Just look at your phone to log in
Thanks to eye-scanning technology, millions of Americans can now access their bank accounts by merely looking at their phones. It even works with a hangover.
The technology is being introduced across the country by Wells Fargo and, as Fortune has learned, by dozens of regional banks and credit unions. Its arrival means consumers can jettison their bank passwords and log on by looking instead.
Here’s how it works, including a video, and what it means for consumers and security.
Apps and Your Eyes
Everyone is familiar with the use of fingerprints to establish someone’s identity. Now, banks are doing the same with our eyes, but not in the way you might think. They don’t rely on a customer’s iris, but instead they focus on the pattern of blood vessels behind the whites of the eyes.
In practice, this involves customers opening an app and pointing a smartphone camera at their faces. The bank’s app compares the eyes that appear in the camera image to one the customer has previously stored in the app. If they match, customers can check their bank balance, transfer money, and pay bills.
The technology is already available to some of Wells Fargo’s corporate customers, and will soon be available to everyone who has a bank account there. It is also coming to Citigroup by the end of the year.
Meanwhile, more than 30 banks and credit unions like Arizona Federal Credit Union and the Hawaii State Credit Union are adding eye-scanning to their apps this month. Here’s a very short video without audio that shows how it works.
According to Toby Rush of EyeVerify, the Kansas-based company that supplies the technology, eye-scanning is as accurate as fingerprints, and works about 99.8% of the time.
“We’re hangover compatible,” Rush joked, explaining that the eye-scanning works no matter how bleary a customer’s eyes may be. He adds that the technology is difficult to fool because of its “liveness detection.” (Fingerprint sensors, on the other hand, can be tricked with Play-Doh.)
He adds that the eye-verification process relies on a copy of the eye-print stored on a customer’s device, not on an external server controlled by the bank. This is important since a company database of eye-prints would be a tempting target for hackers—especially as, unlike passwords, eye-prints or fingerprints can’t be reset.
Usernames and passwords, which customers have long used to prove their identity, are a lousy form of security. Major data breaches at banks, and at retailers like Target and Home Depot, have resulted in hackers compromising millions of accounts.
That’s why more companies are turning to biometric tools like eye-prints as an alternative way to identify their customers.
“Biometrics is just pattern matching,” said Rush, adding that the technology used to be prohibitively expensive because it would require a company to issue a device to all customers to capture their eye-prints or fingerprints. But now that most people own smartphones, it can be accomplished with just an app.
Eye-prints, of course, are just one way banks can use customers’ bodies to identify them. As the New York Times reported, Bank of America and JP Morgan already offer fingerprint sign-ins to millions, while Citigroup identifies credit card customers by their voice.
Meanwhile, financial institutions are working with security company Capco to spot fraud with even more futuristic techniques like measuring blood pressure and body heat.
But all this doesn’t mean customers’ old standby—the username and password—is going away anytime soon.
Layers of Security
Just because a company offers a superior feature doesn’t mean people will use it. The banks, for instance, are likely to discover that millions of their customers don’t want to download an app — let alone use that app to scan their eyes.
Kristen Bernard of NCR, which is helping dozens of banks offer the eye-scanning, acknowledges this. She says that none of the banks involved plan to force the technology on their customers, and will instead allow them to keep logging on to their account the way they do already.
“Biometrics for now are just one alternative,” she said, but added that many people find the eye-scan to be a more convenient way to log in with a mobile device than passwords.
Surprisingly, trial experiments show eye-scanning is popular with older customers, according to Bernard. She says seniors have responded well to marketing that invokes Mission Impossible—an old TV show featuring lots of high tech gadgetry.
In the long run, though, it’s unlikely that one single form of sign-in will become dominant. Instead, the banking industry is seeing the proliferation of new technology as a way to introduce “layered security.” The idea is that, for access to sensitive account information, people could add several forms of security—say a thumbprint plus a password plus an eye scan—to verify their identities.
So when will this arrive at a bank near you? Very soon if it’s not there already. Other confirmed banks include Service Credit Union in New Hampshire and Republic Bank in Kentucky. NCR will release a full list of participants soon. So don’t, uh, blink or you might miss the news.