Sorting out the authentication mess for omnichannel banking
Rizwan Khalfan thinks accessing his bank account ought to be like getting into the Acura MDX he shares with his wife.
"I expect it to recognize me," said Khalfan, who is the chief digital officer at TD Bank Group. "I don't have to give a password. When I insert the key, it knows I'm the driver and it adjusts everything from the seat settings to the mirrors to the side mirrors to the temperature."
TD Bank is hoping to create a similar experience — personalized and persistent authentication across all its channels — using technology from Transmit Security, a startup that officially launched Wednesday.
"The world we live in is a connected world, and whether it's in the physical or digital, I don't want to be continuously authenticating myself," Khalfan said. "I have an expectation [that] the service will recognize who I am and my identity and true authentication will be persistent as I go from one aspect of my life to another."
Transmit is providing a platform that lets banks plug authenticators of all kinds — from various types of biometrics to one-time passwords — into their various delivery channels. The startup vets and tests all the point solutions, from vendors like Nuance, Daon and Pindrop. It also handles the integration and provides the bank a console for managing authentication. Fellow startup HYPR as well as Visa are working on similar platforms.
This removes a pain point for the financial institutions that have been offering biometrics in a one-off manner.
"Over time, we've been building these point solutions," Khalfan said. "In the call center you might use voice recognition. If they use a mobile device you ask for a password, challenge questions, TouchID. If they have a face-to-face interaction, they dip their card. All these point solutions are becoming difficult to manage, and the experience you're delivering to a customer is not seamless."
Transmit is betting that a platform that untangles the web of solutions and channels will be attractive. The company's founders, Mickey Boodaei and Rakesh Loonkar, previously created online banking security company Trusteer, which was acquired by IBM in 2013. They are funding the business with their own money, $20 million each. The founders are also hoping banks will be drawn to a platform in which biometric solutions have already been integrated.
"The biggest enterprises spend hundreds of millions of dollars a year on developers that are tying all this stuff together," said Rakesh Loonkar, president and co-founder of Transmit. "They enter the software development cycle every time they want to add an identity feature in a channel, and it can take 6-18 months. Whenever they implement these new tools, they have to tie everything together with success and failure logic and they have to make it all work based on the ideal user experience."
Such platforms could also help overcome the fact that each type of biometric has its own finicky vulnerabilities: Voice recognition doesn't work in noisy environments, facial recognition doesn't work in dark places, and for many people, their fingerprints can't be read at all due to years of physical labor or playing a musical instrument. Omnichannel authentication platforms let banks offer several backup options in the event the first biometric doesn't work.
The technology is also intended to give customers a better experience. They can choose the type of login they prefer — one person might want to use a selfie, another a fingerprint — and make that the way they contact their bank every time, no matter what channel they use.
"Offering customers the ability to use a variety of biometric modalities allows them to use solutions that they are most comfortable with and it limits access challenges related to the environment and customer," said Al Pascual, senior vice president, research director and head of fraud and security at Javelin Strategy and Research. "And having all of this available from a single vendor means less complexity on the back end."
TD Bank has already integrated its call center and mobile app logins through Transmit, so a customer in an authenticated session on a mobile device can tap a button to speak with an advisor without having to re-authenticate.
Using Transmit's authentication engine, which is based on application program interfaces, the bank will plug in additional biometrics it considers best in class. The bank plans to roll out new biometric authentication methods channel by channel throughout 2017.
"We're thinking of making the one-time password one of the next capabilities," Khalfan said.
The bank also plans to rewire biometrics it currently uses, such as voice recognition for its wealth management customers, into the Transmit platform.
Not everyone has jumped on this bandwagon yet.
For instance, USAA, which has been a pioneer in biometrics, does not offer biometric authentication across multiple channels.
"Biometrics is the primary authenticator of choice in our mobile app," said Gary McAlum, chief security officer at USAA. In other channels, it provides SMS, token and email authentication. "While we are not opposed to the idea of using biometrics across multiple channels, it is important that the experience and functionality meet the high expectation that our members have for us."
There are a few things banks should look out for as they assess these solutions.
One is to make sure the performance of each underlying biometric technology is reliable. It will reflect badly on a bank if a biometric doesn't work well, if too many bad actors are accepted, or many legitimate users are misidentified as sketchy.
Transmit has a research team of biometric experts drawn from Israeli military units who help assess each biometric vendor that's added to the platform or that customers are considering.
George Avetisov, CEO and co-founder of HYPR, says his company thoroughly tests the rejection and acceptance rates for each biometric technology it works with, as well as the usability of the biometric sensors. If 8% of users had trouble with a fingerprint sensor, for instance, HYPR wouldn't offer it to its customers, which he says include three of the top ten global banks.
HYPR provides a control panel through which banks can turn various biometrics on and off.
Banks need to risk-weight the outputs of the different biometric solutions, taking into consideration each method's inherent vulnerabilities and known performance capabilities, Pascual noted.
HYPR accommodates this by letting clients set rules: If a customer is logging in from her home IP address and just checking her balance, a fingerprint might be enough. If the customer is logging in from an IP address in China and trying to wire $10,000, the system might require two or three different types of biometric authentication. (The default settings have commonly used logic built in, such as requiring two forms of biometrics for any transaction over $500.)
Loonkar said Transmit lets its customers offer a stronger biometric or offer multiple authenticators at one time, based on what the application owner configures.
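The kind of risk-weighted step-up policy described in the last three paragraphs, written out as an added example (this is not HYPR's or Transmit's code). The per-method point values, the context fields and the thresholds are assumed values chosen to reproduce the article's rules of thumb: a trusted-IP balance check passes on one fingerprint, a wire over $500 needs a second factor, and a $10,000 wire from an unfamiliar address and country needs three biometrics.

```python
from dataclasses import dataclass

# Assumed assurance points per passed authenticator. Lower values reflect
# each method's known weaknesses (lighting, noise, spoofability).
METHOD_POINTS = {
    "fingerprint": 10,
    "face": 10,
    "voice": 9,       # degraded in noisy environments
    "otp_sms": 6,     # phone-bound one-time code, not a biometric
    "pin": 3,         # knowledge factor, kept for fallback only
}

@dataclass
class LoginContext:
    ip_is_trusted: bool     # e.g. matches the customer's usual home address
    country_matches: bool   # geolocation agrees with the customer's profile
    action: str             # "balance" or "transfer"
    amount: float = 0.0     # transfer amount in dollars

def required_points(ctx: LoginContext) -> int:
    """Assurance the session must reach before the action is allowed."""
    needed = 10                        # baseline: one strong biometric
    if ctx.action == "transfer":
        if ctx.amount > 500:           # the article's default rule: two forms
            needed += 10
        if ctx.amount >= 10_000:       # large wires need still more
            needed += 3
    if not ctx.ip_is_trusted:          # unfamiliar network raises the bar
        needed += 3
    if not ctx.country_matches:        # and so does an unexpected geography
        needed += 2
    return needed

def decide(ctx: LoginContext, passed: list[str]) -> dict:
    """Allow the action, or list the strongest methods still worth stepping up to."""
    achieved = sum(METHOD_POINTS[m] for m in set(passed))   # each method counts once
    needed = required_points(ctx)
    remaining = [m for m, _ in sorted(METHOD_POINTS.items(), key=lambda kv: -kv[1])
                 if m not in passed]
    return {"allow": achieved >= needed, "achieved": achieved,
            "needed": needed, "step_up": [] if achieved >= needed else remaining}
```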
Another major consideration is making sure that when a biometric fails, the fallback solution can't be easily spoofed. For instance, if a sensor doesn't recognize my fingerprint and I can type in my PIN instead, and that PIN can be brute-forced, or continually guessed until unlocked, the biometric hasn't done any good.
"The fallback is the challenge right now," said Avetisov. "This is where banks are still trying to figure things out."
Banks tend to default to a PIN, a password or a set of challenge questions.
Identity theft, of course, is a concern for any type of authentication. If the registration process is easy, hackers will figure out a way to attach stolen identity information to their own biometrics, allowing them to easily log in as someone else and/or set up an account in another person's name. Banks will have to figure out the right degree of checks that will prove a user's identity without becoming too time-consuming or cumbersome a process.
The eventual goal is to get rid of passwords completely. This is likely to take years.
Editor at Large Penny Crosman welcomes feedback at firstname.lastname@example.org.