Samaha Associates

e-Business and Technology Consulting Services for Financial Institutions

Quality Service With Results

1st United Services was in the midst of a credit and debit card processor conversion in 2012. The conversion proved to be quite complex, and we were beginning to have concerns about its success. Samaha Associates assisted in addressing our major concerns, and also helped us renegotiate pricing. I would highly recommend talking to Samaha Associates prior to entering any major conversions or contract negotiations.

Steve Stone, Chief Financial Officer
1st United Services Credit Union, Pleasanton, CA


May 2017: Samaha Associates' CEO Sabeh Samaha Featured in CUES Article: Bypassing Passwords

Bypassing Passwords

Biometrics are already successful on a small scale, and the potential is thrilling. But the technology is evolving, the cost could be daunting, and success could create new problems.

By Richard H. Gamble

Biometrics are coming. The first applications are already in place and working well. Anything that promises improved security and greater convenience is a cause for celebration. A few corks are popping, but most credit union leaders are keeping the champagne on ice until some big questions are answered.

A revolution in data security based on biometric authentication is close, probably sweeping in by 2020, predicts Gene Fredriksen, VP/chief information security officer at CUES Supplier member PSCU (www.pscu.com), St. Petersburg, Fla., and executive director/CEO of the National Credit Union Information Sharing & Analysis Organization (www.ncuisao.org), headquartered in the Kennedy Space Center at Cape Canaveral, Fla.

The technology is ready, thanks to the widespread adoption of smartphones with fingerprint readers, excellent camera function and adequate microphones. Many consumers are ready, led by millennials comfortable pushing for the convenience biometrics can bring. And regulators and larger financial institutions are ready for an added security tool.

What’s missing are standards, and bringing standards is Fredriksen’s mission. “We’ve been trying to replace password authentication forever, and finally the elements of something better are coming together,” he says. “We’re still missing the standard toolsets and packaged services.” For many CUs, that will mean waiting for their vendors to offer standardized, packaged solutions, he adds.

Last year, letting members access their mobile banking with a fingerprint was a “nice to have” feature, reports Eric Goscicki, manager/mobile strategies at PSCU. Next year, members will consider it a “must have,” he predicts.

The popularity of fingerprint identification, as well as the better security it provides, spells eventual doom for user names and passwords, he suggests. “The old school credentials are fading away,” he says. Because the mobile device is identified and matched to the registered user, as well as the fingerprint, it’s more secure than key-stroked authentication, he adds.

Biometrics Lite

Apple’s Touch ID and parallel Android technology constitute a wave that may or may not foreshadow a tsunami. CUs today are living in the era of “biometrics lite,” driven largely by the decision of Apple and Google to require a thumbprint to use Apple Pay and Android Pay, reports consultant Richard Crone, CEO of Crone Consulting (www.croneconsulting.com), San Carlos, Calif.

To support that security, Apple and Samsung (Google’s partner) have built phones that can capture thumbprints, and they have built operating systems that can do the matching. Most vendors of CU mobile banking systems support fingerprint authentication, and most CUs offer it, Crone reports. It typically works well unless the needed finger is wet or dirty.

Now a few financial institutions are heading into face and voice recognition, reports Conor White, president for the Americas Group at Daon Inc. (www.daon.com), Reston, Va., an international biometrics and identity assurance software company. Using Daon technology, customers of USAA Bank can now choose finger, face or voice authentication, he says.

While Fredriksen says adoption of biometrics among small banks and CUs is pretty spotty, some are in the game. For example, $5.9 billion Mountain America Credit Union (www.macu.com) in W. Jordan, Utah, gives members two biometric options for opening the CU’s mobile banking app: fingerprint and retinal scan. According to CUES member Kelly Albiston, SVP/digital banking, the fingerprint service is essentially free to the CU because it’s built into members’ phones; it pays EyeVerify (www.eyeverify.com) a fee per member for the retinal scan.

Both are delivered through the CU’s mobile banking provider, Access Softek (www.accesssoftek.com). Password is still the most popular way to enter, then fingerprint and then eye, he says. Those choices are working well, but Mountain America CU is considering adding facial and voice recognition. Delivery will likely flow through Access Softek, which is likely to integrate the services, not build them, he suggests.

Whatever the CU buys will have to be affordable enough that members won’t be asked to pay extra to use them, he adds.

Enthusiasm for biometrics runs high at $1.1 billion Commonwealth Credit Union (www.ccuky.org), Frankfort, Ky., where CUES member Raffo Wimsett is a mobile communications enthusiast. You often find the 31-year-old campus relations partner bicycling to meet members in classrooms or food courts to help them open accounts, transfer money and apply for loans remotely instead of spending time in a branch.

“I use my thumb first to unlock my phone,” he says. “Then I use it again to open our mobile banking app. I may use it a third time to carry out an activity.” If mobile is good, biometric authentication makes it even better, Wimsett insists. For him and Commonwealth CU members, that means pressing a thumb on a smartphone reader is a faster, easier alternative to entering a password.

But when Wimsett needs to access member information from his pedal-powered branch, his thumbprint won’t work. “I have to use the virtual private network through my laptop and a secured login and password that has been generated by our data team, and that only works if the WiFi connection is secured,” he explains. “Security still trumps convenience.”

First Tech Credit Union (www.firsttechfed.com), with headquarters in Beaverton, Ore., and Mountain View, Calif., has the size (almost $10 billion in assets), culture and acumen to size up biometric opportunities. The CU is coming off a three-month pilot with CUES Supplier member Mastercard (www.mastercard.com), Purchase, N.Y., in which 500 First Tech CU employees made payments on Mastercard’s “selfie pay” program, using either fingerprint or facial recognition.

The verdict, according to Brian Ziff-Levine, director of cards and payments? It works. “We’re putting the finishing touches on that program and expect to launch it for members in the first half of 2017,” he reports. Employees were enthusiastic, and First Tech CU’s tech-savvy members are asking for it, he adds.

What’s holding back biometrics, according to Ziff-Levine, is not reliability or convenience but the limited number of devices equipped to use it. “It’s still a fragmented market,” he says. “Only newer models of the iPhone and Android have Touch ID capability. Once the handsets are up to speed, biometrics will really take off.” He predicts a surge in the next four to eight months.

Cost Concerns

To catch on, biometrics need to be secure, reliable, convenient and relatively cheap, explains Bob Bender, chief technology officer at $2 billion Founders Federal Credit Union (www.foundersfcu.com) in Lancaster, S.C. “I don’t think we can consider passing costs on to members,” he says, “and it can’t put a big financial burden on the financial institution.” So his CU is letting properly equipped members log onto its mobile banking app with a fingerprint, but otherwise taking a wait-and-see position.

Paying for biometric authentication may indeed be a stumbling block. “Samsung has an advanced voice recognition product,” notes Robb Gaynor, chief product officer and co-founder of Malauzai Software (www.malauzai.com), Austin, Texas, a mobile banking provider, “but it’s more complex and costly to implement. We’ve looked at it, but we don’t offer it because we don’t have a client that is willing to pay for it.”

At this point, CUES Supplier member Fiserv (www.fiserv.com), Brookfield, Wis., is looking at 2018 as a time to move forward. “We won’t build a solution from scratch,” says Scott Hess, VP/consulting and innovation, “and we don’t want to invest in something that the mobile providers are going to build into their systems.”

For now, Fiserv’s mobile banking platform interfaces with the iPhone and Android operating systems for Touch ID. “We know they like it because they complain if we force them to use a password every 20th time just as a control mechanism,” he notes.

Going beyond Touch ID hits obstacles. When Fiserv tested other biometrics in 2009, it discovered that voice worked pretty well if the person didn’t have a cold, Hess reports. Eye scans were another story. Presenting their eyes creeped out users, and the matching wasn’t reliable without a military-grade server.

Even fingerprint authentication has limitations. If an iPhone user registers fingerprints of family members, Apple will confirm a match but not which person’s fingerprint was applied, Hess points out. There were press reports in January that a 6-year-old used her sleeping mother’s fingerprint to go on an iPhone shopping spree. While members like the convenience of dabbing a finger, the convenience is overhyped, Gaynor suggests. “People mostly use our mobile banking app to check balances and payment history, and they already can do that without logging in if they use a popular feature like autobalance,” he says.

Two Visions

Ultimately authentication will likely be a package of factors, Daon’s White predicts. “You could have a person read a prescribed phrase while the camera records his face and the microphone his voice,” he explains. “The right phrase would be a factor. You could authenticate that it was the user’s face and voice. You could authenticate the device he or she was using, ... that user’s tie to that device and ... the location ....”

Multiple biometric authentication factors build security; they can also build a delightful member experience, especially for multitasking millennials, White notes. “The trend is to give users a choice,” he says. Another key consideration is how much security is needed. A fingerprint may be fine to turn on a smartphone, Fredriksen explains.

A million-dollar payment may require a fuller spectrum of identification. “The time is coming soon when a combination—maybe a solution that marries a thumbprint with voice recognition and keystroke characteristics—will cause the password to die,” Fredriksen asserts. “That will be a great day.”

There’s also a darker vision, notes Sabeh Samaha, head of Samaha & Associates Inc. (www.ssamaha.com), Chino Hills, Calif. “We need to think carefully about what we’re about to do,” he says. “If we create a digital record of the full spectrum of an individual’s biometric markers, we raise the danger of identity theft to a frightening new level. We’re digitizing and storing people’s eyes, fingers, voices, faces and so forth, based on our technological ability... and the short-term rewards of better security and greater convenience. We need to think seriously about the long-term damage this could cause.”
