Banks are starting to question just how effective passwords really are at protecting their customers’ accounts. Customers also increasingly view passwords as outdated and insecure, particularly for use on mobile devices.
Tech pundits have speculated that biometrics will soon replace the use of passwords on mobile devices and that the financial industry will be leading the transition.
Why banking? Most importantly: why mobile biometrics?
The Problem with Passwords
Login credentials get stolen all of the time. The 2017 Verizon Data Breach Investigations Report (DBIR) found that in 2016, 81 percent of data breaches were due to hackers who leveraged either stolen or weak passwords.
Think of it this way: according to Dashlane, the average U.S. consumer has 130 accounts associated with one email address. That’s a lot of passwords to remember, which is why many people use the same credentials across multiple accounts. So if a hacker steals the username and password for one account, he or she will have a better chance of hacking other services.
Customer service leaders are well aware that following login credential best practices doesn’t necessarily correlate with a good user experience: it’s not really convenient to change an online banking password every 30 days, especially when those passwords have to be 10 characters long and include non-alphanumeric characters.
iovation, a company that specializes in authentication technology, surveyed 1,100 consumers on what they thought of online and mobile banking experiences. The researchers interviewed people across four generations: millennials, generation X, baby boomers and seniors.
The majority of respondents (85 percent) didn’t feel confident in passwords’ ability to protect their account information, but many were open to the idea of using alternative authentication methods.
Most millennials (85 percent) believed fingerprint scanning was the most effective way to securely access their bank accounts. Generation Xers weren’t far behind – 75 percent said they’d rather use fingerprint scanning than usernames and passwords. Even 76 percent of baby boomers said fingerprint biometrics are a better choice than traditional credentials.
The Convenience of Mobile Biometrics
By 2022, the mobile biometrics market will be worth $49.33 billion, according to a report from MarketsandMarkets. When you consider how accessible biometrics technology is nowadays, the research firm’s conclusions aren’t that surprising.
A big reason for their popularity is that biometrics are so convenient. They don’t need to be remembered, and they are always with us: our face, our fingerprint, our voice, even our eyes. One can imagine that in the near future, securely accessing devices and websites will require almost no effort.
Enterprises can also integrate fingerprint and facial recognition into their operations through Biometrics-as-a-Service subscriptions available through web APIs. Instead of hiring a team of developers, expanding server resources and installing “big data” ecosystems capable of managing biometric information, banks can use a web service that gives them access to those resources.
Why Biometrics Are More Secure Than Passwords
Biometrics are powerful because, while they’re not “secret” like passwords, they can’t simply be “typed” by a fraudster the way a password can, and they are extremely difficult to recreate.
Biometrics add a barrier on top of other security mechanisms, enabling “multi-factor authentication”. Their use requires the physical presence of the individual to authenticate, and biometrics can be “bound” to the mobile device or PC so that the user can authenticate only with biometrics collected on that particular device.
This is not the case with passwords. Fraudsters can employ phishing attacks, where they masquerade as a customer service representative or send an email asking someone to disclose his or her login information. In contrast, you can’t ask someone to disclose his or her biometric data, because it’s not something he or she could give away.
Facial recognition is a popular biometric modality largely because it is so convenient. The performance of facial recognition is improving exponentially because of the vast troves of data that can be used to train the algorithms. But that ubiquity of digital facial images also creates a security challenge, because fraudsters can potentially use selfies of their victim easily found on the internet to impersonate them. For this reason, using facial recognition for authentication requires “liveness detection” that makes this type of “spoofing” attack much more difficult.
As for storing biometric data, there are methods for biometric authentication that do not require central storage of biometric data. One standard for device-based authentication is FIDO, and it’s gaining broad adoption. For a server-based approach, authentication platforms apply a variety of security mechanisms to help ensure that data isn’t compromised.