Chase adds login step to fight Face ID spoofing, AI deepfakes 

  • Key insight: JPMorganChase is strengthening mobile banking authentication beyond biometrics.
  • What's at stake: Account takeover risk, reputational damage and fraud costs for retail banks.
  • Supporting data: 75% of new biometric users, and over 50% of existing users, enabled the new feature.

Source: Bullets generated by AI with editorial review

A string of recent robberies via smartphones highlights potential vulnerabilities with facial recognition, with criminals breaking into the victims' phones and emptying their bank accounts. 

To combat the risks of such crimes as well as the rising threat of AI deepfakes, JPMorganChase rolled out a new opt-in security feature in September called Extra Security at Sign-In, or ESASI, which gives users the option to require their device PIN as an additional safeguard when signing into the mobile banking app. 

"These were cases in New York where bar patrons were incapacitated and the bad actor yanked the phone out of that person's hand, put in front of their face, and then logged into their bank account and sent money via Zelle to themselves," said Goran Loncaric, managing director of product in the customer identity and authentication team at JPMorganChase. "If you're incapacitated and groggy, your eyes are still open and you will pass [Face ID]."

Scammers can successfully unlock a phone through Face ID by taking advantage of the victim's eyes being open, Loncaric said, but requiring a device PIN introduces additional friction. If the person is unconscious, they likely wouldn't be able to provide a device PIN and a thief would struggle to guess it.

ESASI is currently available to iOS users, and the bank plans to make it available to Android users in the next few months. Web banking users have been able to use a similar feature for two years, requiring verification of the device, with the option to add a one-time password at login. Customers who use ESASI for the web are three times less likely to have their accounts taken over by fraudsters, Loncaric said.

Securing consumer banking platforms

A major reason behind the bank's decision to launch the feature — for which it filed a patent earlier this year — is to build customer confidence in biometrics. ESASI is also part of a bigger effort to secure digital banking platforms from fraud risks. For example, the bank is rolling out passkeys, which replace passwords by using a pair of cryptographic keys: a private key stored securely on the customer's device and a public key held by the bank, allowing the customer to authenticate with biometrics or a PIN without ever entering a password. 

Passkeys are more secure than passwords because hackers can't steal them from a company's servers: The private key stays on the customer's device and can't be guessed, reused or phished, he explained. Chase has started rolling out passkeys for signing in and resetting passwords, with additional entry points expected soon.
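
The passkey exchange described above, as an added Go example that is not from the article or from Chase: the bank stores only a public key, and each sign-in is a signature over a one-time challenge plus the origin the device is talking to. It models the idea rather than WebAuthn's actual message format; Ed25519, the names Bank, Enroll, Sign and Verify, and the .example origins are assumptions made for illustration.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"fmt"
)

// Bank is the server side: it stores only the public key and open challenges.
type Bank struct {
	origin  string
	pub     ed25519.PublicKey
	pending map[string]bool
}

// Enroll makes the key pair; the private half stays with the caller (the device).
func Enroll(origin string) (ed25519.PrivateKey, *Bank) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	return priv, &Bank{origin, pub, map[string]bool{}}
}

// NewChallenge issues a fresh random value that can be answered only once.
func (b *Bank) NewChallenge() []byte {
	c := make([]byte, 32)
	rand.Read(c)
	b.pending[string(c)] = true
	return c
}

// Sign runs on the device and covers the origin it is talking to plus the challenge.
func Sign(priv ed25519.PrivateKey, origin string, challenge []byte) []byte {
	return ed25519.Sign(priv, append([]byte(origin+"\x00"), challenge...))
}

// Verify consumes the challenge and checks the signature against the bank's own origin.
func (b *Bank) Verify(challenge, sig []byte) bool {
	ok := b.pending[string(challenge)]
	delete(b.pending, string(challenge))
	return ok && ed25519.Verify(b.pub, append([]byte(b.origin+"\x00"), challenge...), sig)
}

func main() {
	priv, bank := Enroll("https://bank.example")
	c1, c2 := bank.NewChallenge(), bank.NewChallenge()
	good, relayed := Sign(priv, bank.origin, c1), Sign(priv, "https://bank-login.example", c2)
	fmt.Println(bank.Verify(c1, good), bank.Verify(c1, good), bank.Verify(c2, relayed)) // true false false
}
```

The three results are the genuine sign-in, the same assertion replayed, and an assertion produced for a look-alike origin and relayed to the bank. A copy of everything the Bank struct holds gives no way to produce a valid signature.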

In addition, the bank is working on defensive measures against emerging fraud threats, including AI-driven fraud.

"We are monitoring what's happening with AI — deepfakes, voice fakes, and so on," said Loncaric. "The features we're building extend that thinking into how we defend against, for example, fake voices on incoming calls."

Chase also rolled out a feature called Trusted Contact Person, a tool that allows users to name someone who will receive alerts about high-risk wire transfers, without giving that person access to the account or visibility into balances.

In a survey of 121 fraud, identity verification or cybersecurity executives at U.S. banks and credit unions earlier this year, American Banker found that 78% had seen an increase in fraud attempts across routine interactions, onboarding and account reverification.

Chase's moves show where the industry currently stands on security best practices, analysts said.

Daniel Garrett, head of digital services at consulting firm CRC-Oyster, said the bank's actions represent a barometer for where the industry is moving. 

"We're moving to a passwordless, risk-adaptive and contextual authentication [system]," he said.

Others said ESASI and similar efforts to secure digital banking authentication reflect a broader shift in how banks are responding to growing threats.

"I would probably call it precautionary," said Trace Fooshée, strategic advisor at Datos Insights. Fraud is "impacting a greater and greater number of consumers. I think it's becoming more and more mainstream … that more threats than ever are out there, in making payments and in conducting business online and on the mobile channel."

According to Chase, adoption of ESASI has exceeded expectations, with 75% of new biometric users and more than half of existing ones enabling the extra step, suggesting the added PIN provides another layer of protection without discouraging users at sign-in.

The result is a balance of added security with relatively easy authentication, which helps banks retain customers longer, said Glenn Kurban, a partner at technology consulting company Capco.
