Lloyds Bank is exploring a way to use Near Field Communication to authenticate shoppers, but in a twist, it is using the mobile phone to receive rather than send the NFC signal.
In most banks' uses of NFC, a phone or contactless card sends the signal to a point of sale terminal. But NFC enables two-way communication, so there's no technological reason preventing the phone itself from receiving a signal and using it for authentication. In the example of Lloyds, the bank customer would tap a contactless card against the phone to authenticate a mobile purchase.
"It's a very secure system and very easy to use," said Alon Zadka, a senior innovation lead at Lloyds.
The initial trial, which ended in June, involved 125 Lloyds customers and allowed them to use their contactless cards to register their mobile banking app. Eventually the bank plans to use this process to authenticate purchases.
The bank is calling this "tap to bank," and it replaced the normal authentication method of having an automated system place a phone call to the user.
The bank also recently completed a trial via its Halifax brand that used a different kind of mobile device for authentication: a wearable band that read a customer's heartbeat.
"It's more secure because it cannot be replicated," said bank spokesperson Chris Tuttlebee. "Fingerprints can be put onto surfaces and can be taken and read. What we monitored is not quite the heartbeat as much as the heartbeat pattern," which, in theory, stays the same whether the customer has been standing still or just ran a half-marathon, he said.
The end goal of both technology trials is "to strip away passwords," Tuttlebee said.
As part of this process, Lloyds has begun requesting password fragments instead of a full password. The bank app asks for a three-character authenticator that changes every time; if the user's password is "swordfish" and the bank asks for the fourth, seventh and final character, the user would type "rih." On a later session, the bank would ask for a different set of characters.
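The fragment check described above can be sketched as follows. This is an added example, not Lloyds' code: the function names, the lockout threshold and the rule of keeping a challenge until it is answered correctly are assumptions of the sketch.

```python
import hmac
import secrets

MAX_FAILURES = 3  # assumed lockout threshold, not from the article

def new_challenge(length, count=3, previous=None):
    """Pick `count` distinct 1-based positions, never the same set twice in a row."""
    if length <= count:
        raise ValueError("password too short for a changing fragment challenge")
    rng = secrets.SystemRandom()  # OS-backed randomness, so positions are unpredictable
    while True:
        positions = tuple(sorted(rng.sample(range(1, length + 1), count)))
        if positions != previous:
            return positions

def expected_fragment(password, positions):
    """Characters at the requested 1-based positions, in order."""
    return "".join(password[p - 1] for p in positions)

def verify_fragment(password, positions, response):
    """Constant-time comparison of the typed fragment with the expected one."""
    expected = expected_fragment(password, positions)
    return hmac.compare_digest(expected.encode(), response.encode())

class FragmentLogin:
    """One user's challenge state (hypothetical class for this example)."""

    def __init__(self, password):
        # The verifier has to read individual characters, so the secret
        # cannot be kept only as a single salted hash of the whole password.
        self._password = password
        self.failures = 0
        self.positions = new_challenge(len(password))

    def answer(self, response):
        if self.failures >= MAX_FAILURES:
            return False  # locked: three characters are a small guess space
        if verify_fragment(self._password, self.positions, response):
            self.failures = 0
            self.positions = new_challenge(len(self._password), previous=self.positions)
            return True
        # A failed attempt keeps the same positions; issuing a fresh set on
        # every failure would let a guesser wait for a convenient challenge.
        self.failures += 1
        return False
```
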
The problems associated with passwords are as old as security itself. Consumers tend to opt for highly insecure passwords, and when software forces them to choose a more secure one, they may write it down or come up with a trivial change that makes the password no harder to guess. The goal of Lloyds' tests is to find a new method of authentication that is easy for the consumer to understand.
Zadka said another element that makes Lloyds' trials different from those of other large global banks (Lloyds claims more than 10 million active online banking users, half of whom actively use the bank's mobile app and generated one billion logins during the last 12 months) is its internal streamlining. For example, Zadka said, the entire mobile app trial process (including the development of the app along with various design changes) was completed and approved in eight weeks.
That design, by the way, was changed several times during the trial to address customer confusion about the "tap to bank" authentication process. The bank changed the design of the app to include animations showing exactly how the process is supposed to work. The animation itself went through some revisions, such as adding a customer's hand to show exactly what was expected of the user.
The bank's app also enables person-to-person payments to consumers listed in the phone's contacts.