Mobile banking users favor biometrics but lag in multifactor adoption

A new study highlights a critical divide in how mobile banking users adopt security tools, embracing some while overlooking others, leaving their digital defenses vulnerable. With cyber threats like phishing, malware, and SMS spoofing on the rise, understanding what drives customers to accept protective measures or reject them has become a pressing concern. 

The investigation, titled “Strengthening Cybersecurity Resilience: An Investigation of Customers’ Adoption of Emerging Security Tools in Mobile Banking Apps,” published in Computers, comes from Newcastle Business School at the University of Northumbria. Led by Irfan Riasat, Mahmood Shah, and M. Sinan Gonul, the study draws on interviews with 22 mobile banking users in Pakistan as a case study. It examines how perceptions of usefulness, ease of use, trust, and awareness influence the adoption of tools like biometric authentication, SMS alerts, strong passwords, and multifactor authentication (MFA). While the findings stem from Pakistan, they reflect broader trends in mobile banking security worldwide.

The study’s first key question - what drives the acceptance and adoption of security tools - reveals a strong preference for biometric authentication, especially fingerprint recognition. Users value its simplicity and perceived security, citing the uniqueness of biometric traits as a shield against unauthorized access. Its ease of setup, requiring little technical skill, makes it widely appealing. SMS alerts also rank high, prized for delivering real-time updates on account activity, such as transactions or login attempts. Often powered by artificial intelligence, these alerts help users feel in control and quickly spot suspicious actions, enhancing their practical value.

However, adoption falters with multifactor authentication. Despite its ability to bolster security through multiple verification steps, like a password paired with a one-time code, MFA sees limited use. Many users are unaware of it or lack the know-how to activate it, a stark contrast to the confidence expressed by those who do adopt it, who see it as a powerful safeguard. Strong passwords, meanwhile, retain a foothold. Users trust complex alphanumeric combinations as secure, though they admit to practical drawbacks, like forgetting them or risking exposure in public settings.

The second question - how trust, ease of use, and usefulness shape attitudes and intentions - shows these factors working in tandem. Trust is a cornerstone, particularly for tools guarding sensitive financial data. Biometric authentication earns high confidence because users believe its traits can’t be replicated, amplifying its usefulness. SMS alerts gain trust through their speed and reliability, making them a go-to for account monitoring. For MFA adopters, trust flows from the extra security layer, though its complexity deters others. Strong passwords hold trust for those who see them as tough to crack, but their usability challenges temper enthusiasm.

Awareness and knowledge, the third focus, emerge as gatekeepers to adoption. Users gravitate toward tools they understand and can easily implement. Biometrics and SMS alerts thrive here, with their benefits widely recognized and activation straightforward—often just a bank request for alerts. MFA, however, struggles. Many participants in the Pakistan case study hadn’t heard of it or didn’t know how to set it up, despite its potential to counter threats. This mirrors a global challenge: without awareness, even robust tools languish. Passwords show a similar pattern, with spotty knowledge of best practices like avoiding simple or reused codes, leaving users exposed.

In Pakistan, the case study context underscores these trends against a backdrop of escalating cyber risks. The Pakistan Telecommunication Authority notes the financial sector faces the highest malware attack rates, with phishing a close second. A surge in cyberattacks in August 2024 prompted banks to warn against public Wi-Fi and unknown sites, while smishing - fraudulent SMS scams - has spiked, targeting mobile banking credentials for dark web sales. The State Bank of Pakistan has adopted global standards, like the National Institute of Standards and Technology’s Cybersecurity Framework, pushing for two-factor authentication and real-time alerts. Yet, the study suggests these measures haven’t fully penetrated user awareness, a gap likely echoed in other regions with similar digital growth.

The researchers propose an updated Technology Acceptance Model (TAM), tailoring it to security tools. They position knowledge and awareness as a moderator, arguing users must first know a tool exists and grasp its setup before assessing its ease, usefulness, or trustworthiness. Trust takes center stage as a mediator, directly influencing attitudes and intentions. The model highlights a feedback loop: trust enhances perceived usefulness, and usefulness bolsters trust. In security contexts, where privacy is critical, this dynamic is key - users won’t adopt what they don’t trust, regardless of utility.

These findings resonate globally, offering insights for regions where mobile banking outpaces cybersecurity literacy. Biometrics’ popularity signals a hunger for intuitive, reliable tools, but MFA’s neglect points to an education gap. Financial institutions and app developers could address this by simplifying MFA activation and launching awareness campaigns - perhaps via social media - to spotlight its value. Policymakers might mandate standardized security features across platforms, ensuring consistency and clarity. Device manufacturers could also refine biometric hardware to counter risks like spoofing, which few users in the study recognized.

The study’s qualitative lens, while rich, limits broad generalization, and its Pakistan focus invites comparative research elsewhere. Future work could test the model with quantitative data or explore demographic influences like age or profession.