Wells Fargo & Co. will roll out biometric logins for its corporate customers in the first half of 2016, Bank Innovation has learned.
The San Francisco-based bank will employ eyeprints, as well as face and voice recognition.
Wells is doing this because new forms of authentication are desperately needed to secure mobile banking beyond the smartphone — namely, in the Internet of Things. It’s simply not feasible for customers to type in a ten-digit password every time they order a gallon of milk with their smart fridges.
And password fatigue is already upon us, particularly among corporates, who use more passwords and often have to change them frequently.
Innovators like Moven are doing their part to kill the password — Moven determined 80% of user actions were low-risk enough to require no login at all — but it’s the big banks everyone is waiting on to lead the charge.
Wells Fargo has been working on this for quite some time and is ready to bring it to market this year, the bank told us. The eyeprint technology is provided by EyeVerify, which was one of the companies in the inaugural class of Well Fargo’s startup accelerator, launched in 2014. EyeVerify maps the veins in users’ eyes to produce its eyeprints. The two companies began working together even before the accelerator launched, according to Wells Fargo.
The EyeVerify solution — as well as an alternative known as “face and voice” — will go live for Wells Fargo corporate customers in the first half of 2016, according to Secil Watson, head of wholesale internet solutions. Face-and-voice technology, which pairs facial recognition with voice recognition and which Wells is pursuing in a separate effort, is provided by two different companies: Cognitec, based in Dresden, Germany, does the facial recognition, while New York-based SpeechPro authenticates the voice.
Watson discussed using face and voice as long ago as last summer. Speaking to Bank Innovation this week, Watson emphasized the importance of choice. In other words, biometrics will not replace passwords and the like, she said. Rather, it will be offered in addition to them, at least initially. Phasing out passwords and other less secure authentication methods is the eventual goal.
Piloting the eyeprint solution began in July 2015, Watson said, when EyeVerify’s technology emerged from the accelerator with a significant improvement: instead of requiring users to move their eyeballs up and to the right, which felt awkward and unnatural to many, users could simply look straight into the camera.
Corporate users are used to a more elaborate security regime than consumers, so the change can’t come fast enough. Hard tokens kept on keychains or necklaces are often employed by treasurers as an additional security factor, and passwords often need to be changed every three months.
On the consumer side, the vision is much the same. Biometrics will be introduced alongside traditional methods, with the eventual goal of phasing out passwords. But even sooner than that, Watson said, the bank would like to retire the challenge questions still used for authentication purposes. (“What was the name of your first-grade teacher?”)
“We will be retiring challenge questions,” Watson said. “It may be a long time, but challenge questions and passwords will be retired.”
The reason is not so much that they are annoying as that they are less safe than biometric methods. It should be noted that Wells Fargo weighs EyeVerify and “face and voice” equally in terms of risk — which is to say, much less risky than passwords and challenge questions.
Passwords can’t be retired fast enough, but in other areas, Wells Fargo had to slow things down. An unexpected issue that arose in the bank’s tests with EyeVerify was the speed of the solution. Users were being authenticated so quickly that users would be unsure the authentication event had taken place properly.
“It was almost too fast,” Watson said. “We had to slow down EyeVerify.”
This is reminiscent of Marqeta’s Jason Gardner commenting that mobile payments also require an “event,” a notification that payment has taken place and the customer can take his stuff and exit the store without being challenged. It’s not just technology, it’s the experience.
“The iPhone 6S is the same way,” Watson said. “Your touch can open the device too quickly with TouchID. Sometimes it feels like you’re authenticated before your finger even touches the phone.”
Take note, Apple. As mobile devices grow ever more powerful, they may need to scale back more features in order to suit human expectations and ensure comfort with the device.
Find out more about the future of banking technology at Bank Automation Summit.