This month, Bank of America will begin piloting technology from Samsung that lets customers log in to mobile banking by taking a picture of their eye.
The pilot is part of a broader effort to gauge customers' affinity for various forms of biometric authentication, says Michelle Moore, head of digital banking at Bank of America.
“One thing we know we need to work on with our customers is, even in today’s day and age of digital natives, there are questions about safety and security,” she said.
Biometric solutions are part of the answer. The bank is studying what other companies are doing, inside and outside the financial industry, and it’s learning what customers want.
Moore says it is not about chasing the next thing. Introducing new biometrics tools helps to advance the bank in building a digital identity for its customers that will make authentication easy.
“At some point, passwords will be a thing of the past and we need to take friction out of the authentication and verification process,” Moore said. “It’s not just biometrics. It’s really around who you are, the Bank of America customer, what is your digital ID, and no matter which channel you choose to interact with us, you can use that identity to authenticate and let us know you are who you say you are.”
Half of the bank’s mobile app users are using fingerprint authentication, which B of A rolled out in 2015. In addition to the iris scanning pilot, it is exploring the use of facial scanning and voice recognition.
About 1,500 B of A and Samsung employees will test the Samsung technology for about six weeks. Thirty to 35% of Bank of America customers have Samsung phones, Moore said. To make sure the pilot results aren’t biased, people being chosen for the pilot mirror the bank’s customer population.
What the bank is hoping to learn from the Samsung pilot is if customers will use it, if they understand it, if they will find it convenient and easy to use.
“What do they think about the difference between iris scanning and fingerprint scanning? Does it make them more likely to use mobile to log in?" Moore said.
She’s tried it herself and found it “supereasy,” she said.
Still, about half of the app’s users are creatures of habit. “They want to use their online ID and password,” Moore said.
Is iris scanning having a moment?
Eye scanning isn't brand new in banking: Wells Fargo has been testing it in commercial banking with EyeVerify, which is now owned by Ant Financial, for more than a year. But where EyeVerify analyzes each person's unique pattern of eye veins to verify their identity, the Samsung technology measures the customer's iris, which requires an infrared camera. Samsung is the only phone manufacturer that embeds this type of camera in some of its phones.
The British bank TSB recently announced plans to roll out iris scanning technology for its mobile banking app in September, also with Samsung. But few, if any, U.S. banks have tried this.
So, getting a large bank like Bank of America to sign up for this is a coup for Samsung.
Samsung’s first foray into iris scanning was unfortunately with the Galaxy Note 7.
“No fault of the iris scanning technology, the Note 7 did not fare well,” said Al Pascual, senior vice president and research director at Javelin Strategy & Research. Iris recognition “got buried in the story of exploding batteries.”
Samsung declined requests for an interview.
EyeLock, which also offers iris authentication technology, works with internet-of-things devices and signed a deal with chipmaker Qualcomm last week.
Jeff Carter, EyeLock’s chief technology officer, said he expects that infrared cameras are coming, by the billions.
In studies Javelin has conducted, consumers score eye scanning high in perceived effectiveness and as something they would be willing to use.
“People are really familiar with how fingerprints work. Right behind fingerprints are eye scanning technologies,” Pascual said. “They’re quite a bit ahead of facial recognition and way beyond, as far as consumer perception is concerned, voice recognition. It’s really a matter of getting the experience right.”
Consumers can easily imagine their voice being recorded and reused, Pascual says.
He sees this as Samsung’s Touch ID moment.
“Apple made tremendous inroads and essentially changed the game when it came to biometrics with Touch ID,” he said. “Samsung is looking for that same kind of opportunity with the iris scanning technology.”
In the past, people have expressed "Minority Report"-style fears that iris scans could be stolen and repurposed.
“I think those kinds of fears rest more with the pundits than with actual consumers,” Pascual said.
The Chaos Computer Club recently demonstrated in a video that iris scanning technology is not spoof-proof. The group showed it can fake out an iris recognition system with a contact lens placed over a photo of an eye.
Pascual said that even if it is possible to breach, criminals are likely more interested in easier gets.
“When criminals can steal or guess for free millions of usernames and passwords and compromised bank accounts from the leisure of their living room or their office, going out and stealing someone’s device and then going through this elaborate process to recreate an iris is just not practical,” he said. “The ROI isn’t there.”
Moore added that Bank of America isn’t using biometrics as the only authenticator.
“There are other security measures in addition to authenticating yourself with your thumbprint and your iris,” she said. “We have device fingerprinting. We know who you are, the last time you logged in, there’s a lot of security behind that initial authentication setup. We have to spend our time educating customers in the entire end-to-end way we protect you.”
Growing range of biometric options
The myriad forms of biometric authentication are a blessing and a curse, Pascual observed.
“There’s all this great technology coming out at a pretty regular pace to better authenticate customers, but from a bank’s perspective, how do you manage that complexity?” he said.
Effectively managing risk, integrating the technologies and using them creates cost and complexity.
“You have the head of digital saying, ‘I love this, this is wonderful, I saw this on this new app I downloaded, why can’t we do this?’ ” Pascual said. “The fraud and security teams love bringing down fraud and improving security, but at the same time using a platform that was never designed to accommodate it doesn’t fit in with the risk-based authentication, so they have to redesign their rules and figure out how to roll it out over time.”
Editor at Large Penny Crosman welcomes feedback at firstname.lastname@example.org.