Touch-based authentication is still very touch-and-go.
Despite the enormous hype and investment surrounding biometric technology, U.S. Bank's Elavon predicts that fingerprint, "selfie" and voice-based authentication will not render passwords obsolete anytime soon.
"The interest in biometrics has gone up and down several times in the past few years," said Brian Mahony, Elavon's chief strategy officer, adding he doesn't see passwords going away anytime soon. "I saw biometrics solutions seven years ago and it seemed like the market would be ready for adoption, but consumers weren't excited about it. Unless there is a broader understanding of what biometrics can do, the business case will be slower to take off."
During a recent interview, Mahony identified myriad new security options that are attracting greater investment from financial institutions and other payment companies. Those that are invisible to consumers, such as end-to-end encryption and expanded PCI rules, tend to fare better than those that require a change in behavior—such as EMV and biometrics.
What's lacking is a catalyst that finally compels retailers and consumers to give up prevailing authentication methods such as passwords in a substantial way in favor of other methods. Apple's Touch ID might be the most visible consumer biometric authentication option available, but rather than accept it as an alternative to passcode authentication, Apple actually required consumers to use stronger passcodes to guard their phones as of last year.
Biometrics is on Elavon's list of hot security technologies that will see ample deployment over the next year, along with EMV, tokenization, geolocation and social network-driven customer behavioral analytics. And biometric deployments should surge in the next decade, according to Tractica market research.
But all of this won't get rid of passwords or substantially reduce their use.
"Unfortunately passwords will be with us in the online channel for a while…and right now the password counts as one of the 'layers' of authentication from an FFIEC compliance perspective, albeit a useless layer," said Julie Conroy, research director at Aite Group.
The fact that this is even a discussion represents at least a short-term failure. As long as five years ago, financial technology companies were reporting major investments in replacing usernames and passwords. And it's been about two years since Apple Pay was supposed to revolutionize how people pay at stores and in mobile apps.
"Biometrics won't take off unless there is a reason for people to change their habits and that reason is not there yet," Mahony said. "Nobody knows what will change that. You see a lot of solutions out there, different players offering different things, such as the use of the blood flow in your wrist or using selfies…but there's no obvious answer for what will replace the password."
So far, Apple Pay's user adoption has disappointed, and people are still changing their passwords every three months. While acknowledging the slow pace of Apple Pay (Elavon supports Apple Pay and helped introduce the service in Canada), Mahony said the slow uptake of Near Field Communication contactless payments stems from some of the same challenges holding back password alternatives, namely the lack of a reason for consumers to change their habits.
He also said Elavon was developing new security technology that requires less change from users, such as expanding connections between the user's profile and the location of a purchase, and tweaking fraud algorithms to better spot suspicious activity.
"We are always working on reducing friction while at the same time managing risks," Mahony said.
There are some factors that could change consumer habits and create more appetite for password alternatives, Conroy said.
"I think that as the mobile channel picks up steam, that provides the opportunity and motivation to help consumers change their habits," she said, noting USAA, a financial institution that serves primarily military personnel and their families, has attracted one million of its members to use biometric authentication. "While passwords are ineffective in any channel, they are quite cumbersome from a user experience perspective on mobile. I think that we'll continue to see various forms of biometrics as an authenticator gain traction in mobile."