Cutting Edge: Wells Fargo looks to eye-scan security
Eye scanners have long been the stuff of sci-fi and action flicks, safeguarding everything from classified data to secret lairs.
Soon, though, they’ll be used in the real world to protect something more mundane: your bank account. Or, more precisely, your company’s much larger one.
Starting this summer, San Francisco banking giant Wells Fargo & Co. will let corporate clients sign in to the bank’s commercial banking app using either an eye scan or a face- and voice-recognition system.
It’s the latest step in a broader push by banks and other institutions to do away with passwords, PINs and other information that can be stolen or forgotten, and replace them with biometrics — unique physical characteristics that, for now at least, are difficult to forge.
“User names and passwords are basically 15 years old. They’re at the end of their useful life,” said Secil Watson, who oversees online and mobile applications for Wells Fargo commercial banking. “Something needs to take their place.”
Fingerprint identification is becoming commonplace thanks to the addition of scanners on phones from Apple, Samsung and others. Big banks, including Bank of America and JPMorgan Chase, already let non-business customers sign into their mobile banking apps with their fingerprints, a feature that Wells Fargo will roll out soon.
But other biometric markers — such as the sound of your voice, the shape of your face and the appearance of your eyes — are considered more secure and thus preferable for multimillion-dollar accounts.
That’s because fingerprint-authentication technology built into mobile phones allows a user to authorize more than one fingerprint for that phone, such as a family member’s. That’s not possible with the other biometric markers.
The most sophisticated eye scanners, such as those used by government security agencies, peer into the eye to look at the blood vessels on the retina. The system Wells Fargo will roll out in a few months uses a smartphone’s front-facing camera to look at the pattern of blood vessels in the whites of the eyes, a pattern that doesn’t change and is unique like a fingerprint.
Initially conceived by a University of Missouri professor as a military tool, the system was developed by EyeVerify, a Kansas City, Mo., start-up that Wells Fargo invested in two years ago. Its Eyeprint ID system is already used by a few smaller financial institutions, including a Utah credit union and a subsidiary of Toronto’s Scotiabank.
To sign in, a customer opens the app and selects the eye-scan option, then lines up the phone’s camera so the eyes are centered in a box on the screen. The customer is then directed to look to the side, exposing the blood vessels on one side of the eye.
The whole process takes just a few seconds — longer than it needs to take. “An early prototype was faster, but customers thought it was too fast and that nothing was happening,” Watson said.
To use the bank’s alternative face- and voice-recognition system, developed by two other firms, customers line up their face in a box on their phone’s screen, then read a series of numbers that pops up on the screen.
The two biometric systems replace a cumbersome process now required of corporate clients who log into the Wells Fargo app. They not only need a user name, password and corporate ID number, but a code from a security token — a device that spits out a six- or eight-digit number every few minutes that is synced with a bank server.
David Miller, the treasurer of Hunt Cos., a real estate investment firm and Wells Fargo customer, carries around more than a dozen of the keychain-size tokens — at least one for each bank his company works with.
“When I go on vacation, I take them with me,” he said. “I don’t feel comfortable not having them on me.”
Last year, Miller was one of a handful of Wells Fargo clients who tried out the biometric sign-in. One day, he was at his doctor’s office when he got an email asking him to approve a $10-million wire transfer before the close of business.
It was nearly 5 p.m., and Miller said he didn’t have time to run to his car to retrieve his security token. So he signed in with the face- and voice-recognition system and approved the transaction.
“These things are extremely time sensitive,” Miller said.
Shirley Inscoe, a senior analyst at finance-industry consulting firm Aite Group, said Miller isn’t the only corporate executive who hates dealing with security tokens.
“Hard tokens are a pain in the neck,” Inscoe said. “What banks are doing is a reaction to what their customers want.”
Watson said Wells Fargo has been looking at biometric systems for six or seven years, initially studying voice-authentication programs that could identify customers ringing up call centers.
But over the last few years, mobile devices have improved, with microphones and cameras powerful enough to support biometric sign-in systems. Corporate clients also began conducting more financial transactions on their phones, which weren’t designed for them.
“You’re holding two devices at once, you’re entering all those numbers. On mobile, the experience was much clunkier,” she said.
The eye-scan system has a few limitations. It works if you wear glasses or contacts, but not if you have a glass eye. It might be thrown off if the users can’t stand still — say if they’re in a moving vehicle — or if there’s not enough light.
However, it will work even if your eyes are bloodshot.
“We are hangover compatible,” said Toby Rush, EyeVerify’s chief executive.
Must-read stories from the L.A. Times
Get the day's top news with our Today's Headlines newsletter, sent every weekday morning.
You may occasionally receive promotional content from the Los Angeles Times.