Multi-factor authentication goes mainstream

Goodbye username plus password, hello smartphone plus thumbprint


More than a million financial services customers at USAA use fingerprints, rather than passwords, to get online. This is part of a trend toward multi-factor authentication (MFA), and it means there is no stored list of passwords for hackers to steal.

In 2014, San Antonio-based USAA became the first financial institution to roll out facial and voice recognition on a mobile app, says Gary McAlum, USAA's chief security officer. Thumbprint recognition followed a few months later. A year after that, USAA had 1.1 million enrolled MFA users, out of a target population of 5 million mobile banking app users.

"The security model of the Internet is a legacy model, a dying model, based on information that is known -- your password or your high school mascot, for instance -- all of which is readily discovered from data breaches or from Facebook," notes McAlum. "Getting away from 'information that is known' is imperative to us."

As the alternative, "Pretty much every bank in the world is using a form of MFA, if they are compliant with regulations," says Avivah Litan, Gartner security analyst. For decades MFA often amounted to a "secure token," a small device that displayed a one-time password that changed every few minutes. The bank's security server had the same algorithm and would recognize the latest, correct password.
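The "secure token" Litan describes works because the token and the bank's server share a secret and the same counter-based algorithm; below is an added illustration (not code from USAA, Gartner or any vendor named here) of time-based one-time passwords as standardised in RFC 6238, including the server-side checks a practitioner adds: a small clock-drift window, constant-time comparison, and a replay guard so the same code cannot be accepted twice. The shared secret used in the test is the RFC's published test key, not a real credential.

```python
import hashlib
import hmac
import struct


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """HMAC-based OTP (RFC 4226): HMAC-SHA1 over the 8-byte counter, dynamically truncated."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: bytes, at_time: float, step: int = 30, digits: int = 6) -> str:
    """Time-based OTP (RFC 6238): the counter is the number of `step`-second periods since the epoch."""
    return hotp(secret, int(at_time // step), digits)


def verify_totp(secret: bytes, candidate: str, at_time: float, last_accepted: int = -1,
                step: int = 30, digits: int = 6, window: int = 1):
    """Server-side check. Returns the matching counter, or None if the code is invalid.

    - `window` allows +/- that many steps of clock drift between token and server.
    - `last_accepted` is the highest counter already redeemed for this user; the caller
      persists the returned value so a captured code cannot be replayed within the window.
    - hmac.compare_digest avoids leaking the correct digits through timing differences.
    """
    if len(candidate) != digits or not candidate.isdigit():
        return None
    counter = int(at_time // step)
    for delta in range(-window, window + 1):
        c = counter + delta
        if c <= last_accepted:
            continue  # already redeemed: reject replay of this period
        if hmac.compare_digest(hotp(secret, c, digits), candidate):
            return c
    return None


if __name__ == "__main__":
    key = b"12345678901234567890"  # RFC 6238 test secret, not a real credential
    print(totp(key, 59))           # the code a token would show at t=59s
```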

"But MFA has always been too complex and expensive for broad usage," says Jon Oltsik, security analyst at the Enterprise Strategy Group. "What's changing now is the use of consumer technologies, primarily smartphones, and increasingly the use of biometric factors like thumbprint readers on smartphones."

Factors defined

"MFA is something you know, something you have and something you are -- and you can't rely on just one," says Michael Lynch, chief strategy officer at authentication software firm InAuth. "Something you know is a credential like a password. Something you have could be a secure token, but with mobile you're using the phone as a secure token. Or it could be the PC. Something you are is biometrics, such as fingerprint, iris, voice or pulse recognition."

Other biometric factors, in use or proposed, include heartbeat, typing speed, vein patterns in the whites of the eye or in the skin, walking gait, location and long-term behavior patterns. Iris recognition requires a camera with infrared functionality.

Some are still using two-factor security. The traditional name-password combination typically counts as one factor, and the device is the second, Lynch says, while the trend (as with USAA) is to use a mobile device as one factor and a biometric property detected by the device as a second factor, with no password.

For a desktop, Lynch explains that "browser fingerprinting" can be used as a second factor, by gathering information about the machine's fonts, language, application and browser type.

"The machine's fingerprint changes over time, as applications are updated or patched, so the fingerprint typically lasts 60 days or less," which is why a bank's log-in requirements may suddenly change for a desktop user, Lynch says. The combination of a cookie and the browser fingerprint is more reliable, he adds. (Cookies can last for as long as the browser is installed but a given machine may not allow them.)

"But you don't have to see the second factor -- the bank is checking your PC through a cookie, almost always," Litan notes. If the bank doesn't recognize a machine, it will often send a one-time password to that user's cell phone number or email address, she adds.

As for biometric factors for mobile devices, "Fingerprint ID is big because it's often built into the platform, it's convenient and users are used to it, but it's no better or worse than other ID methods," says Jim Ducharme, vice president at security systems vendor RSA. "We are seeing things like voice and facial being less popular since there are so many ways they don't work -- voice not on a subway, facial not at a nightclub."

At USAA, about 90% of the users rely on thumbprint recognition, and the log-on success rate for both thumbprint and facial scans is higher than 90%, McAlum says. While voice recognition is subject to more environmental factors, some users still prefer it, he adds. (PIN access is also available so the user will not be locked out if other methods fail, he notes.)

But the choice of what factor to use does not always hinge on technology. "In some places it is not acceptable to use the face as an identifier, since clothing impedes it or they see the eye as the path to the soul," says Marc Boroditsky, vice president of authentication software vendor Authy. "They may not like fingerprint sensors for various reasons. They think it implies criminality in Brazil. In parts of Asia they think it's unclean to be touching" the fingerprint sensor.

"Your identity is a personal thing, and when you start using pieces of a person for identification you are encroaching on something with complex cultural implications," Boroditsky adds. "There is also an element of being spied on with almost every [biometric] factor. There is a creepy element in detecting the users and not involving them in the process. We need to be up-front about it and let the customers opt out. For instance, they could switch off location detection and add another step in the authentication process.

"But for a customer solution to work it has to be a pleasurable experience; you don't want them to feel like they are going through airport security in order to buy something online," he notes. Otherwise the online services "won't deploy it and will just live with the fraud."

Enrollment

For MFA to work with a mobile device, that device also has to be enrolled so that the online service trusts it. The device will be doing the biometric scan that authenticates the user, so the device must be reliably identifiable to the online service.

McAlum would not give any details about the enrollment process that USAA uses, other than it can be done online, and that the system also establishes some links to the user's smartphone.

Lynch was a little more open about the enrollment process InAuth uses for smartphones. "First we protect against malware and see if the device has been jailbroken or rooted. Is it moving? That's good. If it's always at a 45-degree angle and always plugged in, that's an indication of a fraud shop. You put factors together for predictive analysis. You can do that with a browser but you can get so much more from a phone.

"We use a permanent identifier to recognize your phone even if you install a new app or a new operating system," adds Lynch. "It gives us a permanent anchor of that person to that phone. Trusting a device helps you eliminate friction for a customer."

If there seems to be something questionable about the user -- such as access from China when the user was in New Hampshire the previous day -- the trend is to impose additional authentication levels rather than simply deny access, although denial is a last resort, notes Lynch. For instance, the online service might send a one-time password to the user's enrolled device for the user to enter, as well as require the user to submit a biometric factor. A hacker not in possession of the device will not get that password and so would never enter it. A thief in possession of the device would probably not be able to spoof the biometric factors.

At least, that's the theory.

Effectiveness

"There are only a handful of major implementations, so we can't honestly say there is no fraud, but they'd have to hack your fingerprint as well as your device," says Ramesh Kesanupalli, founder of Nok Nok Labs and vice president of the Fast ID Online (FIDO) Alliance, which promotes industry standards for MFA. Under FIDO's standards, no personal information such as a description of the fingerprint leaves the device, and authentication is done locally, he adds.

Overall, "There is nothing that can't be broken, and in our pursuit of the strongest possible authentication we have made the user experience horrible -- passwords have to have 12 characters, with upper and lower case and special characters," says RSA's Ducharme. "We see things moving towards what we call identity assurance, with multiple factors that individually may not be as strong."

Ducharme explains that a person located in the Ducharme home on a work day, with Ducharme's cell phone and laptop present, using the VPN of the firm he works for, visiting work-related sites he often visits, would likely be himself. "Someone could have stolen my cell phone or could have parked outside my house, but when combined, these factors give us a strong assurance that it's Jim Ducharme," he says.

"How do we find an unbreakable way to prove you are who you say you are? In reality there isn't such a thing," Ducharme says. "We can argue about the reliability of any one factor and talk about the odds of breaking it, but combined they are much stronger. Typically, hackers only attack one factor," he adds.

"No one security solution is going to be sufficient, but using a cocktail of things will create speed bumps for the bad guys," agrees Scott Petry, CEO and co-founder of secure browser vendor Authentic8. "Remember the old adage: You don't need to outrun the bear, just the other campers. MFA will make you more secure than the softer targets."

"The other trend is about providing the right level of authentication," Ducharme says. "Currently we authenticate even before we care who you are. I don't need to authenticate when you're just looking at your bank account -- but when you want to send $10,000 we will want to see an ID. Weaker factors can give us the right level of assurance. You don't need to go through several levels of hell to check your 401(k)."
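The step-up flow Lynch describes under Enrollment (impose more authentication when something looks off, deny only as a last resort) and Ducharme's "right level of authentication" per action are the same policy idea: weigh the factors already present against the risk of the request, and ask for more only when the gap demands it. The following is an added, simplified policy engine illustrating that idea; the factor weights, assurance thresholds and 12-hour "impossible travel" rule are assumptions for the example, not figures from InAuth, RSA or USAA.

```python
from dataclasses import dataclass

# Illustrative assurance weights per factor (assumed, not any vendor's scoring).
FACTOR_WEIGHTS = {
    "password": 1,                # something you know; weakest, easily breached
    "device_cookie": 1,           # something you have, checked invisibly on a PC
    "browser_fingerprint": 1,     # fonts/language/browser type; drifts within ~60 days
    "enrolled_device": 2,         # phone with a persistent enrollment anchor
    "otp_to_enrolled_device": 2,  # one-time password sent to the enrolled phone
    "biometric": 3,               # fingerprint, face or voice verified on the device
}

# Assurance required per action: check a balance needs little, moving money needs more.
REQUIRED_ASSURANCE = {"view_balance": 2, "transfer_small": 4, "transfer_large": 6}


@dataclass
class Context:
    factors: set              # factors already satisfied in this session
    country: str              # where this request comes from
    last_country: str         # where the previous successful login came from
    hours_since_last: float   # time since that previous login


def risk_penalty(ctx: Context) -> int:
    """Impossible travel: a different country within 12 hours (assumed threshold) costs assurance."""
    if ctx.country != ctx.last_country and ctx.hours_since_last < 12:
        return 2
    return 0


def decide(action: str, ctx: Context):
    """Return ("allow", []) or ("step_up", [factors to request]); never a flat deny here."""
    score = sum(FACTOR_WEIGHTS[f] for f in ctx.factors) - risk_penalty(ctx)
    gap = REQUIRED_ASSURANCE[action] - score
    if gap <= 0:
        return "allow", []
    # Request the strongest factors not yet presented until the gap is closed.
    request = []
    for factor, weight in sorted(FACTOR_WEIGHTS.items(), key=lambda kv: -kv[1]):
        if factor in ctx.factors:
            continue
        request.append(factor)
        gap -= weight
        if gap <= 0:
            break
    return "step_up", request
```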

Regardless of the details, sources agree that MFA is now mainstream. "Banks are recognizing that the bar is moving up in terms of customer expectations," says Conor White, president for the Americas for authentication software vendor Daon.

"Their single biggest mode of interaction with customers is not through the Web or face-to-face at branch banks, but through mobile devices," White notes. "Passwords don't work on small devices. People want instant access and to authenticate anytime, anywhere. It's no longer a choice between security and convenience, you no longer have to compromise -- you can have both."

"We envision a world where there will be no user names, passwords, or security questions," USAA's McAlum adds. "As heartbeat, retina, gait, behavior and typing recognition become mature we will plug those in."
