Abolish the password? Card issuers are working on that

Fingerprint, voice, iris and multifactor identification are being rolled out

By  |  Published: July 18, 2017

Susan Johnston Taylor
Personal Finance Writer
Writes about credit card technology and savvy card use

Banks, credit card issuers move to abolish the password

Fingerprints, voice recognition, iris scans and selfies – these are just some of the ways banks and card issuers are increasing account security beyond the age-old password.

In fact, a handful of banks aim to phase out passwords altogether over the next few years with the help of biometric authentication. In 2004, Bill Gates predicted that passwords would be replaced by other technology. In 2017, that appears to be starting to happen.

With identification tools like these, who needs passwords?

 

Video: Digital fingerprints can be hacked, too

Fingerprint identification
Bank of America and Wells Fargo are among a growing number of U.S. banks using fingerprint verification, and in April 2017, Mastercard unveiled a credit card with fingerprint authentication that it’s been testing at stores in South Africa.

Wells Fargo introduced Touch ID for its iOS mobile banking app about a year ago and began rolling out fingerprint sign-in for Android this spring. Bank of America has offered fingerprint sign-in for mobile banking customers on iOS and Android since 2015.

Both banks say about a third of mobile banking customers have enabled fingerprint identification, which may be attributed at least in part to the fact that many smartphone users are already comfortable using a touch to unlock their phone.

In the Mastercard fingerprint authentication test, which follows a rollout in Europe of selfies for cardholder identification, a cardholder’s fingerprint is converted to an encrypted digital template that’s stored on the card.

How it works: When paying in stores, a customer with a biometric card places his or her finger on the embedded sensor. The fingerprint is compared to the template. If the biometrics match, the cardholder’s purchase is authenticated.

For customers, the card never leaves his or her hand, and a future version of the Mastercard will include contactless technology to speed checkout. For issuers, Mastercard says the technology helps detect and prevent fraud and reduces operational costs (the biometric card works with existing EMV card terminals).

Voice verification
At Wells Fargo, in addition to fingerprints, voice verification helps to streamline calls to customer service.

“Every meaningful customer interaction starts with authentication,” says Adam Vancini, head of operations for Wells Fargo virtual channels. “The core things we focus on is making it simple for the customer and secure for the customer.” (Bank of America has done voice biometrics pilots.)

“Over the next couple of years, we will also allow customers to self-select something other than password authorization for their login.”

Voice verification (in which a customer says “My voice is my password; please verify me”) not only prevents criminals from impersonating bank customers, but it also helps customers get the answers they need more quickly.

Voice verification is not foolproof, though. In May, a BBC reporter and his twin managed to fool HSBC’s Voice ID authentication service. It took eight attempts by the reporter to mimic his brother’s voice to pass the security check, though. Once he passed the voice test, the reporter was able to review recent transactions, check his brother’s balance and move money between accounts.

Security experts say any biometric system can be hacked, but fingerprints, voice prints, iris scans and other personal characteristics are harder to crack than a password.

Eyeprints
Another recent development at Wells Fargo: eye prints to authenticate commercial banking customers on the mobile app. Using Eyeprint ID software, the camera phone takes an image of the user’s eye, converts veins and other details into digital code and matches it against the code on file.

“We’re waiting to see how the adoption of that works and how comfortable customers get with that,” Vancini says.

The end of the password?
Using a variety of methods, Wells Fargo has an “aspirational goal of eradicating passwords” and personal details like one’s Social Security number or debit card number or account number to access accounts, Vancini says.

U.S. Bank has a similar goal of 86-ing the password. Over the next few years, its online banking and mobile customers will get higher-tech options for verification.

“We will have a customer control panel in mobile banking this year that will allow customers to choose something other than challenge questions as their step-up authentication,” Jason Witty, chief information security officer at the bank, said in an emailed statement.

“We found this is a secure way, probably even more than a password, to gain access to your accounts because of your fingerprint being unique to you. It’s not something someone can phish.”

“Over the next couple of years, we will also allow them to self-select something other than password authorization for their login,” He said. Facial recognition is one option U.S. Bank is exploring.

It’s no surprise bank customers want to ditch the password. A 2016 survey by Gigya found that more than half (52 percent) of the 4,000 consumers surveyed in the U.S. and U.K. would choose anything but the typical username and password for account registration if presented with other options.

Bank of America’s Hari Gopalkrishnan, managing director, client facing platforms technology, says the use of fingerprint verification grew out of customer requests for a fast, frictionless way to check their balances or make payments on the app.

“Customers no longer want to come to our website once a month,” he says. “They want to check 10, 15 times a day.”

Then as customers transition from the mobile app to calling customer support, “we authenticate you seamlessly,” Gopalkrishnan adds. “The first question isn’t ‘who are you and what’s your mother’s maiden name?’”

In addition to verifying customers’ identities through fingerprint scans, Gopalkrishnan says the bank also has technology working on the back-end to understand who is holding the device, if it might be stolen or jailbroken or if the app identifies a login from a new place. 

 

Video: Payment biometrics go beyond mobile fingerprint scanners

Two-factor and multi-factor authentication
The rollout of biometrics by banks and card issuers ties into a broader push toward two-factor authentication or multi-factor authentication, which requires two items such as a piece of knowledge (a password or PIN), a physical object such as a credit card or unique identifier such as an iris scan or fingerprint. In other words, something you know, something you have or something you are.

In New York state, new cybersecurity laws that went into effect March 1, 2017, require banks, insurance companies and other financial institutions that are regulated by the New York Department of Financial Services use multi-factor authentication to guard against unauthorized access.

Quontic Bank, which operates in Florida, Indiana, Virginia and New York, is implementing fingerprint identification for users of its iOS banking app. The bank began working on this transition last August, long before the New York state cybersecurity regulation took effect.

“We found this is a secure way, probably even more than a password, to gain access to your accounts because of your fingerprint being unique to you,” says Drew Sandholm, marketing director for Quontic Bank. “It’s not something someone can phish. We’re really excited about the possibility of getting into biometric identification via your retina.”

Exciting indeed. The biometrics identification possibilities – the James Bond-esque tools and devices that Bill Gates predicted would be the death of the password over a decade ago – are becoming the norm at big banks, and even smaller ones like Quontic.

For banks and credit card issuers, the challenge, as they roll out new biometrics features, is ensuring customer convenience and security. “Security always wins, but we think we can do a good job of balancing the two,” says Bank of America’s Gopalkrishnan.

See related: Credit card companies may be analyzing your voiceIf we go to biometric IDs, will hackers try to steal your face?


Join the discussion
We encourage an active and insightful conversation among our users. Please help us keep our community civil and respectful. For your safety, do not disclose confidential or personal information such as bank account numbers or social security numbers. Anything you post may be disclosed, published, transmitted or reused.

If you are commenting using a Facebook account, your profile information may be displayed with your comment depending on your privacy settings. By leaving the 'Post to Facebook' box selected, your comment will be published to your Facebook profile in addition to the space below.

The editorial content on CreditCards.com is not sponsored by any bank or credit card issuer. The journalists in the editorial department are separate from the company's business operations. The comments posted below are not provided, reviewed or approved by any company mentioned in our editorial content. Additionally, any companies mentioned in the content do not assume responsibility to ensure that all posts and/or questions are answered.




Updated: 10-24-2017

Weekly newsletter
Get the latest news, advice, articles and tips delivered to your inbox. It's FREE.


ADVERTISEMENT