As regulators increase scrutiny of financial firms’ cybersecurity practices and firms look for ways to enhance their clients’ experience, some advisors might be considering introducing biometric logins for their clients.
There are advantages and disadvantages to that strategy.
One advantage is that clients are already familiar with biometrics to a certain degree. Biometric credentials are already used widely in the consumer market, according to David Meyer, vice president of product for OneLogin. OneLogin lets firms set up single passwords for users to log in to their workplace apps, Meyer said.
The most notable example of biometrics in the consumer space is Apple’s Touch ID, which allows users to sign in to their iPad or iPhone with their thumbprint.
“In the enterprise world there’s been slower adoption for a variety of reasons,” Meyer told ThinkAdvisor. Generally, biometrics are “supplementary factors” rather than primary means of access.
“Passwords have all manner of problems associated with them,” Meyer said. Clients forget them or write them down or make them too simple or they use the same password that they use for their email, Netflix and Amazon accounts.
Two-factor authentication, where the client receives a code by email or text that they enter to continue logging in to their account, helps mitigate some of those password problems. The U.S. National Institute of Standards and Technology, a nonregulatory agency that develops recommended standards for companies in various fields, released updated guidance Wednesday that dissuades companies from using text messages in two-factor authentication, as “SMS messages may be intercepted or redirected.”
Biometrics introduce another level of security to client accounts. “The higher the sensitivity” of the information that needs to be protected, “the more factors you bring to play,” Meyer said. A password is something you remember, while biometric information is something you are and a particular device is something you have, he noted. All of these factors together create a more secure login than restricting access to certain devices or requiring a password only.
Depending on the type of information being accessed, or who’s accessing it, firms may require additional factors before the user can log in to the system. For example, Meyer said, “Employees tend to use factors to get access to their own data, but HR administrators tend to have to use multiple factors to access your salary or your Social Security number.”
Clearly, firms have more control over the equipment their employees use than over the equipment their clients use, Meyer noted, but as native applications like Touch ID and its Android equivalent, Android M, become more widespread, firms’ ability to rely on them increases. More sophisticated biometric tools are another story. “If you need to do facial recognition, the software varies widely across different platforms. If you need to do voice recognition, you need to make sure that what you’re doing will work on all the different platforms that your customers are coming to you on,” Meyer said.
For example, Amazon filed a patent in March that would allow consumers to use the camera on their device to check out, rather than a password. The consumer would be asked to wink or nod or perform some other action to prove that he or she is a live person.
“I guarantee they won’t ever make that the only way you can check out. Some people might have a device without a front-facing camera,” he said, and bad lighting and background noise make facial and voice recognition less reliable.
Biometric credentials aren’t going to replace traditional authentication methods because not all users have the same tools – or even desire – to use them effectively, but “it is being used for a better user experience in the cases where it works,” Meyer said. “My computer recognized my face and logged me in. If it can’t recognize my face I have to put in other factors like a password and a one-time token.”
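The two ideas above, that more sensitive data demands more factor categories (something you know, something you have, something you are) and that a biometric which fails to recognize the user falls back to a password plus a one-time token, can be written down as a small step-up authentication policy. The following is an added example, not code from OneLogin or from the article; the resource names, the policy table and the factor names are constructed for illustration.

```python
"""Step-up authentication policy (added example, not OneLogin code): the more
sensitive the resource, the more distinct factor categories a login must present."""
from dataclasses import dataclass
from enum import Enum
from typing import Dict, FrozenSet, Iterable, Tuple


class FactorKind(str, Enum):
    KNOWLEDGE = "knowledge"    # something you know: a password
    POSSESSION = "possession"  # something you have: an enrolled device, a one-time token
    INHERENCE = "inherence"    # something you are: fingerprint, face, voice


@dataclass(frozen=True)
class Factor:
    kind: FactorKind
    name: str       # e.g. "password", "touch_id", "one_time_token"
    verified: bool  # result already produced by that factor's own verifier


# Hypothetical policy table (constructed for this example): number of distinct
# factor categories required before the resource may be read.
POLICY: Dict[str, int] = {
    "own_profile": 1,        # an employee looking at their own data
    "account_statements": 2,
    "salary_and_ssn": 3,     # an HR administrator reading someone else's salary or SSN
}
MAX_FACTORS = max(POLICY.values())


def required_factor_count(resource: str) -> int:
    """Unknown resources fail closed: they demand the strictest policy."""
    return POLICY.get(resource, MAX_FACTORS)


def satisfied_kinds(presented: Iterable[Factor]) -> FrozenSet[FactorKind]:
    """Only verified factors count, and only one per category: two passwords
    are still just 'something you know', not two factors."""
    return frozenset(f.kind for f in presented if f.verified)


def authorize(resource: str, presented: Iterable[Factor]) -> Tuple[bool, str]:
    """Allow access when enough distinct, verified factor categories are present."""
    need = required_factor_count(resource)
    have = satisfied_kinds(presented)
    if len(have) >= need:
        return True, f"{resource}: {len(have)} factor kind(s) presented, {need} required"
    return False, f"{resource}: step-up required, {need - len(have)} more factor kind(s) needed"


def login_attempt(resource: str, face_recognized: bool,
                  password_ok: bool, otp_ok: bool) -> Tuple[bool, str]:
    """The fallback Meyer describes: try the biometric first; if the device
    cannot recognize the face, the user supplies a password and a one-time
    token instead. A biometric that did not verify contributes nothing."""
    presented = [Factor(FactorKind.INHERENCE, "face", face_recognized)]
    if not face_recognized:
        presented += [
            Factor(FactorKind.KNOWLEDGE, "password", password_ok),
            Factor(FactorKind.POSSESSION, "one_time_token", otp_ok),
        ]
    return authorize(resource, presented)


if __name__ == "__main__":
    print(login_attempt("own_profile", face_recognized=True, password_ok=False, otp_ok=False))
    print(login_attempt("account_statements", face_recognized=False, password_ok=True, otp_ok=True))
    print(login_attempt("salary_and_ssn", face_recognized=False, password_ok=True, otp_ok=True))
```

Two design points worth noting: the policy counts distinct categories rather than raw factor instances, so a second password never substitutes for a device or a biometric, and a resource missing from the table is treated as the most sensitive one, so a misconfiguration denies rather than grants access.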
Meyer said there’s a “wide-open field of law and regulation that will evolve around” this kind of technology, and he urged firms to be cautious about the kind of information they’re storing. “Unless you’re a security expert, you should not be storing secrets of your employees, even passwords.”
He recommended that if firms decide to implement biometric credentials, they work with a “third party who’s an expert in security … because they’ll be able to adapt to the evolving regulatory framework.”
Security training is critical for any client-facing employee in general, especially regarding phishing, Meyer said. “Initially phishing attacks were pretty obvious. Now they’re getting very elaborate, and they’re often phishing for small amounts of information they can use for” other social engineering attacks in the future, he warned.
That warning doesn’t just pertain to firms that use biometrics in their security practices. “Understanding modern exploits that people use to get access to protected data will be more important with the rise of biometric factors because of the broader consequence of them being compromised,” Meyer said.