No Password? No Problem: Banks Bank on Biometric Authentication

When her bank started offering customers the option of using fingerprints instead of passcodes for mobile banking, Stephanie Pazos signed up right away. For the Boston resident, it was a matter of convenience.

"I can never remember my passcode and I never leave my thumbs at home, so it works out," she said.

The use of fingerprint scans to access a system—like a banking system—is a form of biometric authentication. Other forms include eye scans, voice authentication and facial recognition. To the delight of Pazos and other banking customers, banks are increasingly offering biometric authentication as a substitute for—or complement to—passwords.

Financial institutions have been experimenting with the use of biometrics since at least the 1960s, said biometrics expert Jim Wayman, of San Jose State University. But they faced a number of concerns along the way.

Among them: What happens if certain biometrics don't work for your entire customer base? The fingerprints of older people, for instance, often don't scan very well. Another concern was storing biometric data. What if, for example, a bank's database of fingerprints is hacked?

The introduction of smartphones and tablets with biometric authentication features in recent years, Wayman said, has been a game-changer. The devices can store information generated by biometric markers—a code based on your thumbprint, for instance—and then send secure codes to banks to confirm a user's identity.

"As long as everything that needs to happen, happens on the phone, then the bank only needs to communicate with the phone using the secure transaction code," Wayman said.
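
An added sketch of the exchange Wayman describes, not code from the article or from any bank: the fingerprint match happens only on the phone, and the bank verifies a one-time code tied to a device key, so it holds no biometric data. The class names, the challenge nonce and the use of HMAC with a per-device key are assumptions made for illustration.

```python
import hashlib, hmac, secrets

class Phone:
    """Constructed model: template and device key never leave the phone."""
    def __init__(self, enrolled_scan: bytes):
        # Real matchers compare fuzzy templates; exact bytes keep the sketch short.
        self._template = hashlib.sha256(enrolled_scan).digest()
        self._device_key = secrets.token_bytes(32)

    def enrollment_key(self) -> bytes:
        return self._device_key  # shared once with the bank at enrollment

    def transaction_code(self, scan: bytes, nonce: bytes):
        """Match locally; only on success bind the bank's nonce to the key."""
        if not hmac.compare_digest(hashlib.sha256(scan).digest(), self._template):
            return None
        return hmac.new(self._device_key, nonce, hashlib.sha256).digest()

class Bank:
    """Holds per-device keys and outstanding nonces, no biometric data."""
    def __init__(self):
        self.keys, self._pending = {}, {}

    def challenge(self, user: str) -> bytes:
        self._pending[user] = secrets.token_bytes(16)
        return self._pending[user]

    def verify(self, user: str, code) -> bool:
        nonce = self._pending.pop(user, None)  # each nonce is single use
        key = self.keys.get(user)
        if nonce is None or key is None or code is None:
            return False
        expected = hmac.new(key, nonce, hashlib.sha256).digest()
        return hmac.compare_digest(expected, code)

def demo() -> dict:
    phone, bank = Phone(b"constructed-thumb-scan"), Bank()
    bank.keys["user1"] = phone.enrollment_key()
    nonce = bank.challenge("user1")
    code = phone.transaction_code(b"constructed-thumb-scan", nonce)
    results = {"login": bank.verify("user1", code),
               "replay": bank.verify("user1", code)}  # nonce already consumed
    wrong = phone.transaction_code(b"someone-else", bank.challenge("user1"))
    results["wrong_finger"] = bank.verify("user1", wrong)
    del bank.keys["user1"]  # revoke the device: a key can be replaced, a thumb cannot
    fresh = phone.transaction_code(b"constructed-thumb-scan", bank.challenge("user1"))
    results["after_revoke"] = bank.verify("user1", fresh)
    return results

if __name__ == "__main__":
    print(demo())
```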

And if a certain form of biometric authentication doesn't work for a user, he added, that user can still use more traditional password verification. Since banks don't have to invest very much in smartphone-based biometric authentication methods, it's not a big problem if certain customers don't adopt new authentication technology. "It doesn't cost the banks anything other than minor software modification," Wayman said.

Proponents of biometric authentication claim it's more secure than passcode-based systems. Personal identification numbers and passwords, after all, can be guessed or stolen. But biometric authentication methods aren't necessarily foolproof either. In the past, for instance, fingerprint scanners have been duped by fake fingerprints made with wood glue or latex.

There's also the frightening possibility that someone could press your finger to a fingerprint reader while you're asleep or unconscious. And if you cut your finger, the cut or scar could make your print unrecognizable, denying you access to your account. (If your bank allows you to use more than one finger to confirm your identity, that can help avoid such a problem.)

Lastly, some might worry about the implications for civil liberties. Law enforcement authorities may be able to compel you to use your fingerprint to unlock your phone but, depending on the jurisdiction, they may not be able to force you to enter a password.

If your main concern is security, however, password and internet security expert Whitney Hewatt at the Financial Industry Regulatory Authority suggests an alternative: use both biometrics and passwords.

Hewatt advises that online users always seek to use multiple authentication factors whenever possible, since all online authentication methods have their weaknesses. This is known as multi-factor authentication. In addition to biometrics and passwords, it could include receiving a text message or e-mail with a unique code every time a user logs in.

"Biometrics, by itself, isn't the best idea, but as a second authentication factor, it's great," he said. "Security—not convenience—should always be the number one goal."