No more Post-its: How one bank said goodbye to passwords
Why should consumers be the only ones freed from the burden of a password?
As more banks turn to biometric solutions to authenticate their customers, some are also looking at it as a way to make it easier for employees to do their jobs.
For instance, West Milton State Bank in Pennsylvania has deployed palm scan technology at workstations in its six branch locations. The move has allowed the bank’s employees to log in quicker and more securely than before, said Bill Weber, vice president of operations and technology.
The technology, from Fiserv, uses palm-vein authentication to grant employees access to any workstation or application. Employees hover their hand above the specially designed mouse and are validated in about a second, Weber said.
“Now they can log in to an application quickly instead of typing out longer passwords that require using the shift key and typing a combination of numerals and letters,” he said.
The move to biometrics started with a hunt for a different solution. Last year, the $400 million-asset bank was thinking of purchasing password vault software — a program that keeps a number of passwords in a secure digital location and requires a master password to access — after conducting a security audit.
“We found out people were writing down passwords, keeping them on Post-it notes and things like that,” Weber said. “Also, there were too many passwords and it was not as secure as it could be.”
After sitting in on a demo of the Fiserv technology, Weber decided that instead of trying to manage passwords better, the bank should try to eliminate them as much as possible. West Milton was already a core systems customer of Fiserv.
“Rather than purchase software for a [password] vault, we thought this was a perfect fit,” Weber said. “Some employees log in [to different applications] 50 times per day. Over the course of a day this saves a lot of valuable time.”
The bank first implemented the technology in the “high risk” area of finance before moving to other parts of the bank, Weber said. Fiserv had offered this technology to its bank customers for authenticating in-branch transactions, but launched this back-office capability late last year after hearing feedback from banks seeking to create more efficient workflows, said Chris Van der Stad, chief technology officer for Fiserv’s open solutions division.
“From an employee point of view, it makes their jobs easier to interact with clients,” he said, adding that around 50 banks have purchased the technology so far this year.
As biometrics become more common on the consumer side, expect more banks to start implementing them in the back office, said Shirley Inscoe, a senior analyst with Aite Group.
“I’ve heard some pretty incredible numbers on what it costs [for a bank IT staff] to do simple password resets; when you talk about dozens or hundreds it gets pretty expensive,” she said. “Replacing passwords, whether it’s with biometrics or something else, will lead to better operational efficiency. I think the next five to 10 years we’ll see the demise of the username and password.”
Still, Inscoe advised banks to be conscious of employees’ comfort levels before blanket implementing new authentication methods. She said Aite conducted a recent consumer poll on biometrics, and found that while millennials by and large liked using it as an authentication method, older consumers were more comfortable with knowledge-based out-of-wallet authentication.
“You just have to be sensitive with people’s comfort levels,” she said.
Weber said so far there have been no major employee concerns related to the new authentication method. He said the biometric authentication technology also saves his IT staff time spent on more menial tasks such as password retrieval, so they can use their time more efficiently.
“For employees, they don’t get locked out anymore; beforehand if they typed in the wrong password three times they would get locked out,” he explained. “Then they would have to contact the IT staff, and they would then have to open someone’s password file, reset passwords. Even if [the IT staff] only spends a few minutes each time doing this, it now saves them that time and they can be working on something else.”
Weber added that biometrics also provide more security against cyberattacks.
Phishing attacks and keylogging attacks are minimized “because there’s no logging of passwords,” he said. After all, for attackers, passwords are “easy to compromise, and for employees they are hard to remember.”