Why Your Body Is Important to Banking
Pick a complex password — full of numbers, symbols, letters that form no discernible words, etc. — and you'll find yourself scrambling to remember it at every login. Pick a simple password – your dog’s name, your alma mater, the word "Password" – and you'll leave yourself vulnerable to crafty hackers.
Fortunately, there's another way to log in to sensitive accounts that doesn't hinge on the reliability of your memory. Biometric authentication uses a person’s physical characteristics to verify his or her identity and keep fraudsters out of important accounts. In recent years, financial institutions, long a target of greedy hackers, have embraced varying forms of biometric authentication. Here's a look at four types used by leading banks and how they work.
Fingerprint scanning technology has been around for decades, but it was only in the last few years that banks began adopting fingerprint authentication for mobile banking. Why? Mobile phone manufacturers and software developers deserve much of the credit, said Hari Gopalkrishnan, the managing director of client-facing platforms technology at Bank of America. Gopalkrishnan said that Bank of America rolled out its fingerprint sign-in feature after many customers had already grown accustomed to using fingerprint scanning technology on their mobile phones. Companies like Apple and Google "trained users to press their fingers on their iPhones and Android devices and log into many platforms," Gopalkrishnan said. "We're leveraging customer behavior as it's being shaped by the broader ecosystem."
Proponents of fingerprint sign-ins tout a specific security feature: users' own phones match their fingerprints at each log-in, meaning that customers need not worry about having their biometric information stolen by cyberthieves hacking into some central database. "The biometric information is never leaving the phone," Gopalkrishnan said. But the bank does have additional security measures in place: especially sensitive transactions, such as a request to change an address associated with an account, may require customers to enter a specific code, for instance. The bank may also request additional information when the customer is using a brand new phone.
Some banks, including many in Brazil, have also adopted fingerprint scanning for ATM use, eliminating the need for ATM cards.
Science fiction films like 2002's Minority Report may have helped shape public perception – or at least, the public's imagination – of eye biometrics, but banks didn't quite take to the vision until much more recently with tech released by the software startup EyeVerify. Older forms of eye authentication, namely those that focus on a person’s retina or iris, require special hardware. EyeVerify's software, however, works with a mobile phone's own camera to map blood vessel patterns and other so-called microfeatures in the whites of a user’s eye.
"We just use the existing front-facing camera on your mobile devices. That is sufficient for us to take a selfie and pattern-match the vasculature in the eye," said EyeVerify marketing manager Kevin Schulte. The tech takes less than a second to work and, as with fingerprint scanning, the verification of the "eyeprint" happens on the mobile phone itself. EyeVerify counts more than a dozen financial institutions as customers, including Wells Fargo, which included EyeVerify in the bank’s accelerator program and rolled out the firm’s technology to customers last year.
Why stop at the eyes when your phone can recognize your entire face? USAA, the bank and insurer for military families, offers its mobile customers facial recognition — in addition to fingerprint and voice recognition — as a login option. Upon enrollment, the tech employed by USAA uses a smartphone's front-facing camera to "look" at your face for a few seconds and detect characteristics such as the distance between your eyes and the geometry of your nose. "It's creating a mathematical representation of your face," said Richard Davey, lead security advisor at USAA. "When you log on, it's running the same calculations again and comparing against what was enrolled."
Davey said the facial recognition technology used by USAA can work in bad lighting, when the user is blinking, or when a user who doesn't normally wear glasses puts on a pair. (He acknowledged, however, that the tech isn't perfect and, as with fingerprint scanning, it may take more than one try for facial recognition to succeed when a user attempts to log in.) USAA pairs its facial recognition feature, along with its other biometric authentication options, with an additional security layer — a frequently-changing, six-digit token code associated with a user's phone that the bank automatically verifies as the mobile user logs into his or her account.
What makes a person's voice special? It's more than you might think — so much, in fact, that it's enough to create yet another secure form of biometric authentication. Voice biometric authentication technology used by Citi, for instance, combines 130 different characteristics, such as a person's rate of speech and how she pronounces certain vowel sounds, to craft an individual "voice print" for each user. The tech, which launched in the US for credit card users in 2015 and in Asia for consumer banking customers the following year, can even detect differences in voices between identical twins, said Erica Stone, a senior vice president and project group manager of global operating function at Citi. "We've had twins say, 'My mom can't tell which one of us is talking, but the voice biometric system can tell the difference.'"
Citi uses voice authentication to verify customers who call its contact centers. After a customer enrolls in the program, her voice is automatically authenticated in each subsequent call. No specific phrases are required for voice authentication to work; voice prints can be matched in under 15 seconds as a customer explains the reason for her call, leading to a smoother customer service experience, Citi officials say. "We wanted it to be seamless," Stone said.
Citi's voice biometrics program, through its use of normal conversation, is an example of what's known as passive voice authentication. The alternative is active voice authentication, which requires users to utter specific phrases to have their voices matched. Active voice authentication is offered by USAA, whose customers record a couple of sentences — "My identity is secure because my voice is my passport. Verify me." — and use them to log into their accounts through their mobile devices. "The system learns to tell the difference between people's voices," said USAA's Davey, "because they're all saying the same thing."
As banks have rolled out biometric authentication options, their customers have been fairly quick to take advantage of them. Citi enrolled one million customers in its voice authentication program in Asia in under a year, while USAA, which introduced biometrics options in late 2014, says that some two million of its mobile banking customers now regularly use biometrics features to log in.
Biometrics, said Davey, achieve a key balance between security and convenience. If adoption rates are any indicator, apparently plenty of banking customers agree.
As head of client solutions for State Street’s Performance & Analytics business, Dax Johnson is responsible for product adoption, thought leadership, and business development activities. His team works with clients and prospects to understand their investment analytics needs, share best practices, and identify ways to best leverage State Street’s solutions. Dax is always on the lookout for a new travel destination to explore with his family.