Moving From Passwords to Biometric Banking
As digital transformation continues across all industries, the need for an increasing number of passwords is becoming problematic. Financial institutions need to investigate acceptable alternatives that balance security and simplicity.
For financial institutions, one of the primary goals of digitization is to improve the simplicity of banking. In an effort to improve the user experience, one of the stumbling blocks has been the password authentication process needed to access mobile banking. Combining the need to improve the security of accessing accounts due to increased data breaches, with a desire for greater ease of use, is a difficult balancing act.
At the root of the problem is that the more services we use, the more passwords we’re forced to remember. It’s not the passwords themselves that are the problem, it is the scale at which people have to manage and remember usernames and passwords. It’s simply too much. In fact, it is expected that within five years consumers will have, on average, over 200 accounts requiring passwords.
Managing an increasing number of passwords is becoming a challenge for almost all digital consumers. In response, consumers have taken a number of different paths.
- Using the same passwords for all accounts. Obviously the worst of all options due to the “domino effect,” allowing all accounts with the same password to be breached.
- Using different password variations. This combines a perceived increased level of security with a relative ease of use.
- Using technology to generate or save strong passwords. The most secure of the options, but the most cumbersome from the user perspective.
According to a research study done by Telesign, 73% of adults in the US and UK use the same password for everything. In addition, more than half of consumers (54%) use five or fewer passwords across their entire online life, while 22% use just three or fewer. Finally, almost half (47%) of consumers rely on a password that hasn’t been changed for five years.
The problem is that even with the best of systems, password authentication doesn’t scale well. The more digital services a consumer uses (even beyond banking), the more passwords they’re forced to remember. Even if only a few passwords are used with slight variations, it is difficult to keep up with which account goes with which variation. The result is the tedious “forgotten password” function, which often requires the creation of an additional password.
The response by banks and credit unions should not be to relax password standards. So what are our real options to safely and securely authenticate people and protect their sensitive information? There are an increasing number of options being introduced every day (as witnessed in recent Finovate events). Here are some of the options we have today (thanks to Drew Thomas writing for Smashing Magazine).
- Traditional Username/Password. The most understood and trusted method for most people, this also tends to be the least secure because of how people create and remember passwords. In addition, when a password is forgotten, the process of recovering a forgotten password is often not user friendly.
- Passphrase. Passphrases are both more secure than passwords and they’re easier to remember. The challenge is that more typing is required which can be difficult on a mobile device. Simple has used passphrases since the mobile bank’s inception.
- Two-Factor Authentication. In this option, after a username/password combination is verified, a unique code or URL is either emailed or texted to the person trying to sign in. Google uses this option which works as long as the consumer’s phone is nearby.
- Social Sign-In. Uses a third-party service or app with Facebook, LinkedIn or Twitter. While simple to use, the user needs to have a social media account, trust social media and not work in an environment that may block social media sites.
- Passwordless. The person signing in only has to remember their username, email or phone number, and they receive a unique code to complete the sign-in, with no password needed. The code sent expires quickly or after use.
- Biometric. The use of fingerprints, retina scans, facial recognition, voice recognition and more is where authentication seems to be heading. The most common example is Apple’s Touch ID. While the majority of progress in this space is with mobile devices, hardware for computer use, etc. is catching up.
- Connected Devices. This uses a pre-established Bluetooth (or similar) connection from one device to another that has already authenticated someone. For instance, using your phone to authenticate use of computer online banking.
No matter what process is used, we need to reduce friction in the sign-in process. While there are a number of options in theory, nothing has established itself as the new standard for digital security. The key is that people want to feel secure while signing in, and they need to know that their information is secure. If we push authentication too far, users won’t trust it.
The Move to Biometrics
Paul Lee, head of technology, media and telecoms research at Deloitte, said that using fingerprints to access email, online banking, streaming services such as Spotify and Netflix, and newspaper subscriptions would help consumers overwhelmed by the number of passwords they have to remember. “You can share a password but not a fingerprint,” said Mr Lee.
In the report, A World Beyond Passwords, Deloitte said that while fingerprints had taken a long time to gain traction, the technology had taken off during the past three years. The company interviewed 4,000 people and said that 31% of 18-24 year olds were using the fingerprint scanners on their phones, compared with 8% of those aged over 65. Deloitte predicts there will be one billion smartphones with fingerprint readers in use by the end of 2017 and that the technology will spread to cheaper models.
Big banks increasingly are offering customers the option of using fingerprints, voices, retina scans and other biometric technologies to access their accounts instead of passwords. Convenience for consumers and better security in a time of rampant data breaches are fueling the switch.
Biometric authentication is “difficult to mimic and easy for people to use,” said Tom Trebilcock, senior vice president of digital at Pittsburgh-based PNC Bank, where customers with Apple iPhones equipped with Touch ID have the option of ditching passwords for fingerprints. “Looking out years from now, I expect the days for passwords are numbered,” he said.
While PNC offers fingerprint access to mobile banking customers to check balances and perform most other mobile banking transactions, they must use passwords when transferring money out of their accounts, such as when paying bills. Some banks are also employing geolocation tracking combined with biometric security. If an account holder’s phone is out of its normal range, a password is needed to access the account.
Even biometric technologies are not failsafe – many are difficult to spoof but are not spoof-proof. Having multiple, cascaded gatekeepers fortifies security by requiring additional checkpoints. The more different proofs of identity required through separate routes, the more difficult it is for a thief to steal a consumer’s identity or to impersonate them. Likewise, consumer platforms are paving the way by providing improved user experience by empowering consumers to choose how they access digital information.
According to Deloitte, one of the most intriguing possibilities in new access controls is risk-based authorization, a dynamic system which grants access depending on the trustworthiness of the user requesting admission and the sensitivity of the information under protection. This option uses machine learning to authenticate users based on multiple assessments of their behavior. Using sensors such as the camera, accelerometer, and GPS functions, smartphones can gather a wide range of information about users, including typical facial expressions, their habitual geolocations, and how they type, walk, and talk.
Together, these factors are 10 times safer than fingerprints and 100 times safer than four-digit PINs, says Deloitte. With such capabilities, a user’s phone, or another device, can constantly calculate a trust score – a level of confidence – that the user is who he claims to be.
An Important Step in Digital Transformation
Technological advances are giving financial services organizations the opportunity to begin moving beyond passwords. Given the poor user experience associated with passwords, rising costs, and the security weaknesses, banks and credit unions should look into migrating to new digital authentication systems that meet the twin objectives of tightening protection and improving user experience.
According to Deloitte, “Organizations can begin their journey by starting to invest in non-password-based authentication solutions now as part of their digital transformation efforts, such as the rapid adoption of software-as-a-service platforms and omnichannel customer engagement initiatives. These new solution areas can serve as the foundation for broader enterprise authentication initiatives, which may take time.”
While passwords may continue to be the standard for some time given legacy platform constraints and technology limitations, the integration of non-password authentication options should be part of every organization’s strategic priorities before another major breach forces the industry to act unilaterally.
via The Financial Brand http://ift.tt/HrsR9d
October 3, 2016 at 02:58PM