Fingerprints, voice recognition, iris scans and selfies — these are just some of the ways banks and card issuers are increasing account security beyond the age-old password.
In fact, a handful of banks aim to phase out passwords altogether over the next few years with the help of biometric authentication. In 2004, Bill Gates predicted that passwords would be replaced by other technology. In 2017, that appears to be starting to happen.
With identification tools like these, who needs passwords?
Bank of America and Wells Fargo are among a growing number of U.S. banks using fingerprint verification, and in April 2017, Mastercard unveiled a credit card with fingerprint authentication that it’s been testing at stores in South Africa.
Wells Fargo introduced Touch ID for its iOS mobile banking app about a year ago and began rolling out fingerprint sign-in for Android this spring. Bank of America has offered fingerprint sign-in for mobile banking customers on iOS and Android since 2015.
Both banks say about a third of mobile banking customers have enabled fingerprint identification, which may be attributed at least in part to the fact that many smartphone users are already comfortable using a touch to unlock their phone.
In the Mastercard fingerprint authentication test, which follows a rollout in Europe of selfies for cardholder identification, a cardholder’s fingerprint is converted to an encrypted digital template that’s stored on the card.
How it works: When paying in stores, a customer with a biometric card places his or her finger on the embedded sensor. The fingerprint is compared to the template. If the biometrics match, the cardholder’s purchase is authenticated.
For customers, the card never leaves his or her hand, and a future version of the Mastercard will include contactless technology to speed checkout. For issuers, Mastercard says the technology helps detect and prevent fraud and reduces operational costs (the biometric card works with existing EMV card terminals).
At Wells Fargo, in addition to fingerprints, voice verification helps to streamline calls to customer service.
“Every meaningful customer interaction starts with authentication,” says Adam Vancini, head of operations for Wells Fargo virtual channels. “The core things we focus on is making it simple for the customer and secure for the customer.” (Bank of America has done voice biometrics pilots.)
Voice verification (in which a customer says “My voice is my password; please verify me”) not only prevents criminals from impersonating bank customers, but it also helps customers get the answers they need more quickly.
Voice verification is not foolproof, though. In May, a BBC reporter and his twin managed to fool HSBC’s Voice IDauthentication service. It took eight attempts by the reporter to mimic his brother’s voice to pass the security check, though. Once he passed the voice test, the reporter was able to review recent transactions, check his brother’s balance and move money between accounts.
Security experts say any biometric system can be hacked, but fingerprints, voice prints, iris scans and other personal characteristics are harder to crack than a password.
Another recent development at Wells Fargo: eye prints to authenticate commercial banking customers on the mobile app. Using Eyeprint ID software, the camera phone takes an image of the user’s eye, converts veins and other details into digital code and matches it against the code on file.
“We’re waiting to see how the adoption of that works and how comfortable customers get with that,” Vancini says.
The end of the password?
Using a variety of methods, Wells Fargo has an “aspirational goal of eradicating passwords” and personal details like one’s Social Security number or debit card number or account number to access accounts, Vancini says.
U.S. Bank has a similar goal of 86-ing the password. Over the next few years, its online banking and mobile customers will get higher-tech options for verification.
“We will have a customer control panel in mobile banking this year that will allow customers to choose something other than challenge questions as their step-up authentication,” Jason Witty, chief information security officer at the bank, said in an emailed statement.
“Over the next couple of years, we will also allow them to self-select something other than password authorization for their login,” He said. Facial recognition is one option U.S. Bank is exploring.
It’s no surprise bank customers want to ditch the password. A 2016 survey by Gigya found that more than half (52 percent) of the 4,000 consumers surveyed in the U.S. and U.K. would choose anything but the typical username and password for account registration if presented with other options.
Bank of America’s Hari Gopalkrishnan, managing director, client facing platforms technology, says the use of fingerprint verification grew out of customer requests for a fast, frictionless way to check their balances or make payments on the app.
“Customers no longer want to come to our website once a month,” he says. “They want to check 10, 15 times a day.”
Then as customers transition from the mobile app to calling customer support, “we authenticate you seamlessly,” Gopalkrishnan adds. “The first question isn’t ‘who are you and what’s your mother’s maiden name?'”
In addition to verifying customers’ identities through fingerprint scans, Gopalkrishnan says the bank also has technology working on the back-end to understand who is holding the device, if it might be stolen or jailbroken or if the app identifies a login from a new place.
Two-factor and multi-factor authentication
The rollout of biometrics by banks and card issuers ties into a broader push toward two-factor authentication or multi-factor authentication, which requires two items such as a piece of knowledge (a password or PIN), a physical object such as a credit card or unique identifier such as an iris scan or fingerprint. In other words, something you know, something you have or something you are.
In New York state, new cybersecurity laws that went into effect March 1, 2017, require banks, insurance companies and other financial institutions that are regulated by the New York Department of Financial Services use multi-factor authentication to guard against unauthorized access.
Quontic Bank, which operates in Florida, Indiana, Virginia and New York, is implementing fingerprint identification for users of its iOS banking app. The bank began working on this transition last August, long before the New York state cybersecurity regulation took effect.
“We found this is a secure way, probably even more than a password, to gain access to your accounts because of your fingerprint being unique to you,” says Drew Sandholm, marketing director for Quontic Bank. “It’s not something someone can phish. We’re really excited about the possibility of getting into biometric identification via your retina.”
Exciting indeed. The biometrics identification possibilities — the James Bond-esque tools and devices that Bill Gates predicted would be the death of the password over a decade ago — are becoming the norm at big banks, and even smaller ones like Quontic.
For banks and credit card issuers, the challenge, as they roll out new biometrics features, is ensuring customer convenience and security. “Security always wins, but we think we can do a good job of balancing the two,” says Bank of America’s Gopalkrishnan.
Editor’s note: This story, “Abolish the password? Card issuers are working on that” originally was posted on CreditCards.com.