The banking password might be about to expire — forever.
Some of the US’ largest banks, acknowledging that traditional passwords are either too cumbersome or no longer secure, are increasingly using fingerprints, facial scans and other types of biometrics to safeguard accounts.
Millions of customers at Bank of America, JPMorgan Chase and Wells Fargo routinely use fingerprints to log into their bank accounts through their smartphones. This feature, which some of the largest banks have introduced in the past few months, is enabling a huge share of US banking customers to verify their identities with biometrics, and millions more are expected to opt in as more smartphones incorporate fingerprint scans.
Illustration: Tania Chou
Other uses of biometrics are also coming online. Wells Fargo lets some customers scan their eyes with their smartphones to log into corporate accounts and wire millions of dollars. Citigroup can help verify 800,000 of its credit card customers by their voices. USAA, which provides insurance and banking services to members of the military and their families, identifies some of its customers through their facial contours.
Some of the moves reflect concern that so many hundreds of millions of e-mail addresses, telephone numbers, Social Security numbers and other personal identifiers have fallen into the hands of criminals, rendering those identifiers increasingly ineffective at protecting accounts. And while thieves could eventually find ways to steal biometric data, banks are convinced they offer more protection.
“We believe the password is dying,” said Tom Shaw, vice president for enterprise financial crimes management at USAA, which is based in San Antonio. “We realized we have to get away from personal identification information because of the growing number of data breaches.”
Long regarded as the stuff of science fiction, biometrics have been tested by big banks for decades, but have only recently become sufficiently accurate and cost effective to use in a big way. It has taken a great deal of trial and error: With many of the early prototypes, a facial scan could be foiled by bad lighting and voice recognition could be scuttled by background noise or laryngitis.
Before smartphones became ubiquitous, there was an even bigger obstacle: To capture a finger image or scan an eyeball, a bank would have to pay to distribute the necessary technology to tens of millions of customers. A few tried, but their efforts were costly and short-lived.
PRIVACY CONCERNS
Today, the equation has changed. Many models of the iPhone have touch pads that can scan fingerprints. The cameras and microphones on many mobile devices are so powerful that they can record the minute details needed to create a biometric ID.
The smartphones also provide an extra layer of security: Many biometric features will only work when used on the specific smartphone that belongs to the bank account holder.
“If you have your phone and you are authenticating with your fingerprint, it is very likely you,” said Samir Nanavati, a longtime biometrics expert and a founder of Twin Mill, a security software and consulting firm.
The trade-off, of course, is that in the quest for security and convenience, customers are handing over marks of their unique physical identities. After all, it is easy to change a compromised password, but a fingerprint must last forever.
Some bank executives say customers often ask whether their biometric information will become part of a private database, akin to what the FBI keeps.
The banks themselves are not keeping caches of actual fingerprints or eye patterns. Rather, the banks are creating and storing what they call templates — or what amount to long, hard-to-predict numerical sequences — based on a scan of a person’s fingerprint or eyeballs.
It is possible that the thieves could use the biometric templates to steal money, but the banks say they have worked to develop additional safeguards. With some voice authentication systems, banks use certain prompts to prove it is a living customer and not a recording. Many eye scans require customers to blink or move their eyes to prevent a thief from using a photograph to gain access.
TOP-LEVEL SECURITY
Wells Fargo has been working with EyeVerify, a startup in Kansas City, Missouri, to develop its eye scan feature, which is being tested with a small group of corporate customers. The technology creates a map of the veins in the whites of an eye.
To log into an account, a customer taps open a Wells Fargo app on a smartphone. When prompted, the customer’s eyes are lined up with a pair of yellow circles on the smartphone screen. If they match, the customer — typically a chief financial officer or other top executive — gains instant access to the account and can start moving money or conducting other transactions.
Wells Fargo executives said the eye scan could eventually offer an alternative to the authentication system used for corporate accounts, which involves physical tokens that generate numeric pass codes every few seconds. Although generally considered secure, these tokens can be a hassle to carry around.
For now, Wells Fargo is offering eye scans — among the most foolproof biometric technologies, according to security experts — only to select corporate customers, for whom the stakes are arguably higher because there is potentially so much money involved.
“It is harder to take someone’s eyeball than someone’s user ID and password,” said Steve Ellis, who leads Wells Fargo’s innovation group that worked on developing the eye scan authentication.
The bank also made an investment in EyeVerify.
Instead of eye scans, Bank of America has embraced fingerprints. Since it began offering the option in September last year, about 33 percent of the bank’s 20 million mobile banking customers have started using a fingertip to get into their accounts.
There are limits, though, on how far an average retail customer can proceed through the banking process without a password.
For example, JPMorgan Chase customers can gain access to their bank accounts with their fingerprints, but have to use a traditional password to transfer money.
Still, the speed and accuracy of the banks’ biometric capabilities are especially notable because they are emerging from an industry known for its antiquated system of tellers and branches and endless reams of paperwork.
Wells Fargo’s eye scan technology, for example, worked so quickly that the developers had to slow it down by a few seconds so customers knew it had actually registered their identities.
It takes only about 40 seconds to capture enough information about a customer’s vocal patterns to create a voice imprint that can be used as a form of identification, according to Andrew Keen, director of program management for Global Consumer Operations at Citigroup.
Once a print is established, it can reduce the time that customers spend identifying themselves to a call center representative.
Many financial firms emphasize the convenience of biometrics, but USAA is one of the few that highlights the effectiveness of these technologies at thwarting thieves.
Since the bank began offering biometric authentication early last year, more than 1.7 million customers have been accessing their accounts using either their fingerprints, voices or facial scans.
“We can’t rely on personal identification information any longer,” Shaw said. “We believe we have to rely on biometrics.”
Recently, China launched another diplomatic offensive against Taiwan, improperly linking its “one China principle” with UN General Assembly Resolution 2758 to constrain Taiwan’s diplomatic space. After Taiwan’s presidential election on Jan. 13, China persuaded Nauru to sever diplomatic ties with Taiwan. Nauru cited Resolution 2758 in its declaration of the diplomatic break. Subsequently, during the WHO Executive Board meeting that month, Beijing rallied countries including Venezuela, Zimbabwe, Belarus, Egypt, Nicaragua, Sri Lanka, Laos, Russia, Syria and Pakistan to reiterate the “one China principle” in their statements, and assert that “Resolution 2758 has settled the status of Taiwan” to hinder Taiwan’s
Can US dialogue and cooperation with the communist dictatorship in Beijing help avert a Taiwan Strait crisis? Or is US President Joe Biden playing into Chinese President Xi Jinping’s (習近平) hands? With America preoccupied with the wars in Europe and the Middle East, Biden is seeking better relations with Xi’s regime. The goal is to responsibly manage US-China competition and prevent unintended conflict, thereby hoping to create greater space for the two countries to work together in areas where their interests align. The existing wars have already stretched US military resources thin, and the last thing Biden wants is yet another war.
As Maldivian President Mohamed Muizzu’s party won by a landslide in Sunday’s parliamentary election, it is a good time to take another look at recent developments in the Maldivian foreign policy. While Muizzu has been promoting his “Maldives First” policy, the agenda seems to have lost sight of a number of factors. Contemporary Maldivian policy serves as a stark illustration of how a blend of missteps in public posturing, populist agendas and inattentive leadership can lead to diplomatic setbacks and damage a country’s long-term foreign policy priorities. Over the past few months, Maldivian foreign policy has entangled itself in playing
A group of Chinese Nationalist Party (KMT) lawmakers led by the party’s legislative caucus whip Fu Kun-chi (?) are to visit Beijing for four days this week, but some have questioned the timing and purpose of the visit, which demonstrates the KMT caucus’ increasing arrogance. Fu on Wednesday last week confirmed that following an invitation by Beijing, he would lead a group of lawmakers to China from Thursday to Sunday to discuss tourism and agricultural exports, but he refused to say whether they would meet with Chinese officials. That the visit is taking place during the legislative session and in the aftermath