60 Years on, Banks Say it’s Time to Leave Passwords and Embrace Biometrics

Companies have had to ensure the validity of customers interacting with them — while also providing a frictionless experience — since the very dawn of commerce.

Entersekt CPO Pradheep Sampath and Susan Koski, CISO at PNC, told PYMNTS that goal’s been made even harder with the rise of card-not-present transactions. Simply relying on one-time passwords and texts is no real defense against fraudsters.

The urgency is real.

In just one example, SIM swap-related attacks account for a staggering $68 billion worth of fraud, noted the panelists. One way fraudsters gain access to sensitive information is through SMS one-time passwords, which are themselves directly subject to fraud.

As Koski said, “If you look at the history of how we’ve authenticated people, passwords began in the ’60s. We’re now, you know, 60 years into that journey. And we all know these are phishable credentials. We know that the criminals know how to target customers to ask for user IDs and passwords.”

Far-Flung Geographies and Use Cases

But even with fragmentation in authentication methods across different geographies and use cases, it is important to establish uniqueness and to leverage technology in the service of ascertaining identity.

The need for authentication transcends commerce. Sampath explained that amid the great digital shift, “As a customer, I interact with my bank, I interact with my government, I interact with healthcare, telemedicine, eCommerce. So it transcends the various use cases.”

Sampath maintained that there are two challenges in the mix: Organizations have to confirm the uniqueness of their customers — that they are who they say they are. And they also have to establish sameness — that the customers presenting themselves over and over, throughout long-running interactions with the bank, are the same people each time. Establishing uniqueness can entail taking a selfie or using a federated identity model, and can involve anything from knowledge-based authentication to more modern biometrics-based passwordless authentication.

“The goal is to remove those phishable credentials,” Koski said.

Koski and Sampath contended that biometric authentication is quickly gaining popularity as a more secure alternative to traditional password-based authentication. Not only does it provide a faster and more convenient way for customers to access their accounts, but it also significantly reduces the risk of fraud. Koski emphasized the importance of educating customers on the need for multifactor authentication and the limitations of SMS or email one-time passwords — moving them, gradually, to biometrics in phases.

As she said, “We’re getting there, and the more we can help customers understand putting power in their hands to make decisions, but to use what’s on their native devices as part of their biometrics is really important.”

According to Sampath, “The best way to transition a customer would be to also focus on the user experience, where the call to action could be, ‘Hey, you’re used to receiving an SMS or an email one-time password, and it takes a certain amount of time and effort to put that into your flow to access the use case on the other side of the authentication journey. What if you could use the capabilities that are already ingrained in your device with your personal characteristics, aka biometrics, and make authentication 10 times faster … and needless to say, a lot more secure?’”

Context Is Critical

Looking ahead, Sampath said that it’s incumbent on providers to make sure they understand the circumstances in which customers are presenting themselves — and whether the devices they wield are capable of biometric-based authentication in the first place.

And, as Koski added, there’s the opportunity for financial institutions and other entities to reach out to customers even in less-fortunate moments (when they’ve been targeted by fraudsters, for example), to inform them of the additional layers of defense (and biometrics) that are on offer.

“You can use that as really an opportunity to help the customer get where they need to be — and beyond — during that call and that conversation, when there could be an account-takeover scenario … you can get more folks into the appropriate authentication methods,” Koski said.

The continuing proliferation of data streams, Sampath said, can offer up context, where federated identity can triangulate interactions and establish a pattern of life between the organization and the customer — across the customer’s desired and preferred authentication mechanism.

“This is the customer, this is their history with us, this is why they’re here doing what they’re doing, and this is the device through which they’re interacting with us. Therefore, let’s make an informed decision that’s risk-based that allows us to present either new, no friction or an expected amount of friction, to help the customer do the job that’s to be done,” he said.
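The risk-based decision Sampath describes (known customer, known device, history, device capability, then a chosen level of friction) can be sketched as a small policy. The following is an added illustration written for this page, not code from PNC, Entersekt or PYMNTS; the signal weights, the step-up threshold and the method names are assumptions chosen for the example. It ties the two challenges from earlier in the article together: "uniqueness" is established once by identity verification and recorded by binding the device, and "sameness" is then checked on every interaction by whether the presenting device is one already bound. SMS and email one-time passwords are deliberately never selected.

```python
from dataclasses import dataclass, field
from typing import Set, Tuple

# Constructed example: a risk-based selector of authentication method.
# Weights, threshold and method names are assumptions, not any bank's real policy.


@dataclass
class CustomerProfile:
    customer_id: str
    biometric_enrolled: bool                      # a biometric credential was bound at enrollment
    enrolled_devices: Set[str] = field(default_factory=set)  # devices bound to this identity


@dataclass
class AuthContext:
    device_id: str
    device_supports_biometrics: bool
    new_geolocation: bool
    recent_ato_report: bool                       # customer recently reported / was flagged for account takeover
    high_value_action: bool                       # e.g. adding a payee or a large transfer


STEP_UP_THRESHOLD = 40   # assumption: at or above this, a known device still gets extra friction


def risk_score(profile: CustomerProfile, ctx: AuthContext) -> int:
    """Signals that break the customer's established pattern raise the score (illustrative weights)."""
    score = 0
    if ctx.device_id not in profile.enrolled_devices:
        score += 40
    if ctx.new_geolocation:
        score += 20
    if ctx.recent_ato_report:
        score += 40
    if ctx.high_value_action:
        score += 25
    return score


def choose_authentication(profile: CustomerProfile, ctx: AuthContext) -> Tuple[str, str]:
    """Return (method, friction) for this interaction. SMS/email OTP is never a choice."""
    score = risk_score(profile, ctx)
    known_device = ctx.device_id in profile.enrolled_devices

    # Unknown device: "sameness" cannot be established, so re-establish "uniqueness" first.
    if not known_device:
        return ("identity_verification", "high")

    # Known device with platform biometrics: the frictionless, non-phishable path.
    if profile.biometric_enrolled and ctx.device_supports_biometrics:
        if score >= STEP_UP_THRESHOLD:
            return ("biometric_plus_in_app_confirmation", "expected")
        return ("biometric", "none")

    # Known device without usable biometrics: an app-bound authenticator, not SMS.
    if score >= STEP_UP_THRESHOLD:
        return ("app_push_plus_agent_review", "expected")
    return ("app_push", "low")


def bind_device(profile: CustomerProfile, device_id: str, identity_verified: bool) -> bool:
    """After uniqueness is established, bind the device so later visits can prove sameness."""
    if not identity_verified:
        return False
    profile.enrolled_devices.add(device_id)
    return True


if __name__ == "__main__":
    # Constructed sample customer with one bound device.
    customer = CustomerProfile("cust-001", biometric_enrolled=True, enrolled_devices={"dev-A"})
    routine = AuthContext("dev-A", True, False, False, False)
    print(choose_authentication(customer, routine))                 # frictionless biometric login
    new_phone = AuthContext("dev-B", True, False, False, False)
    print(choose_authentication(customer, new_phone))               # must re-verify identity
    if bind_device(customer, "dev-B", identity_verified=True):
        print(choose_authentication(customer, new_phone))           # now a known device
```

The point of the shape is that the decision is made from context the institution already holds, and that the only way onto the low-friction path is through a device that was bound after identity verification; a customer who was just targeted by fraudsters (the `recent_ato_report` signal) lands on the step-up branch, which is the moment Koski describes for moving them onto stronger methods.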