Banking Exchange Magazine Logo

Blink and you’re in, at USAA Savings

Facial, other biometrics speed authentication and enhance security

Blink and you’re in, at USAA Savings

As banking grows increasingly mobile, customers also increasingly demand that mobile apps be both incredibly convenient and incredibly secure. How does a bank do both at the same time?

With regulatory mandates for multifactor authentication, banks have resorted to requiring PINs, passwords, questions about mother’s maiden name, and so forth. On top of this, as customers are transferred from department to department, they often have to re-input the same information. Customers, accustomed to much more elegant treatment on other retail or social media sites, grow impatient with what they perceive as outdated technology.

One solution that’s starting to gain traction is the use of biometric authentication in several different formats—fingerprints, facial recognition, and voice recognition. USAA Savings Bank has embraced all three of these biometric options in a big way. The $1.7 billion-assets institution has 11 million members scattered all over the world. Most reach the bank via digital and mobile means.

Of the total number, says the bank, 6 million have downloaded the mobile app, and 4 million use it on a monthly basis. Of the app users who have enrolled in biometric authentication—about 1.3 million so far—95% use the fingerprint biometric, while voice and facial recognition users are in that last 5%.

Meanwhile, the bank aggressively employs multiple layers of security and authentication to assure robust fraud protection for protection of members and the bank.

“You look at fraud loss avoidance,” says Tom Shaw, vice-president, Enterprise Financial Crimes Management, USAA, in an interview with Banking Exchange. “When you lump in biometrics, texting, Cybercode (an independent authenticator), it’s all two-factor authentication at the end of the day. When we have a member who is on two-factor authentication, the likelihood that they will have an account takeover is almost zero.”

A touching experience

Fingerprint identification, perhaps, is the most familiar form of biometric authentication, enabled most famously by Apple’s iPhone and iPad and their Touch ID feature. Instead of tapping in the usual four-digit code to unlock the device, the owner scans his or her selected fingerprint on a reader integral to the device. Fingerprint identification has been included on newer versions of Android devices as well.

When asked how the bank overcomes the apparent conundrum of making bank account access both easy and secure through biometrics, Shaw says: “Actually it’s easier once you enroll. For example, on your mobile phone, today, if you do not take advantage of fingerprint identification … you have to put in your access ID, password, PIN. That is laborious. It’s just a lot easier to touch your phone and you’re in.”

In fact, in the past year, many banks, big and not so big, have enabled Touch ID on their apps. A quick Google search comes up with Bank of America, Chase, Citibank, PNC, Fifth Third, and First National Bank of Granbury, Texas, to name a few.

Fingerprint authentication first became available generally to USAA Savings Bank members in 2014. The other two methodologies came on line in early 2015.

Facial recognition generally is the second most favored method. To register, users log on to the mobile app and select security options. Once there, if facial feature is desired, the customer is prompted to activate the phone’s forward-looking camera feature and hold it in front of his or her face. The program then takes a picture of the face and registers it in a database.

To facially log in, the customer goes to the login app, holds the phone up—and then the app tells the person to blink. The registered photo, plus the timed blink, prevents some criminal from trying to log in with a static picture of the real customer.

Voice recognition generally involves the member making a recording of a stock sentence that goes into the database. Then, the customer simply repeats that phrase into the app, where it is compared and authenticated.

USAA Savings Bank is a pioneer with face and voice biometrics in the U.S., but banks elsewhere have at least experimented with it. In London, HSBC, for example, has used facial recognition devices to identify employees allowed to go into its data centers. Upstart digital-only Atom Bank, also based in the U.K., intends to use facial and voice biometrics once it opens for business, expected soon.

Beyond biometrics at USAA

Biometrics are just one factor of authentication, which are to be used in conjunction with other layers of security. USAA Savings Bank has employed Cybercode since 2011 as a way to provide out-of-band authentication.

Shaw explains that Cybercode comes in three flavors.

The most popular is a so-called soft token that involves receiving a text message with a randomly generated code. The user has ten minutes to input into the banking app.

Another is a hard token, a physical keyfob, which members use to identify themselves. This method has not caught on with members, according to Shaw. The third option is also a soft Cybercode token, in which the user downloads a Verisign credential app onto a mobile device.

“It’s a very strong authentication methodology. It’s two-factor, out-of-band authentication,” Shaw says.

Peace of mind breeds customer loyalty

Beyond simply limiting or avoiding fraud losses, USAA Saving Bank views its efforts both as a partnership with its members, and as a way to instill loyalty.

“We take it very seriously,” says Shaw. “It’s not about ROI. It’s about trust and confidence with our members.”

Shaw continues: “I always like to stress that it’s a shared responsibility with our membership. We offer them the tools to protect themselves. If they do their part they will be safe and secure when they transact with us.”.

John Ginovsky

John Ginovsky is a contributing editor of Banking Exchange and editor of the publication’s Tech Exchange e-newsletter. For more than two decades he’s written about the commercial banking industry, specializing in its technological side and how it relates to the actual business of banking. In addition to his weekly blogs—"Making Sense of It All"—he contributes fresh, original stories to each Tech Exchange issue based on personal interviews or exclusive contributed pieces. He previously was senior editor for Community Banker magazine (which merged into ABA Banking Journal) and for ABA Banking Journal and was managing editor and staff reporter for ABA’s Bankers News. Email him at [email protected]

back to top


About Us

Connect With Us


Webinar: Real-Time Payments in the U.S. Market

Time/Date: June 16, 2021 2:00 p.m. ET

The U.S. has come a long way in its journey to real-time payments, with TCH and Zelle in market and FedNow just around the corner. COVID-19 has accelerated that demand to move to real-time. Yet many financial institutions remain unconvinced of the need to move, with less than 3% of financial institutions signed up today.

In this Banking Exchange hosted webinar Celent’s Gareth Lodge, Senior Analyst, Global Payments, and Alacriti’s Mark Ranta, Payments Practice Lead, discuss the findings in the Celent research report, Real-Time Payments in the US Market: Speeding Up or Slowing Down? A Call to Arms.


This webinar is brought to you by:
Alacriti logo