'Everything is breakable': Why BBVA wants to ditch passwords
Like banks everywhere, BBVA has struggled to strike the right balance between security and convenience. The bank's cybersecurity chief says it might have found the equalizer it has been looking for.
“The authentication process is always a risky process from a bank’s perspective,” said Juan Francisco Losa, BBVA’s global head of security architecture. “We need to ensure the identity of the person that is accessing our services and provide our clients with good service. So we are investing a lot around authentication processes.”
The bank said Tuesday that it has signed an agreement with Nok Nok Labs, vendor of an authentication platform that is compatible with a standard called FIDO (Fast Identity Online). Nok Nok Labs was the original driver behind the standard; today there are nearly 700 FIDO-compatible products, spanning device-based, fingerprint, voice and facial recognition. Nok Nok says its platform can work with all of them.
“BBVA is trying to provide frictionless, password-less environments for accessing the bank and using banking applications,” said Phil Dunkelberger, president and CEO of Nok Nok Labs.
Such investments “are core in our relationship with our clients, especially with the threat of identity impersonation fraud,” Losa said. Ideally, the technology should make BBVA’s digital channels more secure and easier to use at the same time.
“It’s a constant trade-off between usability and security controls,” Losa said. The bank perpetually analyzes its performance in the areas of customer experience and security.
Losa declined to say how much the bank is spending on the project and which forms of authentication the bank is deploying. Some components could be up and running within a month, he said. BBVA already uses facial, fingerprint, and iris recognition in some countries.
“We don't believe that there's one single mechanism that we can say this is the appropriate one,” Losa said. “It always depends on the channel, and security threats evolve constantly.”
BBVA has been tracking the progress of the FIDO Alliance for the past four years, Losa said.
“We believed this was the moment to move forward and commit to this standard — we feel this is becoming a de facto standard for online authentication,” he said. “Embracing these capabilities will help us to integrate in the ecosystem around online authentication.”
Getting past the password
Some banks in the U.S. have found biometric authentication limited, because if a user’s face or fingerprint does not work for some reason, the user can default back to a password, which leaves the bank with the same problem it started with — that passwords can be guessed, stolen or cracked by high-speed software.
FIDO technology does not default to a password, according to Dunkelberger. When a user enrolls, the device generates a public-private key pair: the private key never leaves the device, and the bank stores only the public key. At login the bank sends a random challenge; the device unlocks the private key only after the user passes the local check they enrolled with, such as facial recognition, signs the challenge, and the bank verifies that signature with the stored public key. The user's device also remembers which type of biometric the user signed up with and requests it.
“There is no shared secret like a password on your device — it's all based in on public-private key challenges,” Dunkelberger said.
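The public-private key challenge Dunkelberger describes, as an added example in Go that is not code from the original article, BBVA or Nok Nok Labs. It models a FIDO-style exchange with Ed25519: the device generates the key pair at enrollment and hands the bank only the public half; at login the bank issues a random challenge, the device signs it only after a local user-verification step, and the bank verifies the signature with the stored public key. The relying-party ID `bank.example`, the user `alice`, and the type and function names are assumptions for illustration; real FIDO2/WebAuthn additionally binds the browser origin and carries a signature counter and attestation, which this sketch omits.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
)

// Authenticator stands in for the user's device: one private key per relying
// party (keyed by rpID), never exported, usable only after local user verification.
type Authenticator map[string]ed25519.PrivateKey

// Register generates a key pair for rpID and hands back only the public half.
func (a Authenticator) Register(rpID string) ed25519.PublicKey {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err) // no entropy: fail closed
	}
	a[rpID] = priv
	return pub
}

// Assertion is the device's reply: the fields it signed plus the signature.
type Assertion struct {
	RPIDHash  [32]byte // binds the signature to one relying party
	Challenge []byte
	Signature []byte
}

func signedPayload(rpIDHash [32]byte, challenge []byte) []byte {
	return append(rpIDHash[:], challenge...)
}

// Assert signs the challenge; without user verification (biometric or PIN on a
// real device, a bool here) the private key stays locked and nothing is signed.
func (a Authenticator) Assert(rpID string, challenge []byte, userVerified bool) (*Assertion, error) {
	priv, ok := a[rpID]
	if !ok {
		return nil, errors.New("no credential for this relying party")
	}
	if !userVerified {
		return nil, errors.New("user verification failed; private key stays locked")
	}
	as := &Assertion{RPIDHash: sha256.Sum256([]byte(rpID)), Challenge: challenge}
	as.Signature = ed25519.Sign(priv, signedPayload(as.RPIDHash, challenge))
	return as, nil
}

// RelyingParty stands in for the bank: it stores public keys only, so a database
// dump gives an attacker nothing to replay, unlike a table of password hashes.
type RelyingParty struct {
	id      string
	pubKeys map[string]ed25519.PublicKey // user -> enrolled public key
	pending map[string][]byte            // user -> outstanding challenge
}

func NewRelyingParty(id string) *RelyingParty {
	return &RelyingParty{id: id, pubKeys: map[string]ed25519.PublicKey{}, pending: map[string][]byte{}}
}

func (rp *RelyingParty) Enroll(user string, pub ed25519.PublicKey) { rp.pubKeys[user] = pub }

// Challenge issues a fresh random nonce that can be answered exactly once.
func (rp *RelyingParty) Challenge(user string) []byte {
	c := make([]byte, 32)
	if _, err := rand.Read(c); err != nil {
		panic(err)
	}
	rp.pending[user] = c
	return c
}

// Verify accepts an assertion only if it answers the outstanding challenge (no
// replay), was signed for this relying party (not a lookalike), and verifies under the enrolled key.
func (rp *RelyingParty) Verify(user string, as *Assertion) error {
	want, ok := rp.pending[user]
	delete(rp.pending, user) // consumed whether or not the rest succeeds
	if !ok || !bytes.Equal(want, as.Challenge) {
		return errors.New("challenge mismatch or already used")
	}
	if as.RPIDHash != sha256.Sum256([]byte(rp.id)) {
		return errors.New("assertion was signed for a different relying party")
	}
	pub, ok := rp.pubKeys[user]
	if !ok || !ed25519.Verify(pub, signedPayload(as.RPIDHash, as.Challenge), as.Signature) {
		return errors.New("bad signature or unknown user")
	}
	return nil
}

func main() {
	auth, rp := Authenticator{}, NewRelyingParty("bank.example") // hypothetical relying-party ID
	rp.Enroll("alice", auth.Register("bank.example"))
	as, _ := auth.Assert("bank.example", rp.Challenge("alice"), true)
	fmt.Println("login:", rp.Verify("alice", as))  // login: <nil>
	fmt.Println("replay:", rp.Verify("alice", as)) // replay: challenge mismatch or already used
}
```

Three properties follow from the structure rather than from any secret the bank holds: a captured assertion is useless a second time because the challenge is consumed on first use; a lookalike site with a different relying-party ID cannot obtain a signature that the real bank will accept; and a breach of the bank's credential store exposes only public keys. The fallback problem raised above is also visible here: if user verification fails, the device returns an error instead of signing, and there is no password path to fall back to.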
Losa noted that BBVA will want to be flexible and adapt its methods of authentication with the times and with the risk level of a transaction.
“There's no silver bullet for doing those things,” Losa said. “We don't rely on that one single factor of authentication to reach the levels that BBVA wants to effect in our risk score. Cybersecurity risk analysts, from an authentication and a fraud perspective, need to make the decisions and trade-offs in every single process and revisit that with data constantly. In cybersecurity, nothing is perfect, everything is breakable. So a combination of factors, and revisiting those decisions constantly, is the way to go from our perspective.”
Using Nok Nok’s technology, Dunkelberger said, banks can keep the same risk systems behind the scenes, yet offer customers newer authentication mechanisms like facial recognition; the Nok Nok platform takes care of the communication between the two.
Identity impersonation and account takeover are high on Losa’s list of fraud concerns.
“Ensuring that our digital processes happen in a secure way, that's our obsession,” he said.