With losses from identity-related fraud topping $52 billion, the need to
rein in identity thieves has been a pressing problem for financial
services firms.
But with banks and merchants still lost in the sea of costly new
technologies for authenticating legitimate financial transactions,
banking regulators last week fired yet another warning shot across the
industry’s collective bow, putting them on notice that it’s time to begin
making some hard — and expensive — choices.
Last Wednesday, the Federal Financial Institutions Examination Council
(FFIEC) issued its recommendation that
banks begin planning to introduce multi-factor authentication
technologies by the end of 2006.
Recognizing that the growth of online and other forms of electronic
banking has increased the opportunity for criminals to take advantage of
those environments, the FFIEC has warned banks that there is no time to
waste in finding ways to reduce the risks for financial institutions and
their customers.
The guidance document does not endorse any particular technology; rather,
it focuses on the need for risk-based assessment and customer awareness,
along with the need for financial institutions to implement appropriate
risk mitigation strategies, including security measures to reliably
authenticate customers accessing their financial institutions’
Internet-based services.
The FFIEC pronouncement comes just a few months after a similar report from the Federal Deposit Insurance Corporation (FDIC) noted that “the
widespread use of user ID and passwords for remote authentication should
be supplemented with a reliable form of multi-factor authentication or
other layered security so that the security and confidentiality of
customer accounts and sensitive customer information are adequately
protected.”
The pressure from regulators comes at a helpful time for an
authentication technology marketplace that is crowded with vendors, but
somewhat light on customers.
While one-time password tokens, biometric scanners, radio frequency ID
tags, and smart cards are becoming increasingly common for authentication
in the enterprise environment — such as logging into a corporate VPN —
many companies remain remarkably hesitant to attempt to deploy those
solutions to a mass consumer market.
Tallying the Costs
With a single incident of credit card-based identity fraud costing the
card issuer an industry-wide average of $600, you would think banks would
be rushing to put tokens or smart cards in the hands of every customer.
But their hesitance makes a lot more sense when you consider a few of the
hurdles of deploying authentication.
First, the cost of deploying authentication on an enterprise level can be
quite significant. If you then extrapolate the initial infrastructure
costs, the price of putting an authentication device (some of which can
cost upwards of $20 apiece) in the hands of millions of users, and add in
the customer support costs for teaching every customer what to do — many
reasonable companies begin to question whether the cure is worse than the
disease.
Assuming a company decides to take the plunge and deploy one of the many
proprietary authentication solutions out on the market, if the FFIEC has
its way come 2006, it’s conceivable that every credit card, checking
account, debit card, and brokerage account will come with its own
authentication gizmo.
Then think ahead to the day when the jerk ahead of you in the coffee shop
line — you know, the one ordering a double-shot, no foam, half-decaf,
soy milk, Grande latte? — has to stop mid-order and dash back to his
Prius because his one-time password token fell under the front seat.
As frightened of losing more and more money to identity fraud as
financial institutions and merchants may be, a future marked by customers
suffering “token fatigue,” the annoyance and frustration that come
from managing key chains, wallets, and purses overflowing with
authentication devices, is not much more appealing.
It follows naturally then that the Holy Grail of authentication would be
for the world to standardize on one form. But for as much as every vendor
in the space would love to be that standard, there are some pretty hefty
obstacles to reaching such a goal.
Even if there were a one-size-fits-all authentication scheme that both
consumers and corporations fell in love with, there will always be a
question: Is it even in the world’s best interest to make one or two
proprietary technologies into, quite literally, the keys to everything?
I cannot envision that, since we’ve learned this lesson the hard way many
times before. As we recently saw with the scare about security holes in
the operating system for Cisco routers, a single flaw in one of the many
de facto standard technologies upon which we depend could be disastrous.
Indeed, the real “Catch-22” of authentication is that banks and
merchants must deploy stronger authentication technologies to a mass
audience in order to make the world safer. But in doing so, if those
businesses demand compliance from the very consumers who have grown
accustomed to lackadaisical security procedures, they risk a huge
backlash that could set back the cause of stronger authentication for a
decade.
Unfortunately for everyone, as regulators get more and more agitated
about deploying authentication, they will continue driving companies
toward investing millions of dollars in technologies that could prove to
be the new Betamax — the old videotape format that, although it was
technologically superior, lost in the market to VHS.
Until authentication vendors come up with a simple and economical way to
put user-friendly and strong authentication in the hands of users, the
demands of the financial industry regulators may simply not be
attainable… which means everybody loses.