Weary of passwords, mobile banking users warm to biometrics

Much as banks might want to get rid of the use of usernames and passwords for online and mobile banking, they still bump up against a harsh reality: Nearly 75% of consumers in a recent study said they use that method when logging in to banking accounts.

But consumers are also warming to stronger authentication methods as they become more exposed to them on their smartphones and other devices. And regulatory pressure, both within the U.S. and in other countries, is gradually pushing banks and other companies to reduce their reliance on usernames and passwords. As a result, the day banks can ditch passwords may be coming sooner than once was thought.

"Banks of all sizes continue to innovate when it comes to security," said Paul Benda, senior vice president of operational risk and cybersecurity at the American Bankers Association. "With so many people using face ID and fingerprint authentication on their smartphones, consumers are a lot more comfortable with using biometrics."

This is one of several signals in the banking and payments industries that indicate a "large-scale movement away from passwords" in the next year or two, said Phil Dunkelberger, CEO of Nok Nok Labs in San Jose, California, a founder of the Faster Identity Online Alliance.

The alliance is a consortium of tech providers for website developers, financial services, payments networks and others. The group has developed protocols that incorporate biometrics to replace usernames and passwords.

"Many bank apps already offer biometrics as an option by allowing customers to log in with their biometric ID, but not all customers use a smartphone, so I see it as an alternative to the username and password rather than a replacement," Benda said.

In many cases, the username and password is just "the first lock you have to get through, and the second is some form of multifactor authentication that adds another layer of security to accounts,” he added.

Momentum for dropping usernames and passwords as login mechanisms could be a byproduct of regulations like PSD2 in Europe, which bans the use of usernames, though it does say passwords or PINs could remain part of a two- or three-factor authentication method.

The Office of the Comptroller of the Currency this month issued new guidance that also highlighted the cybersecurity risks of online and mobile banking. The guidance emphasized to banks that various layers of security were vital as cyberattacks mount, citing the weakness of single-factor authentication — most often a username and password.

"In the U.S., we are mostly stuck with usernames and passwords, but regionally it is moving and the regulatory environment is saying better authentication signals are needed," said Dunkelberger, adding that the trend is becoming increasingly important as the number of people relying on devices for so many facets of their lives continues to grow.

"The easiest low-hanging fruit is to talk about the context of passwords, because they get stolen and everybody hates them and says to get rid of them," he added.

Several banks did not respond to requests for comment on this topic.

Another driver of change would be if more financial institutions decide to follow the lead of major corporations and adopt embedded or biometric authentication processes for access to mobile or online banking.

Examples include Amazon’s Amazon Go concept for contactless or no point-of-sale payments and Apple’s thumbprint or facial ID to unlock devices. A mobile or online window seeking a username and password rarely, if ever, appears in those scenarios. Many banks support thumbprint or facial recognition for mobile banking logins.

Eventually, other major businesses and financial institutions will bring on biometrics or other tools for consumers to adopt, Dunkelberger said.

While 74.5% of respondents to a survey Nok Nok Labs/Pymnts published last month typed in a username and password when interacting with banks' online or mobile channels, only 42% said they preferred that method. About 2,127 U.S. adult consumers participated in the study.

Only 22% said they primarily used a fingerprint scan in banking channels; 14% said they preferred that method over others.

However, as many as 52% of consumers living in large cities or urban areas are "very" or "extremely" interested in multifactor authentication methods, meaning a username-password combination is only a part of that scenario.

Nearly 25% of all survey respondents would like to use both a two-factor and three-factor authentication process to obtain more security. Generally, three-factor authentication calls for the consumer to confirm identity through personal questions, connection to a specific mobile device and facial or fingerprint biometrics.

"We have seen that the majority of consumers think passwords are easy to use," said Julie Conroy, research director for Aite-Novarica. "But that’s because the vast majority use them badly, by reusing the same handful of credential pairs across most of their online relationships."

What’s worse is the vast majority of surveyed consumers thought passwords were an effective security mechanism, Conroy noted, adding it means they have a false sense of security.

"The fact that so many consumers prioritize convenience over security" is a problem in the U.S. and any other place in which usernames and passwords continue to thrive, Conroy added.

"The mobile form factor presents the opportunity to introduce alternatives to passwords in a way that increases both convenience and security, but the transition will likely continue to be a gradual one here [in the U.S.], unfortunately," she added.

Some countries have put heavy reliance on passwords in the rearview mirror. In China, Japan and parts of Africa, the use of mobile devices with biometric authentication for payments and access to bank accounts has long been in place.

Scanned QR codes are a popular login method in China, even for consumers logging into a desktop computer via a code from their phones.

British consumers are ready for such a switch. London-based behavior analytics and artificial intelligence-based digital identity provider Callsign says its most recent research shows 64% of U.K. consumers lack confidence in the security of their passwords and only a third update them when prompted to do so by a business or organization.

"Instead of utilizing passwords, businesses should look at leveraging other verification methods to ensure customer security, such as behavioral biometrics that are analyzed against thousands of data points," said Sarah Whipp, head of market strategy at Callsign. "This allows consumers to quickly access services such as online banking while providing security and peace of mind."

As technology continues to advance, whether banks can drop usernames and passwords will depend greatly on what technology consumers have available to them, said Melissa Gaddis, senior director of customer success, global fraud solutions at TransUnion.

"There is technology currently out there as well as tech yet to be built that will allow us to move away from passwords," Gaddis said, referring to biometrics and device identifications.

But it will cause banks and businesses to be extremely cautious about how they would approach or deploy new tools.

"You have to think about the consumer and what they will do from an adoption standpoint," Gaddis said. "As businesses deploy new tech, what will the consumer need to have in order to take advantage of it, and is there a market and population you automatically cut away from your business if they don't have that?"

For reprint and licensing requests for this article, click here.
Authentication Cyber security Fraud prevention
MORE FROM AMERICAN BANKER