How Bank Apps Know You’re You

If we’ve learned one thing from years of hacks and phishing, it’s this: A username and a password alone aren’t strong enough to protect our most precious accounts.

So why don’t our bank apps require us to pile on extra security settings?

Security experts (and our own columnists) have long urged people to turn on two-factor authentication or other tools to secure their apps. Banks, arguably the most sensitive apps on our smartphones, don’t often make you use any of that. 

Instead, banks run a lot of software in the background to make sure you’re really you. Among several factors considered during logins are: the time of day, location, device IP address, mobile carrier, and if any links prompted users to open the app. If anything differs from your unique “fingerprint,” your bank might suspect a hacker or a phishing attempt, and prompt you to take more steps to verify your identity.

The four biggest U.S. consumer banks by deposits, Bank of America Corp.,BAC -1.64%decrease; red down pointing triangle Citigroup Inc., C 0.64%increase; green up pointing triangle JPMorgan Chase JPM -0.13%decrease; red down pointing triangle and Wells Fargo WFC 0.88%increase; green up pointing triangle & Co., say they run multiple layers of authentication and monitoring tools from the moment users open the app until they log out.

“We have multiple and redundant controls that are not always visible to our end user,” said Tami Hudson, Wells Fargo’s executive vice president and cybersecurity client officer. “Those things really help us to proactively identify login attempts that we would define as risky or potentially risky.”

What the banks do

In the past, you might have been asked to answer security questions—“What was the name of your first pet?” 

Now, newer behind-the-scenes measures take precedence, say security experts and banking software providers. Some compare a user’s password-typing speed and cadence with that person’s prior attempts. Others analyze the pressure with which credentials are entered by checking how many pixels are covered when the user taps each key.

This mélange of authentication practices is found largely in banking apps because the stakes are higher. Banks know if customers have any concerns about the safety of their money, they’ll go elsewhere. On top of that, banks must abide by federal regulations to use secure data management practices, such as end-to-end encryption.

All of that weighs on a bank’s decision to approve a login or transaction, said John Buzzard, lead fraud and security analyst at Javelin Strategy & Research, which assesses risks in digital banking security. 

“If there is a sudden about-face somewhere, there’s an opportunity for banks to stop it, pause it or request more information,” he added.

These tools aren’t failproof. If you have your login credentials stored on your smartphone, a phone thief who also knows your passcode may still be able to use autofill to log in. “But the secret sauce determines how far they go once they get through,” Mr. Buzzard said.

Even if these defenses are breached and money is stolen—more often through victim manipulation than actual hacking—the funds are generally protected in other ways, too.

What you can do

The four banks we spoke to say protecting users from fraudsters means not revealing every tool they have at their disposal. Still, each shared information about its techniques.

All four support Face ID and Touch ID for Apple devices, and fingerprint sign-on for Android phones. Biometrics can make signing in easy for you and harder for people who aren’t you, Mr. Buzzard said. The apps also automatically log you out after a short period of inactivity.

There might be other security layers, such as transaction alerts, two-factor (aka two-step) authentication and single-use passwords, that you choose to activate. Banks don’t turn everything on by default because they don’t want to create too much friction, Mr. Buzzard said.

If you do want to do more, here are security options offered by the individual banks:

Bank of America: The bank will ask to verify your identity via two-factor at various times, like when you’re making a transfer or using an unrecognized device. But you can have it prompt with a code via text or email every time you log in on the mobile app.

Find the tool in the bank’s Security Center, which has a checklist detailing other ways to improve your account’s security.
 

Chase: When you log on for the first time, or use a device the bank’s servers don’t recognize, Chase sends an authentication code to the customer via phone, text or email.

Chase customers can also opt into extra security in settings. You can require the entry of a one-time passcode delivered by phone, text or email alongside the username and password for every website login attempt.
 

Citibank: The Citi Mobile app doesn’t automatically ask users to turn on two-factor authentication. Go to Profile > Security Center > 2-Step Authentication and turn the setting on. Once you do, logging in will require a one-time code sent via text or call. Note: Citi is in the process of updating its mobile app, so the process may vary.
 

Customers can also activate account alerts, which will text or email you when anything unusual happens with your balance, payments spending and account activity.

Wells Fargo: Go to the app’s Security & Profile section to turn on two-step authentication. Once activated, customers will be prompted via text, email, call or push notification to enter an access code every time they sign-on. (You can also opt for this requirement to be waived when you’re logging into your phone’s app.)
 

Even if you haven’t activated two-step authentication, Wells Fargo might send a one-time password to authenticate you during logins, or when transferring and receiving money from new non-Wells Fargo accounts.

For extra login protection, you can buy a $25 portable security device from Wells Fargo. It generates and displays unique random passcodes every 60 seconds. But if you lose it, you’ll have to call customer support.
 

For more WSJ Technology analysis, reviews, advice and headlines, sign up for our weekly newsletter.

Write to Dalvin Brown at dalvin.brown@wsj.com