Passwords are becoming passé on Wall Street, as more and more firms turn to new biometrics-based account identification tools to keep client data safe, secure and breach-proof against cyber-thieves.
Some pretty big financial industry names are already on board.
"It's time to move away from passwords so that that the body becomes your password," said Tim Sloan, CEO at Wells Fargo, at the FinTech Ideas Festival in San Francisco in January. Wells Fargo is in the midst of a technology transformation that relies on biometrics authentication to enable customers to sign onto accounts.
Wells Fargo isn't alone. USAA has seen its customer usage of biometrics double from two years ago, with two million out of five million users signing onto accounts via facial recognition, fingerprints or voice recognition technologies. The use of biometrics is so pervasive at USAA that new clients are automatically lock new clients into biometrics-based account log in when they open an account.
At Edward Jones, clients can now sign onto their accounts via thumbprint on their smartphones. For the investment giant's 15,000 financial advisors, a touch-based account identification system is on tap next.
"Biometrics isn't science anymore," says Tony Chew, cybersecurity director at Citibank, who echoes the sentiments of many financial industry executives. "This is a business decision."
But more than just business, biometrics is on the fast track due to standard corporate operational objectives.
"It's all about security plus convenience," says Jessica Gagner, a communications and events strategy director at BioConnect, a technology company that specializes in biometric software. "What a lot of financial institutions are finding is that biometrics provides both a better user experience for their client base reducing the cost of operational friction and because passwords and PINs aren't unique to an individual, there are big gaps in security."
Simple cyber-defense plays a big role, too, as biometrics takes flight. Gagner says that, for investment firms, the traditional password (or multi-factor authentication, i.e. something you know, something you have and something you are) has been the standard account identification for decades, but it is not up to the task of locking out increasingly sophisticated cyber fraudsters.
Case in point: 63% of data breaches are the result of using weak, default or stolen passwords, according to the 2016 Verizon Data Breach Investigations Report. In addition, seven in ten people no longer trust passwords to protect their online accounts, and 28% of households say they are ready to move to a more "innovative" financial institution.
In biometrics, both companies and clients like what they see.
"Biometrics offers options, as it comes in many forms - the physiological, being fingerprint, face, voice, eyes, as well as behavioral biometrics, which leverages the way you walk, talk, type, and write your signature," says Gagner.
For financial firms looking to shed passwords and go the biometric route, Gagner advises focusing on a multi-pronged strategy. "Don't just focus on one type of biometric," she says. "Context matters, and whether your customer is calling into a call center, logging into their online banking or transferring money, firms need to remember that it's the same person. Consequently, there needs to be choice and flexibility in how people authenticate using biometrics."
Leveraging a multi-modal approach also ensures that investment firms have greater flexibility in deployment options for the future. "Want to implement and provide fingerprint tech for your customers today? What about in three years? The answer is to make it scalable by not tying yourself to one particular technology," she says.
Even so, the most common forms of biometrics still rely, in some form, on password authentication technologies, says Mike Wilson, chief executive officer at PasswordPing, a technology security firm based in Boulder, Colo. That suggests a gradual phase out from passwords, as security risks must be evaluated in any technology tool transition to biometrics.
"Fingerprint authentication is commonplace, with facial recognition available in some cases as well," says Wilson. "However, in all cases the user must still authenticate first with their password prior to activating the biometric authentication option the first time and the password can be used in lieu of the biometric, so ultimately this approach is only as strong as the user's password."
While biometrics is increasing in popularity, Wilson believes there is a "misconception" that biometrics is a replacement for passwords.
"For high value assets such as financial accounts and funds transfers the recommended strategy is still a multi-layered approach," he says. "Any single authentication layer is much less secure than multiple layers, especially when combining the "something you have" with the "something you know" approach to multi-factor authentication. Passwords can be compromised. Biometric data can be spoofed. Smartphones can be stolen."
"It makes sense to raise the bar for high value targets by requiring an attacker to compromise multiple vectors," Wilson adds.
Wilson says that, in many ways, biometric authentication is simply exchanging passwords for another form of identifying data that can be easily compromised. "Biometric authentication systems have been shown to be exploitable via a number of techniques," he says. "One problem is the data is inherently public. One can easily find photos of someone's face, apps exist to record and spoof someone's voice, and fingerprints are left on everything we touch. Another issue is, unlike a password or PIN, once the data representing someone's fingerprint, face, or eye retina, are exposed, there is no way to change it."
"In absence of an additional layer, an attacker able to circumvent the biometric sensor and feed the data directly to the authentication system could then authenticate as that user at will," he says.
Even with some work to do better securing biometric data, the die seems cast, and for Wall Street, at least, passwords are on the way out and biometrics are on the way in as we near the midway point of 2017.
The big investment firms are already on the case - as usual, expect the smaller ones to follow - eyeball to eyeball.