As data breaches, ransomware, and other cybercrimes heighten concerns about the security of doing business on the Internet, some banks are rolling out biometric methods of authentication, methods that rely on some unique physical characteristic of the customer, like a fingerprint.

Wells Fargo customers can now use a scan of the veins in their eye to log onto the mobile version of the bank's Commercial Electronic Office portal, CEO Mobile. And Barclays is about to launch a device that uses finger vein technology to authenticate customers signing into its treasury portal on a laptop or desktop.

“We do think this is the way forward,” said Shameet Shah, head of digital client security for corporate banking at Barclays. “Within our space, security is paramount. You're protecting clients' accounts that have millions of dollars or pounds.”

Bank executives say biometric authentication methods avoid some of the problems that companies encounter with passwords, such as employees forgetting them or sharing them with others, or passwords being exposed by data breaches.

“Passwords and security questions are often compromised through malware or routine social engineering tactics,” Brooke Satti Charles, a financial crime prevention strategist at IBM Security, said in an email. “Add to that general password fatigue, where customers may use the same password in many places, and the potential for misuse escalates quickly.

“These and many other factors highlight a clear need to improve and implement easier, risk-based, unobtrusive user authentication,” Satti Charles wrote. “Physical biometrics and behavioral biometrics offer just this.”

Wells Fargo's Eye Vein Technology

Wells Fargo traditionally has used multifactor authentication for corporate customers logging onto CEO Mobile. Customers would provide a company ID, user name, and password, and if they were doing a higher-risk transaction, like sending a wire, they would be asked for a second factor, a hard token, and a personal identification number, or PIN, associated with that token.

But a couple of years ago, the bank started questioning the use of passwords, said Secil Watson, head of digital solutions for business at Wells Fargo. It required customers to change their password every six months, but people were having a hard time remembering their passwords and were writing them down.

“The security of the password waned over time,” said Watson, pictured at right.

Wells Fargo amped up its back-end efforts to detect fraud and started looking into biometric authentication methods, “knowing that we want to get rid of the password in five years, and biometric is the only way for us to eradicate passwords completely,” she said.

The bank tested one vendor's face-and-voice authentication method, which worked but wasn't popular with users. “One thing customers told us was that voice in a self-service setting was less than ideal,” Watson said, noting that customers wanted to multitask but couldn't use the voice authentication while they were in noisy environments, like public transit, or sitting in a meeting.

Wells Fargo then partnered with a company that offers the eye vein technology and tested that method. The technology relies on the fact that each person has a unique pattern of veins in the white of the eye. During enrollment, the app videos the customer and creates a template of the veins in his or her eye. “Every time the customer comes back to log on to CEO Mobile, we are able to validate them against a template we've created when they've enrolled,” Watson said.

The eye vein method is “both secure and resonates with customers in terms of how convenient it is,” Watson said.

Wells Fargo plans to roll it out late this year to customers with Apple iPhones and then to those with Android phones. Meanwhile, it will continue testing biometric approaches to authentication, in part because no one method will work for all customers, Watson said. “If you're sight-impaired, you won't be able to position your phone to be sure it can see your eye,” she noted.

“We're not saying to customers 'You can no longer use a password and an ID'; we're still making it a choice,” Watson said. “Right now, there's just one biometric, and it may not work for everyone.”

She said the eye vein method is definitely more secure than passwords. “It is really hard to steal somebody's eye vein,” Watson said. “It's much easier to steal a password, as we've seen over and over.”

The method relies not only on the customer's physical presence, but also on the customer's possession of the mobile phone the eye vein scan is linked to. “We're really using the phone as something you have, just as we do in the case of a hard token,” she said. If users lose their phones, they have to re-enroll.

Watson said the bank's investment in biometrics will pay off by reducing password calls to its call center and making it faster for customers to log on, which will improve the customer experience.

The eye vein method won't work on desktops or laptops, but she suggested Wells Fargo might eventually use customers' mobile phones, equipped with a biometric authentication method, as a way to log onto their desktops or laptops.

Barclays' Finger Vein Scanner

Shah said Barclays started its search for a biometric authentication method by considering its corporate customers. While some might log into the treasury portal just once a day, some users log in and approve 20 to 100 transactions every day, he said. “They don't want to be putting their face in front of a scanner every time they're doing that.” Shah noted that it takes only one or two seconds to use the finger vein scanner to log in or approve a payment.

London-based Barclays partnered with Japan's Hitachi, which owns the technology, to develop the scanner, which relies on each person's unique pattern of finger veins. Shah noted that finger vein technology is widely used in Japan and surrounding countries.

Users get a scanner (see photo) and a SIM card to go in it. They register two fingers with the device by scanning each finger a few times. The device, which uses near-infrared light to take images of the veins, then consolidates the images of each finger. When users want to log in, they insert a finger in the device, which checks it against the vein card it has stored. (Users register two fingers in case one is injured.) To approve a transaction, like a payment, they insert a finger again.

“We've coupled very high technology along with increased usability,” Shah said.

The fact that customers don't use a password or PIN improves security because users can't share passwords and hackers can't steal them. And while people forget passwords, “the user's not going to forget their finger,” he said, adding that “biometrics is definitely more secure than things like hard tokens.”

Barclays has been doing a “controlled rollout” of the finger vein scanners to 400 corporate customers. The response has been positive, Shah said, and starting next Monday, the bank is going to offer the devices to all 35,000 of its corporate clients.

He said, though, that no single method of protection is enough. “You need several defenses when clients are banking online,” Shah said, and cited multiple layers of security Barclays employs around online transactions, ranging from client education and biometric authentication to the bank's efforts to detect attacks and malware, its monitoring for suspicious transactions, and its ability to put such transactions on hold.

He added that Barclays is working with Hitachi to develop a version of the finger vein reader “that is smaller and more portable and has more security attached,” so that it could be used to log onto a mobile app.

Hard Tokens Still Dominate

A recent survey of U.S. financial institutions from Aite Group shows that Wells Fargo and Barclays are ahead of the curve in their use of biometrics.

When it comes to logging onto treasury portals, more than three-quarters (78%) of the 18 financial institutions surveyed by Aite Group employ multifactor authentication using hard tokens that generate a one-time passcode, while 33% use a phone call providing a one-time passcode. Another 33% use a soft token, a device that generates a one-time passcode like a hard token, but resides on a mobile phone or PC. Just 6% use fingerprints.

But more than half (56%) of the banks said that in the next two years, they plan to add authentication methods for their online treasury management channel.

Linda Coven, a senior analyst at Aite Group, said desktops and laptops “don't particularly lend themselves to biometrics.” Banks that are considering adding an authentication method for desktops and laptops tend to be adding a soft token, she said. “Rather than having their customer having to carry around 15 of these hard tokens, they'll use a soft token on a mobile device.”

Coven noted, though, that banks often get pushback from customers when it comes to soft tokens. “Some of them really do like being able to control who in their organization gets the token, and they can do that much more readily with a hard token,” she said.

Biometric methods are more likely to come into play with mobile banking channels, she said. “You can do fingerprint or facial recognition, even iris band—but it's going to be slower to be adopted because quite frankly the use of mobile for high-risk transactions in the corporate world has been slow to be adopted.”

While tests suggest biometric methods provide adequate security, “it's not perfect; nothing is,” Coven said.

But she noted that banks are using additional methods to identify customers logging in beyond the initial multifactor authentication. “They may be looking at biometrics like your cadence on the keyboard or the way you look at the system on a regular basis,” she said.

“The only way really to be sure is to have this layered approach,” Coven said. “You can get in the first gate, but when you're in the first gate, there are other things behind the scene that are validating things, looking at data you have stored to see if what you're doing seems to be what you'd normally do.”
