When Apple talks, who doesn’t listen? In mid-September the Cupertino, Calif., tech behemoth announced it would make fingerprint authentication available on its new iPhone 5S and immediately, across financial services, the question was raised: Will this impact mobile banking logins?
At the crux is the realization that the traditional username/password login is broken. There are way too many compromised logins and thus a rush to perfect other forms of authentication, often biometric.
There had been a logjam of biometric formats – voice, eyeball, fingerprint all vied for attention – but just maybe Apple’s vote for fingerprints is the game changer. Financial technology expert Jim Marous said that after Apple’s fingerprint announcement he surveyed a cross section of financial tech experts and the opinion that came back was that “this will be the tipping point for fingerprints.”
A big plus of fingerprints: You always carry your finger with you and generally it remains unaffected by transient factors (such as a bad cold that can play havoc with voice recognition or an allergy attack that can cause eyeballs to get unrecognizably red).
Understand this, Apple’s Touch ID is a limited-purpose tool. It’s a way to log in to an iPhone (replacing the four digit passcode which only an estimated one in two users ever activate). It also can be used for purchases in Apple’s Apps Store and iTunes. Elsewhere – no. “Apple is limiting the use cases because they know they will tweak Touch ID,” said Vince Arneja, a vice president at Bethesda, Md.-based security firm Arxan Technologies.
Another fact: Experts consulted by Credit Union Times could not name a single US credit union that deploys fingerprint technologies in member facing applications. Many hundreds use fingerprint tools with employees (to gain entry to a vault, for instance, or to log into a computer). Redwood City, Calif., fingerprint company DigitalPersona alone claims “100 to 200” credit union customers, per spokeswoman Lori Paxton, but she acknowledged all the uses have been employee facing.
Until now, credit unions have stayed away from asking members to authenticate themselves with fingerprints because it somehow seemed clinical, off-putting. Security expert Robert Siciliano said, “Consumers have been and are still a little scared of biometrics. Fingerprints are considered private and if they are hacked then what? “
That fear may vanish with Apple’s involvement, said Jay McLaughlin, chief security officer at Austin, Texas-based Q2ebanking. “Touch ID will be viewed as a neat feature, not an annoyance,” predicted McLaughlin. “People will think this is cool,” mainly because Apple has proven genius in persuading millions that wherever it goes, there is cool.”
Added Siciliano: “[Touch ID is] the first step in millions of consumers getting used to giving up a fingerprint for authentication. This hardware will undoubtedly put consumers’ minds to rest that it’s OK to make a purchase using a fingerprint.”
That sets the stage for where this potentially gets interesting for credit unions. Richard Henderson, security strategist for Fortinet's FortiGuard Labs, wrote in an email: “The wide-scale implementation of a biometric authentication device on this scale, coupled with Apple's famous attention to ease-of-use interface design, means that we may be on the cusp of finally moving away from simple single-factor authentication into multi-factor authentication.”
Arneja, too, notes that his company, Arxan, is seeing fast-rising interest on the part of financial institutions in possibly deploying fingerprint authentication technologies in customer/member uses. “We are seeing huge interest,” he said, adding that it probably will be a matter of short weeks before leading Android smartphone makers – such as Samsung and Google-owned Motorola – also announce that fingerprint technologies are on the way to those phones.
Henderson pointed the way to the next chapter: “Simple tasks such as unlocking your phone generally don't need two-factor authentication, but logging on to your mobile banking client would be a perfect candidate for extension of the sensor: using your password plus being asked to scan your finger would likely prevent all but the most determined or talented malware authors from stealing your banking credentials.”
Just maybe, once Apple (and its Android fellow travelers) acclimates users to fingerprints, it is entirely possible that mobile banking login will become multi-factor, involving a user name, perhaps device authentication (mobile phones have unique IDs that appropriately equipped systems can read), possibly an old-fashioned password, and, lastly, a fingerprint. Time elapsed might be a tick more than today’s login, but the payoff would be dramatically better security.
That is why, suddenly, there is abundant optimism that we just may be very near a dramatic upgrading of mobile banking security.