Good-bye username plus password, hello smartphone plus thumbprint
Fingerprints, rather than passwords, are what more than a million financial services customers at USAA use to get online. Part of a trend toward multi-factor authentication (MFA), there is no stored list of passwords for hackers to steal.
In 2014, San Antonio-based USAA became the first financial institution to roll out facial and voice recognition on a mobile app, says Gary McAlum, USAA’s chief security officer. Thumbprint recognition followed a few months later. A year after that, USAA had 1.1 million enrolled MFA users, out of a target population of 5 million mobile banking app users.
“The security model of the Internet is a legacy model, a dying model, based on information that is known — your password or your high school mascot, for instance — all of which is readily discovered from data breaches or from Facebook,” notes McAlum. “Getting away from ‘information that is known’ is imperative to us.”
As the alternative, “Pretty much every bank in the world is using a form of MFA, if they are compliant with regulations,” says Avivah Litan, Gartner security analyst. For decades MFA often amounted to a “secure token,” a small device that displayed a one-time password that changed every few minutes. The bank’s security server had the same algorithm and would recognise the latest, correct password.
“But MFA has always been too complex and expensive for broad usage,” says Jon Oltsik, security analyst at the Enterprise Strategy Group. “What’s changing now is the use of consumer technologies, primarily smartphones, and increasingly the use of biometric factors like thumbprint readers on smartphones.”
“MFA is something you know, something you have and something you are — and you can’t rely on just one,” says Michael Lynch, chief strategy officer at authentication software firm InAuth. “Something you know is a credential like a password. Something you have could be a secure token, but with mobile you’re using the phone as a secure token. Or it could be the PC. Something you are is biometrics, such as fingerprint, iris, voice or pulse recognition.”
Other biometric factors, in use or proposed, include heartbeat, typing speed, vein patterns in the whites of the eye or in the skin, walking gait, location and long-term behavior patterns. Iris recognition requires a camera with infrared functionality.
Some are still using two-factor security. The traditional name-password combination typically counts as one factor, and the device is the second, Lynch says, while the trend (as with USAA) is to use a mobile device as one factor and a biometric property detected by the device as a second factor, with no password.
For a desktop, Lynch explains that “browser fingerprinting” can be used as a second factor, by gathering information about the machine’s fonts, language, application and browser type.
“The machine’s fingerprint changes over time, as applications are updated or patched, so the fingerprint typically lasts 60 days or less,” which is why a bank’s log-in requirements may suddenly change for a desktop user, Lynch says. The combination of a cookie and the browser fingerprint is more reliable, he adds. (Cookies can last for as long as the browser is installed but a given machine may not allow them.)
“But you don’t have to see the second factor — the bank is checking your PC through a cookie, almost always,” Litan notes. If the bank doesn’t recognize a machine, it will often send a one-time password to that user’s cell phone number or email address, she adds.
As for biometric factors for mobile devices, “Fingerprint ID is big because it’s often built into the platform, it’s convenient and users are used to it, but it’s no better or worse than other ID methods,” says Jim Ducharme, vice president at security systems vendor RSA. “We are seeing things like voice and facial being less popular since there are so many ways they don’t work — voice not on a subway, facial not at a nightclub.”
At USAA, about 90% of the users rely on thumbprint recognition, and the log-on success rate for both thumbprint and facial scans is higher than 90%, McAlum says. While voice recognition is subject to more environmental factors, some users still prefer it, he adds. (PIN access is also available so the user will not be locked out if other methods fail, he notes.)
But the choice of what factor to use does not always hinge on technology. “In some places it is not acceptable to use the face as an identifier, since clothing impedes it or they see the eye as the path to the soul,” says Marc Boroditsky, vice president of authentication software vendor Authy. “They may not like fingerprint sensors for various reasons. They think it implies criminality in Brazil. In parts of Asia they think it’s unclean to be touching” the fingerprint sensor.
“Your identity is a personal thing, and when you start using pieces of a person for identification you are encroaching on something with complex cultural implications,” Boroditsky adds. “There is also an element of being spied on with almost every [biometric] factor. There is a creepy element in detecting the users and not involving them in the process. We need to be up-front about it and let the customers opt out. For instance, they could switch off location detection and add another step in the authentication process.
For MFA to work with a mobile device, that device also has to be enrolled so that the online service trusts it. The device will be doing the biometric scan that authenticates the user, so the device must be reliably identifiable to the online service.
McAlum would not give any details about the enrollment process that USAA uses, other than it can be done online, and that the system also establishes some links to the user’s smartphone.
Lynch was a little more open about the enrollment process InAuth uses for smartphones. “First we protect against malware and see if the device has been jail-broke or rooted. Is it moving? That’s good. If it’s always at a 45-degree angle and always plugged in, that’s an indication of a fraud shop. You put factors together for predictive analysis. You can do that with a browser but you can get so much more from a phone.
“We use a permanent identifier to recognise your phone even if you install a new app or a new operating system,” adds Lynch. “It gives us a permanent anchor of that person to that phone. Trusting a device helps you eliminate friction for a customer.”
There are only a handful of major implementations, so we can’t honestly say there is no fraud, but they’d have to hack your fingerprint as well as your device,” says Ramesh Kesanupalli, founder of Nok Nok Labs and vice president of the Fast ID Online (FIDO) Alliance, which promotes industry standards for MFA. Under FIDO’s standards, no personal information such as a description of the fingerprint leaves the device, and authentication is done locally, he adds.
Overall, “There is nothing that can’t be broken, and in our pursuit of the strongest possible authentication we have made the user experience horrible — passwords have to have 12 characters, with upper and lower case and special characters,” says RSA’s Ducharme. “We see things moving towards what we call identity assurance, with multiple factors that individually may not be as strong.”
Scott Petry, CEO and co-found of secure browser vendor Authentic8, agrees: “No one security solution is going to be sufficient, but using a cocktail of things will create speed bumps for the bad guys. Remember the old adage: You don’t need to outrun the bear, just the other campers. MFA will make you more secure than the softer targets.”