Has password fatigue already set in? Is Biometrics the answer to this problem?
Banking services today have come a long way from say 25 years back, when visiting branches were the only way for customers to access their monies, or make any financial transactions. In the digital world today, the average banking customer has never visited the branch for day-to-day financial transactions. One can access his/her banking account/s via multiple digital touch points like web, mobile, ATMs, etc., which in turn has made life much more comfortable.
But with consumers turning to digital for almost every product or service, all the way from banking transactions, making investments, paying utility bills to something as basic as purchasing daily essentials, the number of passwords that one has to remember to access all these portals becomes a nightmare. The consumers end up with something called “password fatigue”, due to which they prefer using the same passwords over and over again thereby increasing the vulnerability of their accounts to cyber criminals. A study by Telesign says that about 54% of customers use five or fewer passwords across their entire online life, while 22 percent use just three or fewer. Almost 47% of customers rely on a password that has not been changed for five years!!” Certain customers have also been found to write down passwords, which all amounts to compromise on security.
But all said and done, one cannot expect consumers to maintain unique complex passwords for each of their online account, and remember them as well. At a time when it is being predicted that every person will have at least 200 online accounts by 2020, which means to say that if password security requirements are to be followed diligently, every customer should be remembering 200 unique passwords which is humanly impossible, unless one has the brains of a supercomputer!! Specifically talking about financial transactions, which are more susceptible to frauds and syphoning of funds, the password security requirements tend to be more stringent, in order to ward off any unwanted nightmares for the customers and banks alike. With the increasing processing power of computers today, password hacking has become easier, and when coupled with social media, finding vital personal information of an individual is not that difficult anymore. An article by Deloitte University press has compiled beautifully, as to why passwords have been problematic:
Biometrics – a suitable alternative for cumbersome passwords
Biometrics technology has come in as a welcome password alternative for banks grappling with the issue of simplifying customer experience while still ensuring security of their customer data and funds. The technology is seeing a slow yet steady adoption rate for authenticating customer identity before one can access any of their secure financial accounts.
The main idea behind biometric authentication is that certain intrinsic characters are very unique to any individual, easier to use and fairly difficult to replicate, thereby can be a strong alternative against cumbersome passwords. Biometric samples includes a wide range, all the way from DNA, fingerprints, vein patterns, iris, voice, facial expressions, gesture patterns and speed.
According to the Gartner Hype Cycle for Digital Banking Transformation 2016 biometric mobile banking authentication is maturing quickly as a mainstream customer-facing technology, and will bring in a significant shift in the way banks interact with their customers. The increased adoption of fingerprint-based authentication, for example in Apple Pay, Samsung Pay and Android Pay, the voice-based artificial intelligence by Apple’s SIRI, and many such innovations have encouraged banks to adopt this technology into customer authentication. A lot of leading banks have already implemented and made significant headway with biometric authentication for their customers. Bank of America, Wells Fargo and JP Morgan Chase, for example, use the fingerprint scanner to authenticate customers logging in to their mobile banking apps. Whereas, RBS and NatWest were the first banks in the UK to offer their customers with the option to login to their mobile banking app using fingerprint scanning.
While the fingerprint scanning as a biometric authentication method has been the most widely used form, questions have been raised about the possibilities of cyber criminals getting access to the fingerprint samples of the customers. There have been cases where professional hackers have managed to break through fingerprint authentication modes, like German hacker Starbug aka Jan Krissler, who hacked the Apple’s touch ID, roughly after a day post its launch.
Many banks are therefore exploring other modes of biometric authentication as well as 2-factor authentication methods. Barclays, for example, has leveraged Hitachi’s Vein ID technology to secure and simplify authentication for its corporate customers. The Vein ID technology is based on the fact that vein patterns (sclera) are unique to an individual and can be authenticated by placing a finger on a desktop scanner that reads the vein patterns. This technology has also been adopted by ATM’s across Japan and Poland. Wells Fargo has released the iris scan authentication using mobile for some of its corporate customers. The bank is also working with EyeVerify, to develop an authentication around scanning the eyes of the customer for a map of the veins on the white of the eye. Citibank received two Gartner Financial Services Cool Business Awards in 2015 for its agent-based voice biometrics authentication project. USAA, which pioneered the facial recognition technology in the year 2015, authenticates customers through their facial contours; and also offers voice and fingerprint recognition options. USAA further adds a second-level check with device recognition – i.e., biometric authentications are accepted only if entered from a device registered with the bank.
Banks are further building up the security factor by extending the 2-factor authentication beyond biometrics, to ensure trustworthiness of a transaction. For example, they are also leveraging artificial intelligence to keep track of parameters like habitual geolocations of the customers logging in, so that there is an extra check performed against forged entry attempts. Some of them are also using gesture patterns as passwords for second-level authentication, for example, the speed at which a particular customer blinks his/her eyes.
Gartner strongly recommends using multimodal biometric method to improve either accessibility or trust and accountability; and predicts that by end of 2019, “80% of organizations using biometric methods will use some combination of face, voice and passive behavioral modes, in preference to fingerprint, up from less than 5% today”. The potential of biometric authentication methods, though, other than fingerprint scanning, have not been fully realized yet, more so because of the dependence on other parameters for them to be implemented successfully. For example, the iris scan and facial recognition authentication methods require infrared cameras on the devices, which might not be necessarily embedded in the existing devices. They now come integrated within the endpoint devices, but a larger widespread adoption might require a hardware refresh at a significant scale.
All said and done, biometric authentication for banking is here to stay, and banks that do not get on the bandwagon may run a high risk of being perceived as laggards. Leaders who have implemented it already, are already impressing their customers with the ease with which they can access banking services, yet not be scared about security of their personal information. For example, since USAA began offering biometric authentication early last year, more than 1.7 million customers have been accessing their accounts using either their fingerprints, voices or facial scans.
If not already implemented, the time is now. It is a wakeup call!!