As data breaches, ransomware, and other cybercrimes heighten concerns about the security of doing business on the Internet, some banks are rolling out biometric methods of authentication, methods that rely on some unique physical characteristic of the customer, like a fingerprint.
Wells Fargo customers can now use a scan of the veins in their eye to log onto the mobile version of the bank’s Commercial Electronic Office portal, CEO Mobile. And Barclays is about to launch a device that uses finger vein technology to authenticate customers signing into its treasury portal on a laptop or desktop.
“We do think this is the way forward,” said Shameet Shah, head of digital client security for corporate banking at Barclays. “Within our space, security is paramount. You’re protecting clients’ accounts that have millions of dollars or pounds.”
Bank executives say biometric authentication methods avoid some of the problems that companies encounter with passwords, such as employees forgetting them or sharing them with others, or passwords being exposed by data breaches.
“Passwords and security questions are often compromised through malware or routine social engineering tactics,” Brooke Satti Charles, a financial crime prevention strategist at IBM Security, said in an email. “Add to that general password fatigue, where customers may use the same password in many places, and the potential for misuse escalates quickly.
“These and many other factors highlight a clear need to improve and implement easier, risk-based, unobtrusive user authentication,” Satti Charles wrote. “Physical biometrics and behavioral biometrics offer just this.”
Wells Fargo’s Eye Vein Technology
Wells Fargo traditionally has used multifactor authentication for corporate customers logging onto CEO Mobile. Customers would provide a company ID, user name, and password, and if they were doing a higher-risk transaction, like sending a wire, they would be asked for a second factor, a hard token, and a personal identification number, or PIN, associated with that token.
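The step-up flow described above (single factor for ordinary access, hard token plus PIN only for high-risk actions such as a wire) can be expressed as a small policy engine. The following Python is an added example, not Wells Fargo's code: the user record, the PBKDF2 password hashing, the HOTP (RFC 4226) token seed and the five-code look-ahead window are all assumptions made for the example, chosen because HOTP is what an event-based hard token typically computes.

```python
import hashlib
import hmac
import struct

SALT = b"constructed-salt"   # a real system uses a random per-user salt


def _kdf(secret: str) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", secret.encode(), SALT, 100_000)


# Constructed sample user record (all values illustrative).
USERS = {
    ("acme-corp", "jdoe"): {
        "password_hash": _kdf("correct horse battery"),
        "token_seed": b"0123456789abcdef0123",   # shared secret inside the hard token
        "token_counter": 0,                       # next counter the server expects
        "pin_hash": _kdf("4821"),
    }
}

# Actions that trigger the second factor, per the flow in the article.
HIGH_RISK = {"wire", "ach_batch"}


def hotp(seed: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: the code an event-based hard token shows for a counter value."""
    mac = hmac.new(seed, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def first_factor(company_id: str, user_name: str, password: str) -> bool:
    rec = USERS.get((company_id, user_name))
    if rec is None:
        _kdf(password)            # spend the same time so unknown users are not distinguishable
        return False
    return hmac.compare_digest(rec["password_hash"], _kdf(password))


def required_factors(action: str) -> set:
    return {"password", "token", "pin"} if action in HIGH_RISK else {"password"}


def authorize(company_id, user_name, password, action, token_code=None, pin=None):
    """Return (allowed, reason). Step-up is demanded only for high-risk actions."""
    if not first_factor(company_id, user_name, password):
        return False, "bad credentials"
    if required_factors(action) == {"password"}:
        return True, "single factor sufficient"
    rec = USERS[(company_id, user_name)]
    if pin is None or not hmac.compare_digest(rec["pin_hash"], _kdf(pin)):
        return False, "pin required"
    # Accept a code within a short look-ahead window (user may have pressed the
    # token without logging in), then advance past it so the same code cannot be replayed.
    start = rec["token_counter"]
    for counter in range(start, start + 5):
        if token_code is not None and hmac.compare_digest(hotp(rec["token_seed"], counter), token_code):
            rec["token_counter"] = counter + 1
            return True, "step-up satisfied"
    return False, "token code rejected"
```

Note that a wrong password is reported before anything else and a replayed token code is refused because the server counter has moved on; both are properties the article attributes to the hard-token flow.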
But a couple of years ago, the bank started questioning the use of passwords, said Secil Watson, head of digital solutions for business at Wells Fargo. It required customers to change their password every six months, but people were having a hard time remembering their passwords and were writing them down.
“The security of the password waned over time,” said Watson.
Wells Fargo amped up its back-end efforts to detect fraud and started looking into biometric authentication methods, “knowing that we want to get rid of the password in five years, and biometric is the only way for us to eradicate passwords completely,” she said.
The bank tested one vendor’s face-and-voice authentication method, which worked but wasn’t popular with users. “One thing customers told us was that voice in a self-service setting was less than ideal,” Watson said, noting that customers wanted to multitask but couldn’t use voice authentication while they were in noisy environments, like public transit, or sitting in a meeting.
Wells Fargo then partnered with a company that offers the eye vein technology and tested that method. The technology relies on the fact that each person has a unique pattern of veins in the white of the eye. During enrollment, the app records video of the customer and creates a template of the veins in his or her eye. “Every time the customer comes back to log on to CEO Mobile, we are able to validate them against a template we’ve created when they’ve enrolled,” Watson said.
The eye vein method is “both secure and resonates with customers in terms of how convenient it is,” Watson said.
Wells Fargo plans to roll it out late this year to customers with Apple iPhones and then to those with Android phones. Meanwhile, it will continue testing biometric approaches to authentication, in part because no one method will work for all customers, Watson said. “If you’re sight-impaired, you won’t be able to position your phone to be sure it can see your eye,” she noted.
“We’re not saying to customers ‘You can no longer use a password and an ID’; we’re still making it a choice,” Watson said. “Right now, there’s just one biometric, and it may not work for everyone.”
She said the eye vein method is definitely more secure than passwords. “It is really hard to steal somebody’s eye vein,” Watson said. “It’s much easier to steal a password, as we’ve seen over and over.”
The method relies not only on the customer’s physical presence, but also on the customer’s possession of the mobile phone the eye vein scan is linked to. “We’re really using the phone as something you have, just as we do in the case of a hard token,” she said. If users lose their phones, they have to re-enroll.
Watson said the bank’s investment in biometrics will pay off by reducing password calls to its call center and making it faster for customers to log on, which will improve the customer experience.
The eye vein method won’t work on desktops or laptops, but she suggested Wells Fargo might eventually use customers’ mobile phones, equipped with a biometric authentication method, as a way to log onto their desktops or laptops.
Barclays’ Finger Vein Scanner
Shah said Barclays started its search for a biometric authentication method by considering its corporate customers. While some might log into the treasury portal just once a day, some users log in and approve 20 to 100 transactions every day, he said. “They don’t want to be putting their face in front of a scanner every time they’re doing that.” Shah noted that it takes only one or two seconds to use the finger vein scanner to log in or approve a payment.
London-based Barclays partnered with Japan’s Hitachi, which owns the technology, to develop the scanner, which relies on each person’s unique pattern of finger veins. Shah noted that finger vein technology is widely used in Japan and surrounding countries.
Users get a scanner and a SIM card to go in it. They register two fingers with the device by scanning each finger a few times. The device, which uses near-infrared light to take images of the veins, then consolidates the images of each finger. When users want to log in, they insert a finger in the device, which checks it against the stored vein pattern. (Users register two fingers in case one is injured.) To approve a transaction, like a payment, they insert a finger again.
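Both deployments described above combine a biometric with possession of a specific device: Wells Fargo treats the phone as "something you have" and makes users re-enroll when it is lost, and Barclays consolidates several scans of each of two fingers into a template on an issued scanner. The Python below is an added example, not the banks' or Hitachi's code. It models a vein pattern as a 256-bit vector, consolidates scans by per-bit majority vote, matches with a normalised Hamming distance, and ties every verification to an HMAC proof from the enrolled device; the template size, the 20% acceptance threshold and the noise model are assumptions of the example.

```python
import hashlib
import hmac
import random

# Toy parameters (assumptions for this example, not any vendor's real values).
TEMPLATE_BITS = 256       # a vein pattern is modelled as a 256-bit vector
MATCH_THRESHOLD = 0.20    # accept if at most 20% of bits differ from the template


def consolidate(samples):
    """Merge several scans of one finger/eye into a template by per-bit majority vote."""
    n = len(samples)
    return [1 if sum(s[i] for s in samples) * 2 > n else 0 for i in range(len(samples[0]))]


def distance(a, b):
    """Fraction of differing bits (normalised Hamming distance)."""
    return sum(x != y for x, y in zip(a, b)) / len(a)


class BiometricAuth:
    """Bank-side store: biometric templates plus the device each user is bound to."""

    def __init__(self):
        self.templates = {}   # user -> {label: template}
        self.devices = {}     # user -> {device_id: device_key}

    def enroll(self, user, device_id, device_key, scans_by_label):
        self.devices[user] = {device_id: device_key}
        self.templates[user] = {label: consolidate(scans) for label, scans in scans_by_label.items()}

    def verify(self, user, device_id, challenge, response, sample):
        # Something you have: the device proves it holds the key issued at enrollment.
        key = self.devices.get(user, {}).get(device_id)
        if key is None:
            return False, "device not enrolled"
        expected = hmac.new(key, challenge, hashlib.sha256).digest()
        if not hmac.compare_digest(expected, response):
            return False, "bad device proof"
        # Something you are: a fresh scan must be close to one of the enrolled templates
        # (two fingers are enrolled so an injured one does not lock the user out).
        best = min(distance(sample, t) for t in self.templates[user].values())
        if best > MATCH_THRESHOLD:
            return False, f"biometric mismatch ({best:.2f})"
        return True, f"match ({best:.2f})"

    def device_lost(self, user):
        """Revoke the device binding and templates; the user must enroll again."""
        self.devices.pop(user, None)
        self.templates.pop(user, None)


# Constructed sample data: deterministic pseudo-random "true" patterns and noisy scans of them.
def true_pattern(seed):
    rng = random.Random(seed)
    return [rng.randint(0, 1) for _ in range(TEMPLATE_BITS)]


def scan(pattern, noise, seed):
    """Simulate a scan: each bit of the true pattern flips with probability `noise`."""
    rng = random.Random(seed)
    return [b ^ (1 if rng.random() < noise else 0) for b in pattern]


def demo():
    bank = BiometricAuth()
    device_key = b"constructed-device-key"
    index, middle = true_pattern("alice-index"), true_pattern("alice-middle")
    bank.enroll("alice", "scanner-001", device_key, {
        "index": [scan(index, 0.05, s) for s in (1, 2, 3)],
        "middle": [scan(middle, 0.05, s) for s in (4, 5, 6)],
    })
    challenge = b"nonce-from-bank"
    proof = hmac.new(device_key, challenge, hashlib.sha256).digest()
    results = {
        "genuine": bank.verify("alice", "scanner-001", challenge, proof, scan(middle, 0.05, 99)),
        "impostor": bank.verify("alice", "scanner-001", challenge, proof, scan(true_pattern("mallory"), 0.05, 7)),
        "wrong_device": bank.verify("alice", "scanner-002", challenge, proof, scan(index, 0.05, 8)),
    }
    bank.device_lost("alice")
    results["after_loss"] = bank.verify("alice", "scanner-001", challenge, proof, scan(index, 0.05, 9))
    return results
```

The four cases in `demo()` show the two factors working together: the genuine finger on the enrolled scanner passes, someone else's finger on the same (stolen) scanner fails on the biometric, the right finger on an unenrolled scanner fails on possession, and after the device is reported lost nothing is accepted until re-enrollment.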
“We’ve coupled very high technology along with increased usability,” Shah said.
The fact that customers don’t use a password or PIN improves security because users can’t share passwords and hackers can’t steal them. And while people forget passwords, “the user’s not going to forget their finger,” he said, adding that “biometrics is definitely more secure than things like hard tokens.”
Barclays has been doing a “controlled rollout” of the finger vein scanners to 400 corporate customers. The response has been positive, Shah said, and starting next Monday, the bank is going to offer the devices to all 35,000 of its corporate clients.
He said, though, that no single method of protection is enough. “You need several defenses when clients are banking online,” Shah said, and cited the multiple layers of security Barclays employs around online transactions, including client education, biometric authentication, the bank’s efforts to detect attacks and malware, and its monitoring for suspicious transactions and ability to put such transactions on hold.
He added that Barclays is working with Hitachi to develop a version of the finger vein reader “that is smaller and more portable and has more security attached,” so that it could be used to log onto a mobile app.
Hard Tokens Still Dominate
A recent survey of U.S. financial institutions from Aite Group shows that Wells Fargo and Barclays are ahead of the curve in their use of biometrics.
When it comes to logging onto treasury portals, more than three-quarters (78%) of the 18 financial institutions surveyed by Aite Group employ multifactor authentication using hard tokens that generate a one-time passcode, while 33% use a phone call providing a one-time passcode. Another 33% use a soft token, a device that generates a one-time passcode like a hard token, but resides on a mobile phone or PC. Just 6% use fingerprints.
But more than half (56%) of the banks said that in the next two years, they plan to add authentication methods for their online treasury management channel.
Linda Coven, a senior analyst at Aite Group, said desktops and laptops “don’t particularly lend themselves to biometrics.” Banks that are considering adding an authentication method for desktops and laptops tend to be adding a soft token, she said. “Rather than having their customer having to carry around 15 of these hard tokens, they’ll use a soft token on a mobile device.”
Coven noted, though, that banks often get pushback from customers when it comes to soft tokens. “Some of them really do like being able to control who in their organization gets the token, and they can do that much more readily with a hard token,” she said.
Biometric methods are more likely to come into play with mobile banking channels, she said. “You can do fingerprint or facial recognition, even iris band—but it’s going to be slower to be adopted because quite frankly the use of mobile for high-risk transactions in the corporate world has been slow to be adopted.”
While tests suggest biometric methods provide adequate security, “it’s not perfect; nothing is,” Coven said.
But she noted that banks are using additional methods to identify customers logging in beyond the initial multifactor authentication. “They may be looking at biometrics like your cadence on the keyboard or the way you look at the system on a regular basis,” she said.
“The only way really to be sure is to have this layered approach,” Coven said. “You can get in the first gate, but when you’re in the first gate, there are other things behind the scene that are validating things, looking at data you have stored to see if what you’re doing seems to be what you’d normally do.”
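The "second gate" Coven describes, behavioral signals such as keyboard cadence compared against what the user normally does, is essentially a risk score computed after login. The Python below is an added example, not Aite Group's, Barclays' or any bank's engine: the transaction history, the weights, the three-sigma thresholds and the hold cutoff are constructed assumptions. It builds a per-user baseline from past approved payments and holds a new payment when several signals deviate at once, while a single unusual signal (a new beneficiary at a normal amount) is still allowed.

```python
from statistics import mean, pstdev

# Constructed history for one corporate user: past approved payments and the
# typing cadence (mean milliseconds between keystrokes) observed in those sessions.
HISTORY = [
    {"amount": 12000, "hour": 10, "beneficiary": "supplier-a", "cadence_ms": 180},
    {"amount": 9500,  "hour": 11, "beneficiary": "supplier-b", "cadence_ms": 175},
    {"amount": 11000, "hour": 9,  "beneficiary": "payroll",    "cadence_ms": 190},
    {"amount": 10500, "hour": 14, "beneficiary": "supplier-a", "cadence_ms": 185},
    {"amount": 13000, "hour": 10, "beneficiary": "supplier-b", "cadence_ms": 178},
    {"amount": 9800,  "hour": 15, "beneficiary": "payroll",    "cadence_ms": 182},
]


def build_baseline(history):
    """Summarise what 'normal' looks like for this user."""
    amounts = [h["amount"] for h in history]
    cadences = [h["cadence_ms"] for h in history]
    return {
        "amount_mu": mean(amounts), "amount_sd": pstdev(amounts),
        "cadence_mu": mean(cadences), "cadence_sd": pstdev(cadences),
        "hours": {h["hour"] for h in history},
        "beneficiaries": {h["beneficiary"] for h in history},
    }


def zscore(x, mu, sd):
    return 0.0 if sd == 0 else abs(x - mu) / sd


# Weights are illustrative assumptions; a real engine tunes them on fraud outcomes.
def risk_score(event, base):
    score, reasons = 0, []
    if zscore(event["amount"], base["amount_mu"], base["amount_sd"]) > 3:
        score += 3
        reasons.append("amount far outside usual range")
    if event["beneficiary"] not in base["beneficiaries"]:
        score += 2
        reasons.append("first payment to this beneficiary")
    if event["hour"] not in base["hours"]:
        score += 1
        reasons.append("unusual hour")
    if zscore(event["cadence_ms"], base["cadence_mu"], base["cadence_sd"]) > 3:
        score += 2
        reasons.append("keystroke cadence does not match this user")
    return score, reasons


def decide(event, base, hold_at=3):
    """Second gate after login: allow the payment, or hold it for review."""
    score, reasons = risk_score(event, base)
    return ("hold" if score >= hold_at else "allow"), score, reasons


if __name__ == "__main__":
    base = build_baseline(HISTORY)
    routine = {"amount": 11500, "hour": 11, "beneficiary": "supplier-b", "cadence_ms": 183}
    odd = {"amount": 250000, "hour": 3, "beneficiary": "new-offshore-acct", "cadence_ms": 95}
    for e in (routine, odd):
        print(decide(e, base))
```

Because the score is additive, the decision reflects the whole picture of a session rather than any one check, which is the point of the layered approach: a legitimate user occasionally pays a new vendor, but a large payment to a new beneficiary at 3 a.m. typed at a stranger's cadence is what the hold exists for.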