Friday, October 22, 2021

In Search of Authentication’s Holy Grail

With losses from identity-related fraud topping $52 billion, the need to rein in identity thieves has been a pressing problem for financial services firms.

But with banks and merchants still lost in the sea of costly new technologies for authenticating legitimate financial transactions, banking regulators last week fired yet another warning shot across the industry’s collective bow, putting them on notice that it’s time to begin making some hard — and expensive — choices.

Last Wednesday, the Federal Financial Institutions Examination Council (FFIEC) issued its recommendation that banks begin planning to introduce multi-factor authentication technologies by the end of 2006.

Recognizing that the growth of online and other forms of electronic banking has increased the opportunity for criminals to take advantage of those environments, the FFIEC has warned banks that there is no time to waste in finding ways to reduce the risks for financial institutions and their customers.

The guidance document does not endorse any particular technology; rather, it focuses on the need for risk-based assessment and customer awareness, along with the need for financial institutions to implement appropriate risk mitigation strategies, including security measures to reliably authenticate customers accessing their financial institutions’ Internet-based services.

The FFIEC pronouncement comes just a few months after a similar report from the Federal Deposit Insurance Corporation (FDIC) noted that “the widespread use of user ID and passwords for remote authentication should be supplemented with a reliable form of multi-factor authentication or other layered security so that the security and confidentiality of customer accounts and sensitive customer information are adequately protected.”

The pressure from regulators comes at a helpful time for an authentication technology marketplace that is crowded with vendors, but somewhat light on customers.

While one-time password tokens, biometric scanners, radio frequency ID tags, and smart cards are becoming increasingly common for authentication in the enterprise environment — such as logging into a corporate VPN — many companies remain remarkably hesitant to attempt to deploy those solutions to a mass consumer market.

Tallying the Costs

With a single incidence of credit card-based identity fraud costing the card issuer an industry-wide average of $600, you would think banks would be rushing to put tokens or smart cards in the hands of every customer. But their hesitance makes a lot more sense when you consider a few of the hurdles of deploying authentication.

First, the cost of deploying authentication on an enterprise level can be quite significant. If you then extrapolate the initial infrastructure costs, the price of putting an authentication device (some of which can cost upwards of $20 apiece) in the hands of millions of users, and add in the customer support costs for teaching every customer what to do — many reasonable companies begin to question whether the cure is worse than the disease.

Assuming a company decides to take the plunge and deploy one of the many proprietary authentication solutions out on the market, if the FFIEC has its way come 2006, it’s conceivable that every credit card, checking account, debit card, and brokerage account will come with its own authentication gizmo.

Then think ahead to the day when the jerk ahead of you in the coffee shop line — you know, the one ordering a double-shot, no foam, half-decaf, soy milk, Grande latte? — has to stop mid-order and dash back to his Prius because his one-time password token fell under the front seat.

As frightened of losing more and more money to identity fraud as financial institutions and merchants may be, a future marked by customers suffering “token fatigue”, the annoyance and frustration that comes from managing key chains, wallets, and purses overflowing with authentication devices, is not much more appealing.

It follows naturally then that the Holy Grail of authentication would be for the world to standardize on one form. But for as much as every vendor in the space would love to be that standard, there are some pretty hefty obstacles to reaching such a goal.

Even if there were a one-size-fits-all authentication scheme that both consumers and corporations fell in love with, there will always be a question: Is it even in the world’s best interest to make one or two proprietary technologies into, quite literally, the keys to everything?

I cannot envision that, since we’ve learned this lesson the hard way many times before. As we recently saw with the scare about security holes in the operating system for Cisco routers, a single flaw in one of the many de facto standard technologies upon which we depend could be disastrous.

Indeed, the real “Catch-22” of authentication is that banks and merchants must deploy stronger authentication technologies to a mass audience in order to make the world safer. But in doing so, if those businesses demand compliance from the very consumers who have grown accustomed to lackadaisical security procedures, they risk a huge backlash that could set back the cause of stronger authentication for a decade.

Unfortunately for everyone, as regulators get more and more agitated about deploying authentication, they will continue driving companies toward investing millions of dollars in technologies that could prove to be the new Betamax — the old videotape format that, although it was technologically superior, lost in the market to VHS.

Until authentication vendors come up with a simple and economical way to put user-friendly and strong authentication in the hands of users, the demands of the financial industry regulators may simply not be attainable… which means everybody loses.
