It’s been two months since USAA became the first U.S. financial institution to offer facial and voice recognition security on a mobile app to its millions of online accountholders.
The app exploits capabilities of the iPhone and Android, reaches out to a selfie-obsessed generation of younger customers, and takes the pressure off thumbs fumbling on keypads everywhere.
There’s definitely a cool factor involved. However, the fundamental goal behind USAA’s new app is protecting members’ assets and identities, according to Gary McAlum, chief security officer at USAA.
To me and many security professionals, the traditional user ID and password are increasingly becoming obsolete, McAlum says. We’re getting to the point where that first line of security is not very secure.
Growing Cybersecurity Threats
As cybersecurity threats grow, McAlum adds, online companies of all kinds will be compelled to offer customers new options based on biometric characteristics including facial features, voice patterns, and fingerprints.
All you have to do is look at the Internet environment today, McAlum says. With hackers, criminals, and all of the sophisticated threats out there, it’s not too hard to gain access to an account with a weak password. You use a weak password in one account, it gets compromised, and hackers say, ‘maybe this will work somewhere else.’
Phishing is a problem, McAlum continues. Oftentimes, consumers on the Internet are tricked into giving up their credentials. Malware is rampant. You may think you’re doing everything right but there’s a keystroke logger or a credential stealer on your computer.
Add the continued data breaches of personal information and the wealth of social media data, and the traditional second line of defense a series of personal questions about high schools, mother’s maiden, and favorite pet isn’t so hard to hack.
More Choices, Less Friction
With the USAA app, members get three choices for authentication: traditional user ID and password, facial recognition, or voice recognition. All work in conjunction with a security code generated by the app for each login. This adds two factors of identification.
Financial institutions have been urging their online customers to use strong passwords for years, but most users are happy with weak passwords that, once set, rarely change.
The goal for us is how can we raise the bar on security and not impact the customer experience?
As we looked at this from a consumer perspective, we thought what can we do at USAA to give our members options that are going to be stronger? McAlum says. We can enforce strong passwords 30 characters, uppercase-lowercase but all that does is create member friction. So, the goal for us is how can we raise the bar on security and not impact the customer experience?
USAA’s facial recognition requires users to look at the screen and, when prompted, blink their eyes. It takes roughly the same amount of time to type in a four-digit PIN. For voice recognition, users must read a short phrase. Once logged in, users can perform online transactions, contact the call center, apply for a consumer loan, and more without additional verification.
Following a successful pilot in California, Texas, and Florida, USAA, which provides insurance, banking, and investments to military service members and their families, began making facial and voice recognition available to all stateside members in January. So far, it has enrolled 170,000 people out of approximately 4.1 million mobile app users. In the near future, USAA plans to add Apple’s TouchID fingerprint verification capabilities and then roll out biometric access on desktop PCs.
We’re not fixated on any one method of authentication in terms of biometric options, McAlum says. We realized early on there’s no bulletproof solution.
According to McAlum, oily fingers and different screen coatings can make fingerprint identification clunky, which is one of the reasons USAA launched facial and voice recognition first. McAlum has been using facial recognition for a year now and says it is second nature. Voice authentication takes a bit longer and can still be interrupted by external factors.
We realized early on there’s no bulletproof solution.
Voice is more susceptible to environmental factors like background noise, McAlum says. If you’re sitting in a bus station and you’re trying to authenticate using the pass phrase, you might not be so lucky the first round.
On the other hand, facial recognition focuses on measurements of facial features dictated by bone structure, so when McAlum grew a beard over the holidays, the app still recognized him. It took sunglasses and a hat to completely disguise his identity. In fact, testing on multiple sets of identical twins demonstrated that facial and voice could distinguish between each pair of siblings.
Optical Scanning At Mountain America Credit Union
USAA might have been the first, but credit unions are joining the ranks of financial institutions looking to offer biometric log in options. Mountain America Credit Union ($4.2B, West Jordan, Utah) is piloting fingerprint and optical scanning recognition with a limited testing group but expects to introduce the features to members in the coming month. Optical recognition reads the complex pattern of minute blood vessels in the front of the eye, rather than in the back of the retina.
CU QUICK FACTS
MOUNTAIN AMERICA Credit Union
data as of 12.31.14
- HQ: West Jordan, Utah
- ASSETS: $4.19B
- MEMBERS: 499,996
- BRANCHES: 82
- 12-MO SHARE GROWTH: 10.75%
- 12-MO LOAN GROWTH: 24.93%
- ROA: 1.67%
The market is evolving rapidly, and security as well as convenience is top of mind for our members, says Shelby Peterson, manager of product strategy, online, and mobile services at Mountain America Credit Union. It is not easy to have to type in your credentials every time you’re accessing your banking app. We see more adoption and interest in biometrics as more devices are coming with these capabilities.
Keeping pace with the proliferation of devices is a challenge that online banking managers face. For example, not all devices offer fingerprint authentication. And only smartphones with front-facing cameras work with the optical recognition app. For that reason, Peterson says the credit union plans to offer layered or multi-factor identification.
This allows the user to elect using both the fingerprint and eye scan for that extra authentication, she says. Depending on members’ preferences, they may prefer one technology over the other. They might think one technology is more secure than the other. We want to make sure we offer them the option to choose.
Next: How Secure Is It?
How Secure Is It?
The media has plenty of examples of hackers relishing in ways to defeat biometric recognition software on mobile phones, desktop PCs, and other devices. But new features such as requiring the eyes to blink continue to make it more difficult for hackers. For Mountain America, Peterson says she hasn’t succeeded in fooling the technology.
We’ve tried in every way we can to thwart or fool these technologies from videoing eyes to taking pictures of them to even trying to transfer fingerprints, she says.
Behind the scenes, the system passes encrypted authentication information to secure servers, although the credit union is looking in to technologies to eliminate that transfer.
Most hacking techniques require electronic images, printers, and even molds of the account holder’s face or finger. Last year, hackers demonstrated how they could use an ordinary camera to clone Germany Defense Minister Ursula von der Leyen’s fingerprint and fool Apple’s fingerprint scanner; however, it required high-resolution photos of her finger taken from several different angles.
A piece of cake for TV’s Mission Impossible team, perhaps, but in reality it’s easier for fraudsters to steal PINs or gather enough personal information to reset PINs than it is to re-create a face, voice, or fingerprint.
If you lose your phone and a bad guy gets it and uses the app, three options are going to pop up, McAlum says. Facial? They don’t have your face. Voice? They may try that but it’s really good at authentication, too. Or they can try quick log on and enter a four-digit PIN, and they’ve only got four options before it locks out. I like those odds.
McAlum’s lab at USAA spent two years studying options and chose Daon of Sterling, VA, as a technology partner. The bank focused on developing its mobile app first with funding that was part of its innovation pot. It didn’t have a specific funding stream that dictated a specific investment amount in biometrics.
This incubated in our lab, he says. The technology evolved and matured in a lot of ways. I think there are options out there for other organizations that were not there when we were looking at it. There are a lot more system integrators out there that are a lot more capable.
With technology advances moving at a steady pace, McAlum expects improvements in all types of biometrics in the not-too-distant future. Voice recognition, for example, might be compressed into one or two seconds with a single name instead of a long phrase.
Who’s Using USAA’s Biometric Logon?
- 90% of users prefer facial to voice recognition.
- 51% are older than age 35.
- First-time successful enrollment for facial is 80%.
- A majority of enrollees are men.
Cognitive Fingerprints And Biorhythms
Researchers in both defense and commercial sectors are also exploring new methods of identification that sense organic biometrics, such as how users hold and orient the phone or type on the keypad. According to its website, defense researcher DARPA’s Active Authentication program is focusing on behavioral traits that can be observed through how we interact with the world.
Just as when you touch something with your finger you leave behind a fingerprint, when you interact with technology you do so in a pattern based on how your mind processes information, leaving behind a cognitive fingerprint,’ says DARPA’s Dr. Angelos Keromytis, program manager for information innovation, on the organization’s website.
McAlum expects increasingly popular wearable technology such as FitBits and the new Apple Watches could play a role in authentication in the future.
With the advent of wearable technologies, think about the biorhythms that might be unique to you and me, McAlum says. When get to the level of integration with everyday activities how you gesture, how you type on a keyboard, how you use a mouse, I think the future of this field is fascinating.
Each year, millions of U.S. consumers fall prey to identity theft, which is consistently the leading complaint filed with the Federal Trade Commission.That trend is likely to continue to grow unless financial institutions and their members take steps to reform authentication practices.
How do how we raise the level of security and authentication over all of our channels, not just mobile? McAlum says. All financial institutions, really anybody doing business on Internet, ought to be thinking about how to raise the level of security from the point of entry. Biometrics isn’t the only way to do that, but it’s one way.