Blink and you’re in, at USAA Savings

As banking grows increasingly mobile, customers also increasingly demand that mobile apps be both incredibly convenient and incredibly secure. How does a bank do both at the same time?

With regulatory mandates for multifactor authentication, banks have resorted to requiring PINs, passwords, questions about mother’s maiden name, and so forth. On top of this, as customers are transferred from department to department, they often have to re-input the same information. Customers, accustomed to much more elegant treatment on other retail or social media sites, grow impatient with what they perceive as outdated technology.

One solution that’s starting to gain traction is the use of biometric authentication in several different formats—fingerprints, facial recognition, and voice recognition. USAA Savings Bank has embraced all three of these biometric options in a big way. The $1.7 billion-assets institution has 11 million members scattered all over the world. Most reach the bank via digital and mobile means.

Of the total number, says the bank, 6 million have downloaded the mobile app, and 4 million use it on a monthly basis. Of the app users who have enrolled in biometric authentication—about 1.3 million so far—95% use the fingerprint biometric, while voice and facial recognition users are in that last 5%.

Meanwhile, the bank aggressively employs multiple layers of security and authentication to assure robust fraud protection for protection of members and the bank.

“You look at fraud loss avoidance,” says Tom Shaw, vice-president, Enterprise Financial Crimes Management, USAA, in an interview with Banking Exchange. “When you lump in biometrics, texting, Cybercode (an independent authenticator), it’s all two-factor authentication at the end of the day. When we have a member who is on two-factor authentication, the likelihood that they will have an account takeover is almost zero.”

A touching experience

Fingerprint identification, perhaps, is the most familiar form of biometric authentication, enabled most famously by Apple’s iPhone and iPad and their Touch ID feature. Instead of tapping in the usual four-digit code to unlock the device, the owner scans his or her selected fingerprint on a reader integral to the device. Fingerprint identification has been included on newer versions of Android devices as well.

When asked how the bank overcomes the apparent conundrum of making bank account access both easy and secure through biometrics, Shaw says: “Actually it’s easier once you enroll. For example, on your mobile phone, today, if you do not take advantage of fingerprint identification … you have to put in your access ID, password, PIN. That is laborious. It’s just a lot easier to touch your phone and you’re in.”

In fact, in the past year, many banks, big and not so big, have enabled Touch ID on their apps. A quick Google search comes up with Bank of America, Chase, Citibank, PNC, Fifth Third, and First National Bank of Granbury, Texas, to name a few.

Fingerprint authentication first became available generally to USAA Savings Bank members in 2014. The other two methodologies came on line in early 2015.

Facial recognition generally is the second most favored method. To register, users log on to the mobile app and select security options. Once there, if facial feature is desired, the customer is prompted to activate the phone’s forward-looking camera feature and hold it in front of his or her face. The program then takes a picture of the face and registers it in a database.

To facially log in, the customer goes to the login app, holds the phone up—and then the app tells the person to blink. The registered photo, plus the timed blink, prevents some criminal from trying to log in with a static picture of the real customer.

Voice recognition generally involves the member making a recording of a stock sentence that goes into the database. Then, the customer simply repeats that phrase into the app, where it is compared and authenticated.

USAA Savings Bank is a pioneer with face and voice biometrics in the U.S., but banks elsewhere have at least experimented with it. In London, HSBC, for example, has used facial recognition devices to identify employees allowed to go into its data centers. Upstart digital-only Atom Bank, also based in the U.K., intends to use facial and voice biometrics once it opens for business, expected soon.

Beyond biometrics at USAA

Biometrics are just one factor of authentication, which are to be used in conjunction with other layers of security. USAA Savings Bank has employed Cybercode since 2011 as a way to provide out-of-band authentication.

Shaw explains that Cybercode comes in three flavors.

The most popular is a so-called soft token that involves receiving a text message with a randomly generated code. The user has ten minutes to input into the banking app.

Another is a hard token, a physical keyfob, which members use to identify themselves. This method has not caught on with members, according to Shaw. The third option is also a soft Cybercode token, in which the user downloads a Verisign credential app onto a mobile device.

“It’s a very strong authentication methodology. It’s two-factor, out-of-band authentication,” Shaw says.

Peace of mind breeds customer loyalty

Beyond simply limiting or avoiding fraud losses, USAA Saving Bank views its efforts both as a partnership with its members, and as a way to instill loyalty.

“We take it very seriously,” says Shaw. “It’s not about ROI. It’s about trust and confidence with our members.”

Shaw continues: “I always like to stress that it’s a shared responsibility with our membership. We offer them the tools to protect themselves. If they do their part they will be safe and secure when they transact with us.”.