Biometrics secure next generation of mobile banking apps
07 July, 2015
When USAA announced biometrics would soon be used for mobile logins, the company staked its claim as the first U.S. financial institution to offer face and voice recognition for authentication on a mobile app.
The banking and insurance company, which serves military members and their families, has 10.6 million stateside customers. All of them are expected to have access to biometric login capabilities in early 2015 on the company’s iOS and Android apps.
“The problem of account takeover is rampant because of identity theft, and the user ID/password is merely a speed bump in today’s sophisticated threat environment,” says Gary McAlum, USAA’s chief security officer. “Biometrics raises the level of security significantly beyond a user ID and password, but it doesn’t necessarily slow customers down. The login process is actually about the same if not faster.”
The face and voice biometrics are captured during enrollment using the customer’s own mobile device. For facial recognition, users look at the screen and blink when prompted. For voice recognition, users read a short phrase. The addition of biometrics extends the multi-factor authentication options, all of which work in conjunction with a security code generated by the app for each login. Users who try the biometric login and don’t like it can have their data purged from the system within 30 days.
“We’re tackling the same problem that every Internet-based organization is trying to tackle right now, which is how do you protect that first line of defense when you’ve got to authenticate who’s coming in the front door,” McAlum says. “If we have a really high confidence that we can authenticate you using a biometric – maybe you want to transfer money to an external account, maybe you want to conduct a wire transaction – we can pass that enhanced authentication along the line so we’re not going to slow you down later in the process.”
USAA’s customers weren’t eager to adopt two-factor authentication outside of biometrics. “Anything that slows them down is not naturally attractive to them even though it’s more secure than a user ID and password,” McAlum says. “So we took on the challenge to ask, ‘How can we leverage new technologies to raise the level of security but speed up the process?’ For us, operationalizing the biometric technology does that,” he explains.
USAA members who’ve embraced biometrics so far are choosing facial recognition over voice. The company also introduced a thumbprint option in May. “In today’s threat environment, we just don’t see the common password as viable for the long term,” McAlum adds.
Tangerine revolutionizes banking in Canada
As early as the year 2000, Tangerine (then ING Direct) was trying to develop a mouse that contained a fingerprint scanner. It worked, but it was a cumbersome user experience, explains Tangerine CIO Charaka Kithulegoda. “Depending on the operating system and other factors, getting it up and running wasn’t easy,” he says.
Last fall the Canadian financial services provider added fingerprint biometrics to its mobile banking app to complement username and password for logins. The bank’s nearly 2 million customers now have the option of using the fingerprint scanner on iPhones that have Touch ID as an additional factor of authentication.
Working with Massachusetts-based software provider Nuance Communications, Tangerine also became the first bank in Canada to offer a voice-controlled mobile app, with voice authentication expected to follow. Customers with devices running iOS 6 and above can now navigate account information using their voice. Users can check account balances, ask complex questions about expenditures and send instructions to transfer money or pay a bill.
“We’ve always believed that biometrics is a powerful authentication and verification mechanism,” Kithulegoda says. The company says it won’t dump usernames and passwords entirely until users are comfortable with the new technology.