From ‘security or convenience’ to ‘security and convenience’
Financial institutions have taken great strides over the course of decades to make banking more secure and convenient. The goal today is to let customers manage their money intuitively and on their terms, while keeping it safe from fraudsters, hackers, and other bad actors.
Going as far back as the earliest automatic teller systems (ATMs), security and convenience were often at odds. The pioneering ATM was envisioned by a printing engineer named John Shepherd-Barron, according to Smithsonian. He wanted to create a “cash vending machine” that would stay open when his bank was closed. Barclays was taken with the idea, and erected the world’s first ATM on June 1967 at a branch in Enfield, a suburb just outside of London.
Originally, Barclays used PINs to secure their ATMs. An early competitor used magnetic-stripe cards. Both revealed a big shortcoming: “there was no way to really ensure that the user of the token was actually the holder of the account,” Smithsonian wrote.
In 1968, only a year after release, proto-hackers from Sweden stole an authentication token and used it to withdraw large sums of money from various ATMs. This was a small taste of what was to come. Today, banking fraud costs financial institutions and their customers billions of dollars each year.
To mitigate these losses, banks, credit unions, and other financial services firms are shifting their focus away from traditional authentication (PINs, passwords, and magnetic stripes), and toward biometric technology. This is because fingerprint, face, and voice-recognition technologies are much better suited to greater security and convenience for the growing number of channels involved in modern banking—in-person, ATM, online, smartphone, over the phone, chatbot, etc.
In fact, a future in which biometrics supplant passwords, PINs, and even physical payment cards as a primary banking mechanism may not be very far off.
Security first: how biometrics are more secure than passwords, PINs, and payments cards
Biometrics have several distinct advantages over knowledge-based methods such as passwords and PINs, as well as possession-based tokens like traditional bank cards.
Hacker have used phishing scams to pilfer passwords and payment card data with astonishing success. Fake web pages and email messages claiming to be from legitimate financial institutions often trick users into unknowingly handing over sensitive information that can be used in banking fraud. Malware such as keyloggers (which track keystrokes), and trojans that can perform screen capture of online login pages are other common avenues for credential theft.
The massive volume of stolen credentials on the web in general throws fuel on the fire. Many hackers employ a tactic called credential stuffing, whereby they test stolen usernames and passwords on as many online services as possible. This tactic is successful for the sole reason that many of today’s users are inconvenienced by having to create long, complex passwords for every online account.
Even offline, fraudsters use inventive tactics to steal payment data. One scam involves posing as a driver for a rideshare service such as Uber and preying on non-vigilant customers. Scammers pretend to be a person’s driver and charge at the end of the trip with the excuse that the payment system is down, at which point they ask the rider to swipe his or her card, and to enter their PIN.
Skimming is another real-world scam that directly targets bank cards. Hackers will fit false readers over legitimate ATMs or point-of-sale devices that scrape data from a swiped card. These and other schemes underscore the weakness of passwords, as well as the vulnerability of plastic debit and credit cards in general.
But they also highlight the advantage of an authentication token that’s in plain sight. Unlike a string of text or a physical token, biometrics employ detailed physical attributes that are difficult to steal. The characteristics of a face or fingerprint must be presented at the time of a transaction in order to authorize it.
Most biometric modalities also employ liveness detection algorithms that distinguish between a real sample and a digital, printed, or otherwise recreated version of it. This is why, for example, images or videos pulled from social media cannot be used to unlock a facial recognition scan. Active liveness detection entails a prompt such as asking the user blink during a scan, while passive uses algorithms to identify indicators of a non-live sample.
Both methods are enhanced when a second modality, such as voice biometrics or keystroke dynamics, is added to the challenge. This combination of safeguards makes biometric authentication inherently more secure than passwords, PINs, and cards.
Consumers and financial institutions ultimately come out ahead with biometrics. Customers gain peace of mind in knowing that their account details can be kept safe, while banks and credit unions manage their risks more effectively and face fewer potential instances of reimbursement for lost and stolen funds.
Ease-of-use and availability: biometrics offer superior UX
Fingerprint scanning and facial recognition do not require users to remember information or carry a physical token. The steps involved in creating a biometric template are typically intuitive and highly secure, usually employing liveness detection to prevent using a non-live image as a template. Authenticating is even easier. Simple motions such as placing a thumb on a sensor or glancing into a camera can unlock access to banking apps. In the event that one modality cannot be used, for instance, a wet fingerprint sensor, another modality such as face or voice could be used in its place.
This convenience, paired with the availability of fingerprint sensing technology, HD cameras, microphones, and touchscreens on consumer devices, has made biometric authentication more common in recent years.
In 2013, the FIDO Alliance announced its specifications for device-based authentication, and began offering Biometric Component Certification. Financial institutions can now enable users to access their mobile banking app with a biometric authentication challenge.
Alternatively, many companies have opted for a server-centric approach to implementing biometrics across their online and mobile banking apps. This means that the biometric template is stored and processed centrally. Each biometric scan on a device sends the sample to a server to perform a one-to-one match.
Server and device-based authentication each have their pros and cons, but the point is that financial institutions have several deployment options available to them. Furthermore, the commercialization of SDKs, cloud-based matching engines, middleware, and other technologies involved in biometric implementation makes it easier than ever for organizations to leverage biometric authentication in their banking applications.
Biometrics can be used to authenticate banking customers consistently, conveniently, and securely across all channels including web, mobile, ATM, over the phone, web chat, in-person, digital assistants (like Alexa), and more.
Furthermore, the authentication method can vary based on user conditions. Voice recognition might be preferable during a phone call or when interacting with a digital personal assistant, while keystroke dynamics might be ideal for a web-chat session. Face and fingerprint, meanwhile, are well-suited for general login purposes on a laptop or mobile device.
Modern banking and financial services customers expect to be able to securely and conveniently access and control their funds through a channel of their choosing—biometrics make this possible. They also help financial institutions manage risk across multiple channels more effectively.
Besides directly authenticating a mobile app, some innovative examples of omnichannel biometric banking include:
Branch banking and in-store shopping
Biometric out-of-band authentication takes advantage of the ubiquity of smartphones with cameras, touchscreens, sensors, and microphones to give customers the ability to authorize account activity with their face or voice. For context, out-of-band authentication refers to the use of a secondary communication channel for authentication, such as receiving a message with a one-time passcode after attempting to log into an account.
Imagine that someone claiming to be you walks into a local branch and attempts to use forged documents and a stolen identity to make a withdrawal. If you have requested to receive an authentication challenge on your smartphone for all in-person banking activity, then you can help prevent cases of identity theft from leading to account compromise. This is a highly scalable and cost-effective way for financial institutions to implement biometric security at physical branches without having to install hardware at every counter.
Biometrics could ostensibly be used in the more distant future as a means of identity verification for financial institutions. Simply put, biometric enrollment at the time of opening an account would put a literal face or fingerprint to each customer. If an identity thief attempts to open an account under an existing customer’s name, a biometric search would reveal that their face or fingerprint does not match the existing template tied to the biographical records provided.
Biometric authentication also applies to using a debit or credit card for in-store shopping. Biometrics can authorize in-store purchases, either in conjunction with a payment card, or in the case of using an NFC-enabled digital wallet (Apple Pay, Google Pay), in conjunction with a smartphone in your possession.
ATM banking is another strong use case for biometric, mobile out-of-band authentication. Banking customers today can complete transfers, check their balance, and report a stolen card with a few swipes on a smartphone, regardless of location. But people still need ATMs to get cash, which means account withdrawals and other banking activities must be secure.
That’s why many financial institutions have enabled an intuitive form of multifactor authentication (MFA) known as cardless ATMs. Customers must log into their online banking account while at the kiosk, and then use their mobile device as a physical token by placing it up against an NFC reader.
Cardless ATMs reduce the risk that a lost or stolen card can be used for unauthorized withdrawals. But it’s far more secure and convenient if the initial login is performed using out-of-band biometric authentication like a face scan. It also means that a lost or stolen phone won’t be enough by itself to withdraw cash since the physical face or fingerprint is still needed to authenticate the transaction.
Other banks have begun testing biometric scanners directly on kiosks that use a server-centric architecture. For example, National Australia Bank (NAB) is collaborating with Microsoft to embed biometric authentication into ATMs, according to ZDNet. This method is also a highly secure form of banking authentication, but it’s far more expensive than simply using the existing infrastructure that is a smartphone in every customer’s pocket.
Online banking and customer support
Smartphones can also be used out-of-band to biometrically authenticate browser-based online banking. This allows users who do not have an HD camera or fingerprint sensor on their laptop or desktop computer to biometrically authenticate.
Biometrics are also useful for validating customer-support interactions. During a phone call, an agent can use voice recognition to verify the customer is who they claim to be, or issue an out-of-band biometric authentication challenge to that customer’s smartphone. The same applies for support over chat. A customer can perform a facial-recognition scan during the session to authorize activity; alternatively, keystroke analysis can be used throughout as a form of continuous authentication.
The same logic applies to e-commerce and making online purchases and payments. Touching a fingerprint sensor or looking into a camera to authorize a charge is highly secure, but still convenient enough not to degrade the “one-click” buying experience popularized by big retailers.
Biometric banking: no card, no password, no problem
Contrary to where we began—with security and convenience butting heads—biometrics actually make security more convenient.
Imagine completing a simple fingerprint or face scan with every purchase rather than presenting a card, swiping or inserting, and then authorizing it. Credit card theft at the point of sale would effectively become a non-issue. Pilfered financial and personal data could not be used for banking fraud in the absence of the rightful account holder.
Simply put, biometric authentication is the closest financial institutions have come to an authentication mechanism in which the customer is the password.
Sure, traditional PINs, passwords, and cards will have some role to play in the future of banking security, even in a cardless world, but it will be a supporting one.
Thanks to biometrics and mobile devices, the future of authentication in banking will be far more secure, and much more convenient.