More than two decades since a New Yorker cartoon joked that "on the Internet, nobody knows you're a dog," some financial institutions are finally replacing old and not-so-reliable methods of authenticating customers — passwords and security questions — with sophisticated alternatives.
Voice biometrics, fingerprint detection, facial recognition and device ID have graduated from the pilot phase to wider deployment at a handful of FIs.
And more innovative methods, including authentication based on smartphone activity, are being tested in university research labs. If successful, these technologies could deliver the combination of security and convenience that has eluded credit unions and banks in their struggle to verify user identities and keep out impostors without hassling true customers.
The shift to next-gen authentication methods has been made possible by the convergence of several trends. One is the ubiquity of smartphones with high-quality microphones and cameras that make voice and facial recognition easy, and the availability of Apple's Touch ID fingerprint reader on iPhones for finger scanning.
Some credit unions jumped on the biometric bandwagon early. For instance, $914 million Purdue Federal CU in West Lafayette, Ind., deployed fingerprint scanning for identity theft protection in its branches in 2007. And $262 million Service 1st Federal CU in Danville, Pa., started offering biometric fingerprint scanning to members last year.
Meanwhile, a new biometric automated teller machine allows members of Securityplus FCU in Baltimore to conduct transactions via a kiosk equipped with facial recognition biometric software.
"I think this is the future of a member authenticating their person with devises," Securityplus FCU Senior Systems Engineer Mike Adams told Credit Union Journal. "The camera can look at the member and say, 'Yes that is the right person.' "
The $363-million asset CU has been using fingerprint biometric technology with its 100 employees for over a decade as well.
Public awareness of data breaches and fraud issues has made consumers more willing to provide fingerprints, voiceprints and selfies to secure their financial information, say industry experts.
And while financial institutions are driven by the need to make their growing volume of mobile and online transactions secure and convenient, they're also being pushed by a newer, related dynamic: their call centers are swamped with requests from consumers who want to reset lost, stolen or compromised passwords.
One whiz-bang authentication technology is voice recognition.
"Voice recognition has the right combination of characteristics that are unique to the individual," said Dominic Venturo, chief innovation officer at U.S. Bank in Minneapolis. "The voice is easy to use and every mobile phone has the ability to hear a voice." The $404 billion-asset bank has been testing voice biometrics and aims to make it more widely available this year.
According to Opus Research, 41% of all global voice biometrics installations are implemented by financial institutions.
The quality of smartphones' built-in microphones is high enough to achieve accuracy rates above 90%, according to Brett Beranek, director of product strategy for voice biometrics at Nuance Communications.
Fingerprint recognition is another option, one that Apple brought to the forefront recently by including Touch ID on iPhones and making it part of Apple Pay.
Vincent Endres, chief of corporate development at Hoyos Labs, says his company has been "swamped with interest" from banks in his company's facial recognition technology, which it's been testing with "several of the top 10 banks in the world. Some are looking to use this to let internal employees to log on without a password, some are looking at ATM applications," he said. "Private client groups want to get rid of tokens."
FIs want to reduce the burden on help desks to reset passwords and digital banking more convenient to clients, he said.
Analysis of smartphone activity and web behavior is another technology solution. It hasn't been deployed in production yet, but two teams of researchers at universities in the U.S. and India have come up with a method of using the monitoring of consumer activity for authentication.
"Our system in the background collects different digital activities on the customer's smartphone, social media, and web," said Swadhin Pradhan, a professor at the University of Texas at Austin, of his team's ActivPass method. "It than selects activities that are easy to remember and difficult to guess and asks three questions."
For example, ActivPass might ask questions like, whom did you last call? Or what was your first text today?
A CU or bank could use ActivPass to replace or augment its knowledge-based authentication (challenge questions, like "what was the name of your first pet?"). The FI would need to get permission from the user to gather this information during the app installation.
"Questions like what is your date of birth, what is the color of your car, are static and can be easily hacked," Pradhan said. "In social media they can get all this information."
The ability to look across different channels of activity provides greater confidence, Pradhan argues. "If you can look at this kind of distributed activity — social media, smartphone, browsers, the probability [of hackers being able to game the user's identity] will be less," he said.
And further out there is the "natural body identification" PayPal is developing. This is a series of embeddable, injectable and ingestible devices that could replace passwords as a means of identification. The devices may include brain implants, silicon chips embedded into the skin and ingestible devices with batteries powered by stomach acid.
USAA Goes All In
USAA began looking at biometrics in 2008, "but it wasn't mainstream and our members wouldn't have accepted it as much," Royer said.
Earlier this year, the member organization and $67 billion-asset FI became the first to nationally roll out voice and facial recognition for its mobile apps, letting members log in with a spoken phrase or a selfie. About a week ago, the company added Apple Touch ID to the mix, bringing the number of ways members can authenticate themselves at login to four: with their voice, their face, their thumbprint or a PIN.
Behind the curtain, the San Antonio, Texas-based financial institution also uses device ID in its authentication process, so a potential fraudster would have to have the device registered with the account in addition to one of the four pieces of identity required to access her account.
The four options are meant to provide convenience for members and reflect a practical reality: voice recognition doesn't work well in a noisy environment, facial recognition can be faulty in direct sunlight and fingerprints are harder to capture in extremely cold weather.
So far, the fingerprint technology is the most popular. In the week it debuted Touch ID, USAA went from 200,000 biometric signups to 350,000.
USAA uses Nuance's voice recognition technology for authentication and for spoken commands to Nina, the company's Siri-like virtual assistant. The bank partners with Daon for Touch ID and facial recognition.
Marian Raab contributed to this article.