The end of passwords? Banks go big on biometrics

By : Dena Hamilton

May 17, 2016 01:00 PM

In payments, MasterCard and Visa have been leading the charge to end consumers' reliance on passwords. The card giants are in the process of ditching their online password systems in favor of biometrics in the interests of making e-commerce more secure.


While the payments industry has led the way, it looks very much like the wider retail banking sector is hot on its heels.


HSBC has announced it will roll out voice and fingerprint recognition security services for its customers in the UK. The services include the bank’s online-only First Direct brand and its main HSBC high street accounts. Francesca 

McDonagh, HSBC UK's head of retail banking and wealth management, said: "The launch of voice and touch ID makes it even quicker and easier for customers to access their bank account, using the most secure form of password technology - the body."


HSBC is not the first bank by any means, but it’s one of the biggest to go down this route. As Europe’s largest bank, it’s bringing biometric logins to 15 million customers and the rollout is by far the largest of its kind in the UK.


Barclays has been trialling voice recognition with its 300,000 wealthiest clients since 2013 and is planning a full launch for its 12 million retail customers this year. Lloyds is looking at using Amazon Echo, a hands-free device that lets people log in using only their voice. Santander has just launched the first phase of its 'voice banking' technology.


Challenger bank Atom announced biometric logins late last year, while in the US, Citi has around 250,000 customers logging in via voice recognition.


Digital Insight, an NCR company, recently introduced Android Fingerprint ID to its mobile banking app, to allow mobile banking users to use their fingerprints to authenticate their identities to log in on Android devices. For community banks and credit unions, the fingerprint authentication functionality will help reduce the costs associated with password resets, lockouts and call center inquiries, while giving end users a secure, fast and easy way to access their accounts via their smartphones and tablets.


It’s important to note that in these examples, biometrics are not acting alone - they form part of a layered security approach.


Gary McAlum, chief security officer at USAA, which is offering facial and voice recognition security, commented: “The use of multifactor authentication through biometrics is one of the most effective ways to increase security protection as traditional passwords become increasingly obsolete.”


And this goes to the heart of the discussion around whether reports of the death of the password have been greatly exaggerated.


Password protected?


Whether we’re looking just at payments or retail banking in general, passwords look like they’re on the way out. Or are they? According to Atom, the average person has 19 passwords, which clearly poses a significant challenge to memorize them all. Consumers are told to use different passwords for different accounts, as it’s safer.


But how often do you have to reset a password because it’s been forgotten? It’s not a great experience for the customer and so people simply use the same password across multiple accounts.


As Atom again points out, though, one in three are just not strong enough. And that is a worrying statistic given just how easy it is for criminals to steal credentials. With passwords, it’s often a case of weighing convenience against security. Which is exactly why biometrics are proving so popular. With a fingerprint scan there is no need to compromise.


Ajay Bhalla, president of enterprise security solutions for MasterCard, commented: “All of us want a payment experience that is safe as well as simple, not one or the other. We want to identify people for who they are, not what they remember. We have too many passwords to remember and this creates extra problems for consumers and businesses.”


At the moment, though, passwords will remain in place alongside biometrics as they form an important backup. For example, logging into the new iPhone devices still sometimes requires a password as the Touch ID fingerprint reader doesn’t always scan the finger successfully.


"Despite continued cries for intervention, the user ID and password will remain the primary authentication method that consumers use to access their various applications," argues the Atlanta Fed's Retail Payments Risk Forum.


Clearly, until the biometric technology is bulletproof from a user experience point of view, passwords will be here to stay. But let’s not forget that authentication, whether through passwords or biometrics, is just one part of the picture when it comes to protecting our accounts – intelligent fraud detection systems are essential so that even if a criminal manages to gain access, you can stop a fraudulent transaction in its tracks.


Dena Hamilton

GM/Director, Enterprise Fraud & Security Software Solutions

Other articles by this author

Dena specializes in fraud, risk, compliance and security with over 35 years in the financial services space. Her focus is in the development and deployment of enterprise financial crime solutions optimized in prevention, detection and back office efficiency.