Are you a technophile who likes signing in to your banking app with a fingerprint? Or does it make you cringe?
Get ready for more, because banks are now capturing not just fingerprints but scans of your voice, eye and face.
Biometrics provide a layer of security beyond passwords, which are looking increasingly feeble against sophisticated hackers. Consumers’ tendency to fall back on lazy ones — like “123456” and “password” — makes them even less effective. The financial industry is rushing to invest in security at a time when cybercrime costs the global economy an estimated $450 billion a year, according to the Center for Strategic and International Studies, a Washington, D.C., think tank.
If it hasn’t already, your bank may soon offer you the chance to use biometrics to protect your accounts. That could mean fingerprint authentication on banking apps, voiceprints for customer calls, facial recognition for verifying online purchases, or ATMs that scan your iris. Here is what's already available and what's on the horizon.
“Fingerprint ID was the No. 1 requested feature from mobile users before we introduced it,” says Betty Riess, a Bank of America spokeswoman. Since September, its customers have been able to save their fingerprints on iPhones, iPads or Android devices then use them to access their mobile accounts without pass codes.
Fingerprints are unique identifiers, but don’t be lulled into thinking they’re foolproof. There’s actually plenty of room for security breaches due to human behavior. Many smartphones let you store not just one but several fingerprints, in case you want to sign in with a different finger or let a family member or friend have access to your phone. But once someone else’s fingerprint can unlock your device, that person can also access your banking app.
Possibly the most annoying part of calling a bank is punching in your long account number or having to answer tedious security questions about your mother’s maiden name or the name of your first pet. While banks need to make sure you are you, verifying your identity is no one’s idea of fun.
What if your bank just recognized your voice? Several large banks are testing voice authentication. Citi said it had registered roughly 250,000 customers’ voiceprints by late last year. The process takes less than a minute to set up, the bank says. As soon as you start talking, your voice is matched against the stored data, comparing 130 characteristics of your vocal pattern within a few seconds. That sounds painless.
At the forefront of biometrics is USAA, which serves members of the military and their families; it was the first large institution to roll out three different biometrics — fingerprint, voice and facial recognition — to all customers. Those who opt in enroll through their phone or tablet. For example, for voice authentication, they train the system to recognize them by reading three sample phrases.
Since late 2014, over 1.4 million USAA customers have signed up for some form of biometric identification. “Single-factor logins (password only) represent about 10% of our logins from mobile devices,” says Wil Bennett, USAA assistant vice president of financial crimes analytics.
For face recognition, USAA customers use their smartphone cameras to record their faces, including a blink. The blink proves that the image is live, and not someone trying to trick the system with a photo.
USAA customers can use whichever biometric is more convenient for them at the moment. If you’re in a noisy restaurant, you might choose facial recognition or fingerprint, for example. If it’s dark, you could use voice.
Meanwhile, MasterCard is piloting “selfie-pay” — using a face scan to approve online purchases — in parts of the U.S. and the Netherlands. It will be rolled out in 14 countries this summer, the company has said. When making an online purchase with the MasterCard phone app, a pop-up asks whether you want to authorize the transaction with fingerprint or face recognition. If you choose to use your face, you look at your camera and blink once to prove you’re not a picture. The company says that it doesn’t store your actual picture, just a coded version of it.
ATMs with iris scanners
If a face scan sounds uncomfortably intimate, what about an eye scan?
When taking out cash, you won’t need a plastic card with a magnetic stripe — that’s a nearly 50-year-old technology, by the way — if you’re at a next-generation ATM with an iris scanner. Diebold and Citibank tested such an ATM in New York last fall. No two humans’ irises are alike, so a scan of the eye is a very accurate way to verify identity.
The prototype doesn’t have a number pad or a screen like a traditional ATM. To make a withdrawal, you first set up the transaction on your mobile app, entering the dollar amount. When you reach the ATM later, you place your eye near the iris scanner, which takes a quick video and matches it to the initial scan you previously registered with the system. If it’s a match, the machine dispenses the cash.
The company says the technology can’t be tricked with a picture or a video — or even a disembodied eyeball. “Iris-scanning technology is the second-most reliable biometric next to a DNA test and validates that the person ... is alive with the use of infrared light,” says Dave Kuchenski, a senior business development manager at Diebold. Diebold is currently planning additional pilots with other financial institutions.
Kuchenski says among consumers who tried it, most said they liked it, but “a small segment ... were hesitant to register their iris definition due to concerns about ‘big brother’ privacy.”
If biometrics become common at retail banks, it might become the new normal for customers to have to keep tabs on who has their fingerprints and other identifying features, just as they do with their Social Security and PINs now.