December 25, 2015
Security is the topmost concern of the financial services industry today. Passwords have been the most common and the oldest way to keep accounts and personal data secure. But for how long? It's difficult to keep track of all the passwords. With the growing number of apps and websites being used today, the list of passwords keeps growing as well. Also, there is the question of whether passwords are safe anymore. Several surveys have revealed that people use the same passwords across their Internet accounts. Over half of Internet users get at least one phishing email per day. According to Consumer Reports, the cost of phishing is almost $500 million per year in the United States alone. On top of that, there are computer software programs like Hashcat, which can crack passwords up to 55 characters. Given the increasing levels of vulnerability of passwords, we at Let’s Talk Payments wonder if 2016 should be a password-free year.
What motivates us to think of 2016 as a password-free year is Google’s recent pilot of password-free logins, which lets users sign in to Gmail without a password. How does that work? Basically, you enter your email address in Gmail and receive a notification on your phone. When you tap Yes, you are automatically logged in on your computer. Google’s new feature is conceptually similar to Yahoo’s recently launched Account Key feature, which works in a similar fashion and opens up the Yahoo Mail app for the user to approve the login.
As discussed in our recent podcast, we think passwords must go away in 2016. More than a decade ago, Bill Gates predicted that there would be a decrease in the usage of traditional passwords for data security and thought that traditional passwords just don’t meet (and exceed) the challenge of security. Ten years after Bill Gates’ prediction, Microsoft came up with Windows Hello in the new Windows 10, where users can log in to their PCs using face recognition.
In the FinTech industry, Apple has done a brilliant job of taking people away from passwords by introducing TouchID. Apple claims you would have to try 50,000 fingers to find a random match, which it argues is much more secure than the one-in-10,000 chance of guessing a four-digit passcode. Apple’s TouchID has been a huge success as banks and financial institutions are incorporating the feature in their banking mobile apps. Like Apple Pay, Samsung Pay also has biometric authentication techniques where a user will be able to authorize payments by holding their finger on the home button.
Very rapidly, biometric authentication is replacing the term "password," especially in FinTech. This is true not just for the US but globally as well. Banks in countries like Poland are way ahead in biometric authentication adoption. Polish banks offer two kinds of biometrics: fingerprints and voice recognition. Voice authentication is offered by Meritum Bank and Smart Bank. Fingerprint recognition is available in mBank, Millennium Bank, Meritum Bank and ING Bank Śląski applications. Other banks are preparing to implement these innovations as well. And it is not just fingerprints and voice recognition that may potentially replace passwords. There are other modalities like voice recognition, heartbeat recognition and iris recognition in the picture.
While there are a few companies like Excalibur and Passwordpack which let people put all their passwords in one place with one login, that doesn’t really take passwords away. The other technology taking people away from passwords is the security token or cryptographic token. However, it requires users to carry one or more additional devices with them. There are some great startups that are actually trying to take people away from passwords:
One You/1U: Hoyos Labs, a company known for its digital infrastructure security solutions, has launched an app called 1U which could replace the need for usernames, passwords and PINs. 1U leverages a user’s smartphone capabilities to acquire the user’s biometrics. This acquired information can then be used to replace login information for thousands of websites (including non-standard websites) that require additional information like a site key in addition to a username and password.
PulseWallet: PulseWallet’s solution already enables users to pay for products with just their finger but according to the company, the problem with this setup is that the fingerprints can potentially be lifted. PulseWallet partnered with Fujitsu Frontech to make use of their PalmSecure biometric technology. The integrated PalmSecure vein imaging technology allows merchants to provide a secure payment option, whilst giving users an all-in-one payment system for them to access their e-wallets.
PayTango: Y Combinator-backed startup PayTango seeks to enable customers to pay via fingerprint scans. PayTango’s system links a form of payment such as a debit/credit card to a user’s fingerprint. The user will then have to place the index and middle finger on the biometric fingerprint scanner to make the payment, and the software immediately recognizes the user.
Recently, MasterCard also announced a pilot where customers will have to take selfies via their smartphones through MasterCard’s app to make their purchases. In September 2015, Visa announced their EMV chip-based biometric specification. South Africa’s Absa Bank, a subsidiary of Barclays Africa Group, is the first to pilot a new specification that combines biometrics with Visa’s EMV chip card transactions. It is hard to predict exactly where biometrics is going, but FinTech is definitely exploring all the possibilities for biometric authentication. The next two to three years will be big for biometric authentication as financial institutions adopt it at a massive scale. The mobile ecosystem is also putting its force behind biometrics. Samsung is, in fact, planning to deploy fingerprint sensors in its budget smartphones as well.
So, the question of whether biometric authentication will replace passwords in 2016 cannot be answered with certainty. Mobile banking apps may have fingerprint authentication, but banks are still experimenting with facial or iris recognition for online banking login via computers. Card networks like Visa and MasterCard are still piloting different biometric modalities. The transition from passwords to biometric authentication has begun, and we will see the results in the next two to three years.