The Death of the Password

2014 saw the introduction of payments being authenticated by fingerprint sensors with platforms such as Apple Pay and this emergence caused biometrics to catapult into the banking industry. Madhvi Mavadiya explores how traditional banks have transformed their systems for consumers and corporates to suit the growing hunger for convenience, security and digitalisation.


It can be questioned to what extent the depletion of the usage of passwords will affect banks as newer, simpler, technologies have come to the surface. More and more consumers will be able to use modalities, such as fingerprint sensors, voice recognition, iris scanners and palm vein readers to make payments, because of the lack of risk involved in using biological data. Conor White, president, Americas, at biometrics and identity assurance software company Daon, believes that this form of technology will help the industry to move away from defining a person by their password. “If you’re authenticating a person and not something that represents a person like a token or a password, then it can remove most of the issues that we have with online commerce today,” White explained. Bob Reany, senior vice president of global products and services of identity solutions at MasterCard has a similar attitude to this issue. “Identity solutions and understanding who a consumer is, is a really important part of business, not just to resolve fraud, but also for approval rates. A real focus for us is helping our banks understand who consumers are and biometrics is one of the layers that we use,” Reany said.

A convenient way of banking has already been provided to consumers with the arrival of the internet and mobile phone transactions; but with biometric authentication and the replacement of security questions, it could mean that risk is eliminated. For example, Barclays launched their new online banking hub iPortal late last year, which helps corporate customers have direct access to services that the bank provides with the use of the Barclays Biometric Reader. Getting rid of older technology seemed to be the top priority for Barclays’s head of cash management, Michael Mueller, who highlighted that this was the right direction to move forward in. “Traditionally online banking systems have not always made life easy for businesses. Corporate banking solutions that bridge existing products produce disparate, complex and outdated systems that require multiple logins on a variety of platforms, making banking a time-consuming and disjointed process,” Mueller mentioned at the time iPortal was launched. With the use of Hitachi’s Finger Vein Technology (VeinID), which scans the user’s finger blood flow to confirm transactions, iPortal has the potential to present an overview of group balances across different business divisions in multiple countries, and therefore, revolutionise the worldwide economy.


Memory is a thing of the past

Barclays Wealth and Investment Management believe that memory is a thing of the past and voice biometric technology should be taken advantage of, such as FreeSpeech from Nuance Communications. This system operates by checking a customer’s voice and comparing it to the “voiceprints” that have been stored to authenticate the payment in 20 seconds. Bob Graham, senior vice president and head of banking and financial services at IT consultancy Virtusa, explains that we are only at the beginning stages of how financial institutions can use biometrics and are looking at the start of the decline of using passwords for authentication. “The next wave of biometrics in banking will focus on using voice as an authentication mechanism. Not only will we use this on mobile devices but we will also see it in call centre areas where users will be able to be identified and authenticated from their voice imprint rather than inputting or responding to a series of security questions,” Graham said.

On the subject of the diminishing password, Graham responded to the situation by mentioning that the “elements of what your password can contain and how frequently it must be changed have grown dramatically and this has led to significantly increased pain and friction with customers.”


Wells Fargo are another bank that have utilised biometric technology to renew the way we bank using voice recognition, but in combination with facial recognition to, in turn, create a more efficient mobile banking security system. After working with SpeechPro, a global leader in biometrics, to develop their mobile banking application CEO Mobile, they were able to eradicate the tedious transaction process of entering a user ID, password, unique security token or PIN number. Secil Watson, head of wholesale internet solutions at Wells Fargo, highlights how when this mobile app was piloted, the bank combined biometric markers, in order to result in a confident assessment of the customer. Through this research, it was revealed that customers wanted choice, so a new biometric solution is set to be launched next year which operates by taking a video of a customer’s eye and will read the red vein and white part of the eye to authorise payments. Watson said that this solution will be well received because it is quicker than the selfie style voice biometric technology that provide at the moment. “Feedback from customers revealed that in very loud situations, voice authentication failed on some occasions,” Watson said. She continued to comment on biometrics as an alternative to passwords and how data breaches have contributed to vulnerability and insecurity at banks. “We realise that passwords have been around for more than 15 years but they have also been hacked quite often because they are not changed as frequently as they should be. But, as the hardware technology evolves and there are better cameras, better microphones and better touch sensors, biometric technology will also evolve,” Watson said.



All in vein

In 2009, it was announced that biometrics leader Sagem Sécurité (Safran group) had partnered with Hitachi to unveil the first ever multi-modal finger vein and fingerprint device called Finger VP. In this device, Hitachi’s VeinID finger vein imaging which detects the blood vessels under the skin is combined with Safran’s fingerprint identification technology called Morpho. At the time, this was the only multi-modal device that was capable of processing two sets of biometric data at the same time and could be used for one to one or one to many verification. Chairman and CEO of Sagem Sécurité, Jean-Paul Jainsky believes that with Finger VP, biometrics will open up new opportunities for identification systems. “By combining Finger Vein Authentication with fingerprint analysis, security has never reached such a high level,” Jainsky commented.

This questions whether multi-modality when using biometric authentication increases security and in a recent whitepaper, “Implementing a Mobile Biometric Authentication Solution” published by Daon, this is explored. “You don’t want to have to rely on one single biometric factor, such as voice recognition or fingerprint. The partner you select should have experience in and support voice, face, and fingerprint authentication on a single platform. Rolling out a biometric authentication program is complicated enough without having to engage multiple companies, each supporting a single factor,” the whitepaper explored. Daon’s system IdentityX has been implemented by financial services company USAA and a million users have signed up for the biometric login system since integration at the start of 2015. A case study which explains the partnership between Daon and USAA presents that although biometric identification had not yet gained traction in the financial sector, the bank realised how IdentityX’s facial authentication with liveness, voice recognition and PIN verification would bring them success. “The triumvirate of face, voice and PIN options allows members to select their desired means of identity verification based on the circumstances at the moment,” the case study said.


Security will always be an issue

Regardless of multi-modality solutions, security is always going to be an issue, but it is important to bear in mind the False Match Rate (FMR) and False Non-Match Rate (FNMR) when implementing any biometric authentication application. Daon’s whitepaper explains how FMR is the rate that measures how easy it is for someone to impersonate you, while the FNMR is the rate that measures how easy it is for you to successfully authenticate yourself. Alongside this, MasterCard also keep security as their top priority, as Reany explains. “The big difference between data and the biometric business model is that there is no massive database full of fingerprints, it’s all on your device and it’s your device. The bad guys would have to break into your house, steal your phone and learn your buying behaviours, so it’s not just the biometric technology, it’s biometric and other layers that keep it secure,” Reany said. MasterCard have also launched a new program that intends to turn customer products, in the automotive, fashion and wearables industries, into payments devices. The Commerce for Every Device program includes companies like Bluetooth locator TrackR, smart jewellery company Ringly and Nymi.

London street people

Nymi, the creator of the Nymi band which is a wristband capable of monitoring cardiac rhythms, provides continuous authentication through the heartbeat of the wearer; security is confirmed here as cardiac rhythm is unique to each person. It has been reported that the Nymi Band’s HeartID technology was used with NFC technology to process a MasterCard payment on a contactless payment terminal, so it could become an effective form of payment. Peter O’Neill, CEO and President of FindBiometrics, explores how because of past data breaches and because the password is a useless way of identifying someone, it is important to include privacy professionals in the discussion. “Within two years, the password will be pretty much dead, but the work that the FIDO Alliance is doing will make biometrics seamless and it will be more secure than it is right now. BYOI (Bring Your Own Identity) will play a big factor,” O’Neill states.

The FIDO Alliance was formed in 2012 in order to ensure that strong authentication was carried across all devices and address the problem that people were forgetting usernames and passwords. With this new standard, browser plugins and security devices will let websites and cloud applications be interfaced with all FIDO-enabled devices. PC operating system Windows 10, which became available last year, features a biometric security platform named Windows Hello, which allows for multi-modal user authentication. This system does comply with FIDO Alliance requirements and provides evidence for the growing demand and convenience of use for this form of technology.

When it comes to whether or not biometrics will kill passwords off, it’s not a question of if, but when.



Introducing: Payments {R}evolution Magazine

The article above is part of our special edition Payments {R}evolution Magazine. For more content like that, just choose an article from below that interests and enjoy the magazine for FREE!


Related reading

Leave a comment

Comments RSS TrackBack 1 comment