Biometric Tipping Point: USAA Deploys Face, Voice Recognition
USAA is letting its members log in to mobile banking in the blink of an eye, literally.
The San Antonio financial services company has rolled out facial recognition technology across its entire membership base that lets them access its mobile app with a tap of their smartphone camera and a blink when prompted (to prove they're a live person and not a photo). USAA is also giving members the option of logging in with a spoken phrase.
This makes USAA the first major U.S. financial institution to deploy a full-scale rollout of voice and facial recognition. In an industry that has tried and failed to make biometric identification work for 50 years, USAA's efforts could be a significant turning point.
One key reason why is the immense popularity of the smartphone. Smartphone cameras let users employ their own hardware to capture their facial characteristics. Device identity also provides assurance that the smartphone belongs to the right customer.
"The ubiquitous adoption of the smartphone has altered the market: you no longer need kiosks or readers, the smartphone is a multifactor edge device" for biometric authentication, said Tom Grissen, CEO of Daon, the Fairfax, Va. software company that developed the biometric technology with USAA (Daon is working on similar projects with several large banks).
Decades of improvements in voice and facial recognition are also helping reduce false negatives and friction: facial recognition takes two seconds. And a growing exasperation with forgotten, lost or stolen passwords may drive people toward face- or voice-based logins.
"Four out of five end customers who have experienced the technology prefer it over a PIN or password," Grissen said.
Adoption so far has been impressive: 101,000 USAA members are using the biometric options. (All told, USAA has 10.7 million members, four million of whom use its mobile app.) Even members over 50, of whom little adoption was expected, prefer biometrics over having to remember an 11-digit password.
Security in a Selfie
The use of facial recognition for authentication is rare in banking.
According to Rick Swenson, fraud operational excellence and strategic initiatives executive at USAA, the company chose facial recognition so it could deliver biometrics to the largest base of Android and iOS users possible: all smartphones have cameras that make face capture quick and easy.
"The advantage of face over voice in our construction is it takes two seconds or less to take that picture of your face," Swenson said. "Voice requires a certain amount of dialogue, usually around 20 or so seconds, in order to validate the signature of the voice."
Voice recognition is also heavily reliant on environmental factors like background noise.
"If I'm at a Spurs game, and I take out my mobile phone and try to use voice recognition, it's not going to work because I have 100 people around me screaming and yelling at the same time," Swenson noted. "What will work at a Spurs game is my face."
Facial recognition, Swenson said, is impervious to just about anything except bad lighting.
What's to prevent someone from logging in with someone else's picture or a video?
The key thing, and what may turn out to be USAA's secret sauce, is the company uses device identification in the background, so each time a member logs in, an encrypted token is sent from their phone to USAA that is matched against the ID of the device registered at enrollment. So for a fraudster to successfully impersonate a member with a photo or video (or trying to mimic their voice), they would also have to steal the member's mobile device.
The other safety mechanism is that USAA requires the member to blink, which rules out the use of a static photo.
"Face is much, much more secure than just user name and password," Swenson said, pointing out that in 2014 alone, more than 500 million user names and passwords were stolen and many are being used by fraudsters to break into financial services firms.
Security experts give USAA's approach high marks, especially for the facial recognition technology that watches the eye region of an image and looks for the user to blink.
"This means someone can't just hold up a good picture of you and have it match," said Kevin Bowyer, chair of the Department of Computer Science & Engineering at the University of Notre Dame. "And they can't even replay a video of your face and have it match, because the face image or the video of your face would not be able to blink at the right moment."
The combination of requiring the right device, a face match and a blink at the right time should prove to be far more accurate and secure than a password, thumbprint or other single fingerprint, Bowyer said.
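The three checks described above (enrolled device, face match, blink at the prompted moment), sketched as a server-side verification. This is an added example, not USAA's or Daon's code; the HMAC token construction, single-use nonce, score threshold, timing window and every name in it are assumptions made for illustration.

```python
import hashlib
import hmac
import secrets

# Constructed enrollment record (assumption): one device and key per member.
ENROLLED = {"member-1": {"device_id": "dev-A", "device_key": b"k" * 32}}
MATCH_THRESHOLD = 0.90     # hypothetical face-match score cutoff
BLINK_WINDOW = (0.3, 2.0)  # seconds after the prompt in which a blink counts
SEEN_NONCES = set()        # challenges are single-use, so a captured token cannot be replayed


def new_challenge(delay_range=(1.0, 4.0)):
    """Server picks a fresh nonce and an unpredictable moment for the blink prompt."""
    lo, hi = delay_range
    delay = lo + secrets.randbelow(1000) / 1000 * (hi - lo)
    return {"nonce": secrets.token_bytes(16), "prompt_at": delay}


def device_token(device_key, device_id, nonce):
    """Client side: bind the login attempt to this device and this challenge."""
    return hmac.new(device_key, device_id.encode() + nonce, hashlib.sha256).digest()


def verify_login(member, challenge, device_id, token, match_score, blink_times):
    """Return (ok, reason); device, face match and prompted blink must all pass."""
    rec = ENROLLED.get(member)
    if rec is None or device_id != rec["device_id"]:
        return False, "unknown device"
    if challenge["nonce"] in SEEN_NONCES:
        return False, "challenge reused"
    SEEN_NONCES.add(challenge["nonce"])
    expected = device_token(rec["device_key"], device_id, challenge["nonce"])
    if not hmac.compare_digest(expected, token):
        return False, "bad device token"
    if match_score < MATCH_THRESHOLD:
        return False, "face mismatch"
    lo, hi = BLINK_WINDOW
    # blink_times are seconds from capture start, as reported by the liveness detector
    if not any(lo <= t - challenge["prompt_at"] <= hi for t in blink_times):
        return False, "no blink at prompt"
    return True, "ok"
```

A photo yields no blink times at all, and a recording fails whenever none of its blinks falls inside the window after the randomly timed prompt, so the window width and prompt randomness set how strong the liveness check is.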
But USAA is also allowing voice recognition, in part for circumstances like driving a car, when taking a photo would be inconvenient. The program asks members to read a short phrase out loud.
"This has a couple of advantages over plain, unscripted speaker recognition," said Bowyer. "A recording of your voice would not help someone get in as you, unless they had you saying the right phrase. And it may be possible to pick a phrase that makes matching your enrolled voice sample more accurate."
USAA members can opt to use a PIN, their face or their voice to log in, depending on their circumstances.
"You may be in a low-lighted restaurant where the camera isn't as effective, so you may choose to use your PIN," Swenson said. "Or if you're alone somewhere you might choose to use voice."
USAA says 94% of its members' biometric logins are successful on the first attempt and 100% on subsequent attempts. If a face recognition attempt doesn't register a match, perhaps because of lighting conditions, the app immediately lets the customer choose voice or PIN.
Age, Disguise Defying
One concern that often crops up with facial recognition is that someone could change their hair style, grow a beard, change their glasses, or wear a scarf that covers part of their face.
Swenson said USAA's technology analyzes facial bone structure and dimensions, allowing it to see through such alterations.
"Just before Christmas I enrolled myself in the biometrics, and over the holidays I grew a beard and mustache and started wearing my glasses, and I'm still using the same original biometric signature," he said.
"When I put my glasses and beard on, some of my friends don't recognize me, but our technology does," he said.
A scarf could change the success rate, he acknowledged. Bowyer suspects tinted glasses would also be a problem.
"If you wore sunglasses that made it impossible to see if your eye had blinked when you were asked to blink, I don't see how the system could recognize you," he said. "If you wear one brand of clear glasses one time, and a different brand another time, it probably can still recognize you, but likely not with the same level of accuracy."
In USAA's tests, even physical aging doesn't throw off the facial recognition technology. Swenson said it recognized his grandfather by matching a current photo against a picture taken when he was seven years old.
"I was amazed at how it was able to understand the facial structure that related to him at such a young age was still applicable at a different age," Swenson said.
Why Past Biometrics Pilots Have Failed
James Wayman, a professor at San Jose State University who has served as a biometrics consultant to several large credit card companies, noted that this industry has been toying with biometric authentication for 50 years.
"American Banker has been writing about biometrics since the 60s," he said. "I have articles from there that go all the way back." (Here's just one example from more than a decade ago.)
One historical challenge of biometrics is that people have ignored it, he said. "Apple came out with a computer, Lisa, with a built-in login device using voice, about 10 years ago, and nobody used it."
There's a tradeoff between security and convenience, and consumers often opt for convenience, especially where they don't see any personal risk.
"There has historically been a perception that biometrics creates friction but provides security," Grissen said. "The big difference with these large scale deployments is biometrics are quicker and easier than password or PIN."
Another sticking point for biometrics has been false negatives.
"If the false negative rate is 1%, that means 1% of the population doesn't get in at all," Wayman said. "I tried to use voice recognition on a smart phone in a train station once. That was a complete disaster."
While the technology behind voice and facial recognition has come a long way (the human-read voice prints of World War II that were used to determine whether Hitler was still alive have evolved into sophisticated computer algorithms), the ultimate test of accuracy for biometrics does not yet exist. Attempts have been made to develop methods for measuring biometric security, and a couple of ISO standards do exist.
"But it takes so long to test them that these systems aren't commercially available by the time you get the tests completed," Wayman said.
Will USAA Members Like It?
It is hard to tell whether USAA's blend of biometric options will prove popular with a broad range of users, Bowyer said.
"Will people like the idea of accessing their account by looking at the camera, blinking when told to blink, and speaking a phrase that they are told to speak?" he said. "It seems plausible to me that people will find this to be a usable, or maybe even a 'fun' interface. And it may give some level of confidence because it lets you 'feel' the security features. But it is always possible, as with introducing any new technology, that there will be some unanticipated element that people don't like."
But users might find the feature annoying if they had a cold and were wearing glasses that automatically darkened on a sunny day.
"And then I have to take my glasses off because it can't see me blink otherwise, but that makes it harder to read the phrase that I should speak, and my voice is rough because of my cold, and because of an odd combination of factors, I have trouble using the system," Bowyer said.
Wayman also wonders how popular this will prove to be.
"I use a pretty strong password for my online banking," he said. "If they gave me the choice of changing over to my voice or face, would that be more convenient? I don't know. If I have to blink when they tell me to blink, when I have to make sure the cell phone is not facing into the sun, that I'm not overly backlit, I have to make sure I'm in a fairly quiet environment so that the voice system works. We'll have to see what percentage of people suddenly go back to using a PIN."