This article described recent adoption of biometric technology by Wells Fargo and Barclays for corporate clients:
“As data breaches, ransomware, and other cybercrimes heighten concerns about the security of doing business on the Internet, some banks are rolling out biometric methods of authentication, methods that rely on some unique physical characteristic of the customer, like a fingerprint.
Wells Fargo customers can now use a scan of the veins in their eye to log onto the mobile version of the bank’s Commercial Electronic Office portal, CEO Mobile. And Barclays is about to launch a device that uses finger vein technology to authenticate customers signing into its treasury portal on a laptop or desktop.
“We do think this is the way forward,” said Shameet Shah, head of digital client security for corporate banking at Barclays. “Within our space, security is paramount. You’re protecting clients’ accounts that have millions of dollars or pounds.”
Bank executives say biometric authentication methods avoid some of the problems that companies encounter with passwords, such as employees forgetting them or sharing them with others, or passwords being exposed by data breaches.
“Passwords and security questions are often compromised through malware or routine social engineering tactics,” Brooke Satti Charles, a financial crime prevention strategist at IBM Security, said in an email. “Add to that general password fatigue, where customers may use the same password in many places, and the potential for misuse escalates quickly.
‘These and many other factors highlight a clear need to improve and implement easier, risk-based, unobtrusive user authentication,’ Satti Charles wrote. ‘Physical biometrics and behavioral biometrics offer just this.’ ”
The problem is that there are many biometrics to choose from. The solutions built into phones don’t satisfy the security needs of banks and others that don’t require new hardware are often not popular with the customer:
“Wells Fargo amped up its back-end efforts to detect fraud and started looking into biometric authentication methods, “knowing that we want to get rid of the password in five years, and biometric is the only way for us to eradicate passwords completely,” she said.
The bank tested one vendor’s face-and-voice authentication method, which worked but wasn’t popular with users. “One thing customers told us was that voice in a self-service setting was less than ideal,” Watson said, noting that customers wanted to multitask but couldn’t do use the voice authentication while they were in noisy environments, like public transit, or sitting in a meeting.
Wells Fargo then partnered with a company that offers the eye vein technology and tested that method. The technology relies on fact that each person has a unique pattern of veins in the white of the eye. During enrollment, the app videos the customer and creates a template of the veins in his or her eye. “Every time the customer comes back to log on to CEO Mobile, we are able to validate them against a template we’ve created when they’ve enrolled,” Watson said.
The eye vein method is “both secure and resonates with customers in terms of how convenient it is,” Watson said.
Wells Fargo plans to roll it out late this year to customers with Apple iPhones and then to those with Android phones. Meanwhile, it will continue testing biometric approaches to authentication, in part because no one method will work for all customers, Watson said. “If you’re sight-impaired, you won’t be able to position your phone to be sure it can see your eye,” she noted.
‘We’re not saying to customers ‘You can no longer use a password and an ID’; we’re still making it a choice,’ Watson said. ‘Right now, there’s just one biometric, and it may not work for everyone.’ ”
So while eventually the mobile phone will become more secure and capable of supporting a level of authentication that banks can rely on, today they can’t and so other approaches must be found that remediate the ever increasing failure of passwords.
Overview by Tim Sloane, VP, Payment Advisory Service at Mercator Advisory Group
Read the full story here