From access to buildings to the way people operate mobiles, biometrics has changed the way businesses and consumers alike think about security and convenience. However, the relationship biometrics technology has with banking has already brought about a transformation of BBVA, which will only continue to develop further in the future.
As global internet usage continues to rise exponentially, the number of cyber attacks unfortunately rises with it. In 2019, $17,700 was lost each minute from phishing scams. In response, businesses are required to tighten up their cybersecurity and protect customer assets as well as the brands themselves, both of which BBVA is continuously looking to safeguard.
As BBVA chief technology security officer, Juan Francisco Losa has global responsibility for the bank. His focus is around assessing the technologies needed to protect BBVA assets from a cybersecurity standpoint, including anything related to authentication or identity.
Since its inception, online banking has traditionally revolved around two-factor authentication: a username and password act as a first factor – one that is often susceptible to phishing attacks – for access to accounts, balances and products, and a second factor such as a one-time password is then required to move money, to deter fraudsters. “It’s a real deal if someone accesses an account, but it’s a much bigger deal when someone is transferring funds,” says Losa. “The second factor approach was good for balancing user experience and risk for transactions and for a time was state of the art in the industry. But biometrics is a new step forward – an enhancement of both the user experience and the security capabilities.”
At the start of this year, BBVA partnered with Nok Nok Labs, an authentication specialist that’s a founding member of the FIDO Alliance (Fast Identity Online). “FIDO is a consortium founded by really big players in the industry like Google, Samsung, Apple, all trying to understand and make a new standard around internet and online authentication,” says Losa.
BBVA has monitored the FIDO Alliance for years, Losa explains, wanting to ensure its progress and mission were consistent. Recognising that FIDO has become the standard used by manufacturers and internet giants across web browsers and devices, it was time to make it the standard authentication model for BBVA, replacing its homegrown biometric offering that had been in place for three years. “We selected Nok Nok because they’ve been there since the beginning,” says Losa. “They were open to not only becoming a provider of ours but also to share knowledge around authentication. Additionally, we’re a good partner for them since we have a good customer base and are moving forward in a digital world.”
Moving forward with digital advances typically results in challenges, however. The username and password are concepts that everyone is familiar with, as they’re associated with any use of a computer or online account, while biometrics has been part of a changing landscape. “The point is to try and mimic the usual user experience when somebody is doing something indirect,” says Losa. “The evolution of smartphones introduced things like face ID. Previously, it wasn’t consumed by a mass market in the world, but it started to become commodity-sized and now biometrics, such as a face or finger to unlock the phone, feels very natural. We believed it was the appropriate moment to provide that experience to our banking customers since they’re already using that technology for their personal device.”
Behavioural authentication is a supplement to biometrics. It’s an area BBVA has tapped into through proof-of-concept projects, one of which ran in Mexico with behavioural AI specialist neoEYED to track account impersonations across mobile devices. The startup’s technology effectively analyses and collects data to determine the way users operate their devices, such as how their phones are held or how the screen is touched, to detect whether fraudulent activity is taking place. Commenting on the solution, neoEYED CEO Alessio Mauro says: “Behavioural recognition is not a replacement of biometrics. Instead, it is a mandatory supplement to any biometric solution because it increases the reliability of the recognition, allows the detection of frauds even after the login has been done and helps to contrast newly sophisticated frauds based on DeepFake technologies.”
Reinforcing the security evolution, Mauro reasons that, with possession of passwords, hackers can do pretty much anything. “I can steal your data, I can steal your money, I can post on your behalf,” cautions Mauro. “If I have your password, I can be you, the password is you. We believe the transition from password to biometrics is required if we want to drastically reduce the size of frauds in the digital space. Passwords are a liability for enterprises, and they lose millions of dollars every year just to protect, recover and enforce them.” Passwords may still be commonplace, but biometrics are rising in prominence, especially in the mobile world, as consumers are starting to feel safer and stress-free without struggling to remember different passwords across various accounts.
BBVA has also worked alongside TypingDNA, a behavioural biometrics startup that uses AI to detect the way people type on their keyboards. “Typing biometrics expands the limited biometric authentication options, not requiring specialised sensors or advanced hardware,” says Cristian Tamas, co-founder and CMO at TypingDNA. “It works with existing keyboards, both physical and virtual. Compared to knowledge and possession-based online security tools, typing biometrics authentication is verifying the owner based on something they actually do. An SMS one-time password or a password can be easily shared with other people.”
During its collaboration with BBVA on a proof-of-concept in Mexico, TypingDNA’s technology was introduced to mobile apps to support identification of users. “The proof-of-concept was very successful as TypingDNA, through its unprecedented accuracy, managed to flag suspicious behaviour in a very effective manner,” says Tamas. “Authentication should not be an obstacle in the user’s journey, and our typing biometrics solution allows for seamless validation of a user’s identity.”
For BBVA, mobile is at the heart of its operations from a business standpoint. Increasingly it’s where customers are interacting with the bank and their accounts, which is why biometrics is such a major area for BBVA. “We have a device and mobile-centric strategy and believe everything around authentication processes needs to have that in focus,” says Losa. “The FIDO standard provides those capabilities in the sense of using them in a seamless and secure way, in the same way you’re using your face to unlock your phone, you use your face to authenticate with the bank and make transactions.”
With a global outlook, BBVA recognises that this shift and standard are taking place worldwide, which is why the bank is so keen to embrace the guideline at this time. “Cybersecurity always has challenges,” says Losa. “As an industry we started with username and password and now we have biometrics. Inevitably there will be attacks and threats around biometrics too, which will need to be addressed in the future, so as an industry we just need to be vigilant and see how those threats evolve. Our strategy here at BBVA is always to have different partners in order to ensure strong authentication and a strong service for clients.”