With little fanfare, JPMorgan Chase on Monday (Sept. 12) reversed its security position on its mobile app, removing the need to type in a password once a customer has already been authenticated by either Apple's Touch ID or an Android biometric scan. Before Monday, Chase customers could log in using a biometric scan and see things such as balances but needed to authenticate themselves again with a password for transferring funds or making a payment. Now the biometric scan is sufficient for all bank functions.
This is the latest round in the battle between security reality and security perception. From a pure security standpoint, any decently implemented biometric authentication (a fingerprint, in this case) is far more secure than most passwords: with Touch ID, the fingerprint data stays in the phone's secure hardware and a successful match merely unlocks a credential held on that device, so there is no secret for the user to choose badly, reuse or have phished. But because a biometric scan is so fast and easy, some retailers and bankers feared that consumers would not perceive a transaction as secure unless the app also forced them to type a password.
Chase spokesperson Rebecca Acevedo said the change was caused by data coming from various handset makers.
"About a year ago, Chase implemented Touch ID on iOS. We were the first major U.S. bank to do so. When we launched in 2015, we included a second step to the process that asked consumers for a password to transfer money or pay bills," Acevedo said. "Over the past year, the mobile phone manufacturers have continued to provide additional analytics into the level of security for Touch ID. We also heard from our customers that a one-step process would make banking easier, so we updated the mobile app to just biometrics."
For the record, Chase said that it added biometric support for its Android app in March 2016.
As for what those additional manufacturer-provided analytics told Chase, Acevedo said, "Unfortunately, we can’t share that information, but that information has made [Chase officials] more comfortable." As for Chase having "heard from our customers that a one-step process would make banking easier" — really? Chase needed customers to tell it that reducing authentication from two steps to one would be easier? Isn't that inherently obvious?
Chase confirmed that it will now allow all functions without passwords, relying solely on biometrics. Obviously, that is limited to anything actually on Chase's site. "There are some sites that we link out to from the mobile app that require you to sign in," Acevedo said.
This is an important development, and it differs from a similar biometrics headache that hit retailers back in May. That retail problem stemmed from payment-processor systems that could not see whether a biometric authentication had already taken place, so they demanded a signature even after a fingerprint verification had already happened. That retail issue was doubly infuriating because, unlike PINs and passwords, signatures deliver absolutely nothing today in terms of secure authentication.
But Chase's systems always knew when a biometric authentication was used, making the password demand truly annoying and pointless. I would love to see what data the handset makers provided that told Chase anything it didn't already know. From a security perspective, all the phone makers could have shared would be how popular the biometric authentications are and how few successful authentication frauds have happened.
The most likely data is simply a change in how consumers perceive biometrics. As long as customers see biometric authentication as more secure, there is little to no perception risk in abandoning passwords/PINs on top of it.
One problem here is that multifactor authentication assumes that the various factors are independent of one another and each secure on its own. Adding a signature on top of a PIN, for example, is not a viable MFA approach because the signature adds no meaningful verification. Given how easily PINs and passwords can be shoulder-surfed or stolen in other ways, such as sniffing or keystroke capture, biometrics make sense. If you want to marry that to, say, a one-time access code messaged to a phone and good only for a set number of minutes from the point of transmission, fine, with one caveat: a code delivered to the same phone that just performed the fingerprint scan is not truly independent of it, since anyone who has gotten past the scan on that phone also has the code.
But I think the death of the password is long overdue.
In geeky news, Chase also said that it was incorporating 3D Touch functionality into the app. That's the feature on 3D Touch-equipped iPhones that lets an app behave differently depending on how hard a user presses the screen. Chase said that users of its iOS app can now use 3D Touch "to quickly access ATM and Chase locations near you by pressing on the app icon."
That's a nice trick, but ditching the superfluous password was much more comforting.