As regulators increase scrutiny of financial firms’ cybersecurity practices and firms look for ways to enhance their clients’ experience, some advisors might be considering introducing biometric logins for their clients.
There are advantages and disadvantages to that strategy.
One advantage is that clients are already familiar with biometrics to a certain degree. Biometric credentials are already used widely in the consumer market, according to David Meyer, vice president of product for OneLogin. OneLogin lets firms set up single passwords for users to log in to their workplace apps, Meyer said.
The most notable example of biometrics in the consumer space is Apple’s Touch ID, which allows users to sign in to their iPad or iPhone with their thumbprint.
“In the enterprise world there’s been slower adoption for a variety of reasons,” Meyer told ThinkAdvisor. Generally, biometrics are “supplementary factors” rather than primary means of access.
“Passwords have all manner of problems associated with them,” Meyer said. Clients forget them, write them down, make them too simple, or reuse the same password that they use for their email, Netflix and Amazon accounts.
Two-factor authentication, where the client receives a code by email or text that they enter to continue logging in to their account, helps bypass some of those password problems. The U.S. National Institute of Standards and Technology, a nonregulatory agency that develops recommended standards for companies in various fields, released updated guidance Wednesday that dissuades companies from using text messages in two-factor authentication, as “SMS messages may be intercepted or redirected.”
Biometrics introduce another level of security to client accounts. “The higher the sensitivity” of the information that needs to be protected, “the more factors you bring to play,” Meyer said. A password is something you remember, while biometric information is something you are and a particular device is something you have, he noted. All of these factors together create a more secure login than restricting access to certain devices or requiring a password only.
Depending on the type of information being accessed, or who’s accessing it, firms may require additional factors before the user can log in to the system. For example, Meyer said, “Employees tend to use factors to get access to their own data, but HR administrators tend to have to use multiple factors to access your salary or your Social Security number.”
Clearly, firms have more control over the equipment their employees use than over the equipment their clients use, Meyer noted, but as native applications like Touch ID and its Android equivalent, Android M, become more widespread, firms’ ability to rely on them increases. More sophisticated biometric tools are another story. “If you need to do facial recognition, the software varies widely across different platforms. If you need to do voice recognition, you need to make sure that what you’re doing will work on all the different platforms that your customers are coming to you on,” Meyer said.