As applications like Uber and Venmo are eliminating the need to physically carry cash or a credit card, our smartphones are quickly becoming the go to replacement for our wallets.
To meet consumers where they are (on their phones), financial institutions like Chase and Wells Fargo will widely introduce card-free ATM options later this year in the hopes of delivering a more convenient consumer banking experience. But as with any new technology, mobile ATM access raises a new set of security challenges.
Since most consumers today carry their phones like a fifth appendage, using a phone as a security token hits that sweet spot between protection and convenience. But cell phones represent only one means of authentication (a possession factor) and, unfortunately, one security measure is simply not enough to keep hackers at bay in today’s escalating threat environment.
This lesson was made clear in January when one Chase customer had $2,900 in cash withdrawn from her account through the bank’s new cardless system while vacationing in Cancun. Because Chase didn’t even require that the credentialed phone use a PIN, the thief, armed with just the customer’s account information and password, was able to withdraw a large sum of cash. Granted, with any roll out of new technology there will be some bumps and clearly, this one example points to the necessity of including additional authentication factors.
That’s perhaps why multifactor authentication (MFA), the practice of using several identification measures throughout the course of a user session, has fast become one of the hottest topics among security practitioners.
Using the mobile device as an authentication platform, additional authentication factors, be they biometrics (an inherent factor) or a PIN (a knowledge factor), can be layered and integrated into the authentication experience. They can also be modified as the risk factors change, like (for instance) I’m now withdrawing money in Cancun. This ensures that card-free transactions can intelligently leverage the risk signals coming from the mobile device.
Unlike traditional bank cards, which can be lost or skimmed, when a uniquely fingerprinted mobile phone (e.g., a first factor) is coupled with additional authentication factors, the identification process becomes more secure for both the consumer and the financial institution.
Consumers are already growing familiar with using multiple means of authentication, like one-time passwords (OTP) or fingerprint scans, and appear to be ready for a card-free, passwordless banking experience. In fact, according to a recent consumer survey of online banking consumers conducted by Aite Group, 85% of banking customers across generations (millennials, Generation X, Baby Boomers and seniors) noted that they were eager to replace passwords with more modern authentication methods.
Fortunately, modern smartphones coupled with modern mobile apps can together support a range of authentication factors, making them the ideal platform for MFA, affording consumers more choice than ever in their online security experience.
Once banks do deploy the appropriate safeguards and authentication methods, they will likely begin to incentivize customers to use their phones over bank cards at ATM’s, as they provide a more layered security approach at a lower price point (not to mention the high cost of replacing compromised bank cards).
Conversely, as native bank apps become a central touch point between financial institutions and an increasing number of customers, using the apps themselves as an authentication gateway promises to make for a stickier user experience and will provide banks with more opportunities to promote and market other services. Many banks call this “omnichannel authentication”: one way to identify yourself, whether you’re on your mobile app, in front of an ATM, or even standing at the Teller’s counter.
This mobile-focused access functionality is not limited to banks and cardless ATMs. A number of pioneers in different segments are looking at the same combination of ubiquitous mobile, user-friendly multifactor authentication, and reliable NFC, the near-field communications protocol that makes these interactions work.
Hotel chains like Starwood are rolling out mobile app functions that provide easy keyless access to your hotel room. Vehicle manufacturers like Volvo are delivering keyless driving experiences that leverage your smart phone. And the August Smart lock can open your home doors without a key, or allow your AirBnB guests to do the same, then erase their access when their stay is over.
It’s clear, though, that banking will lead the charge in this cardless, keyless world. JPMC, B of A and Wells Fargo are leading already testing their new cardless ATM systems. In the process, they’re signaling to their competition that a whole new set of user-friendly, highly secure, differentiating features are headed their way, and fast.