost, stolen or compromised passwords.
"The Target data breach generated more calls than we'd like to have taken in the call center," said Casey Royer, the enterprise voice solutions director at USAA, the poster child for biometrics technology in the U.S. financial services industry. "When we're not planning those calls, it's hard. We need to start barring the doors so we're more secure. We're hoping this [technology] matures so incidents become nonevents."
One authentication technology banks are starting to deploy is voice recognition.
"Voice recognition has the right combination of characteristics that are unique to the individual," said Dominic Venturo, chief innovation officer at U.S. Bank in Minneapolis. "The voice is easy to use and every mobile phone has the ability to hear a voice." The $404 billion-asset bank has been testing voice biometrics and aims to make it more widely available this year.
According to Opus Research, 41% of all global voice biometrics installations are implemented by financial institutions. Barclays, Santander, Tangerine, Wells Fargo, USAA and ING Netherlands are among those that have adopted this technology.
The quality of smartphones' built-in microphones is high enough to achieve accuracy rates above 90%, according to Brett Beranek, director of product strategy for voice biometrics at Nuance Communications. Barclays' wealth management unit, for instance, says it's achieved a 95% accuracy rate on its use of voice recognition in its call centers.
Fingerprint recognition is another option, one that Apple brought to the forefront by including Touch ID on iPhones and making it part of Apple Pay. First Internet Bank of Indiana, Canada's Tangerine Bank, American Express, Discover and USAA are among those using it to let customers log into mobile banking with the press of a finger.
"There is certainly a strong case for fingerprint and voice," in banking today, Venturo said.
Then there's facial recognition. HSBC and USAA have rolled out a feature allowing consumers to identify themselves with a selfie. Facial recognition technology analyzes the contours of the face and compares those angles to the original photo registered with the account. In USAA's implementation, the user has to blink, to prevent imposters trying to log in with someone else's photo.
Vincent Endres, chief of corporate development at Hoyos Labs, says his company has been "swamped with interest" from banks in his company's facial recognition technology, which it's been testing with "several of the top 10 banks in the world. Some are looking to use this to let internal employees log on without a password, some are looking at ATM applications," he said. "Private client groups want to get rid of tokens."
Banks want to reduce the burden on help desks to reset passwords and make digital banking more convenient for clients, he said.
Analysis of smartphone activity and web behavior is another technology solution. It hasn't been deployed in production yet, but two teams of researchers at universities in the U.S. and India have come up with a method of using the monitoring of consumer activity for authentication.
"Our system in the background collects different digital activities on the customer's smartphone, social media, and web," said Swadhin Pradhan, a PhD student at the University of Texas at Austin, of his team's ActivPass method. "It then selects activities that are easy to remember and difficult to guess and asks three questions."
For example, ActivPass might ask questions like, whom did you last call? Or what was your first text today?
A bank could use ActivPass to replace or augment its knowledge-based authentication (challenge questions, like "what was the name of your first pet?"). The bank would need to get permission from the user to gather this information during the app installation.
"Questions like what is your date of birth, what is the color of your car, are static and can be easily hacked," Pradhan said. "In social media they can get all this information."
The ability to look across different channels of activity provides greater confidence, Pradhan argues. "If you can look at this kind of distributed activity (social media, smartphone, browsers), the probability [of hackers being able to game the user's identity] will be less," he said.
And further out there is the "natural body identification" PayPal is developing. This is a series of embeddable, injectable and ingestible devices that could replace passwords as a means of identification. The devices may include brain implants, silicon chips embedded into the skin and ingestible devices with batteries powered by stomach acid.
USAA Goes All In
USAA began looking at biometrics in 2008, "but it wasn't mainstream and our members wouldn't have accepted it as much," Royer said.
In February, the member organization and $67 billion-asset bank became the first to nationally roll out voice and facial recognition for its mobile apps, letting members log in with a spoken phrase or a selfie. About a week ago, the company added Apple Touch ID to the mix, bringing the number of ways members can authenticate themselves at login to four: with their voice, their face, their thumbprint or a PIN. Behind the curtain, the bank also uses device ID in its authentication process, so a potential fraudster would have to have the device registered with the account in addition to one of the four pieces of identity required to access her account.
The four options are meant to provide convenience for members and reflect a practical reality: voice recognition doesn't work well in a noisy environment, facial recognition can be faulty in direct sunlight and fingerprints are harder to capture in extremely cold weather.
So far, the fingerprint technology is the most popular. In the week it debuted Touch ID, USAA went from 200,000 biometric signups to 350,000.
USAA uses Nuance's voice recognition technology for authentication and for spoken commands to Nina, the company's Siri-like virtual assistant. The bank partners with Daon for Touch ID and facial recognition.
USAA wants to improve security and convenience for mobile app users, according to Royer. Biometrics help take time out of the mobile app transaction, Royer said, which is helpful to military members who in many cases have little phone and computer time.
"They have very little time to talk to us and we don't want them to have to talk to us," Royer said. "They should focus on the mission, focus on their family. But when they do contact us, we want it to be simple and easy for them."
The technology is also helping USAA's call center, which has 14,000 agents.
Mobile app users can tap a "Contact Us" button on the USAA app, and as they get transferred to an agent, their credentials and customer information are passed to the rep. USAA calls this feature "call assist."
"The member service rep knows who you are based on the authentication, knows that you authenticated and is able to start a conversation without having to ask the member who are you, why are you calling me?" Royer said. "It takes that stressful part of the conversation out."