In Search of Authentication's Holy Grail
Columnist Ray Everett-Church looks ahead to the day every checking account, credit card and coffee honor card comes with its own authentication gizmo. How do we avoid ending up in that mess?
But with banks and merchants still lost in the sea of costly new technologies for authenticating legitimate financial transactions, banking regulators last week fired yet another warning shot across the industry's collective bow, putting them on notice that it's time to begin making some hard -- and expensive -- choices.
Last Wednesday, the Federal Financial Institutions Examination Council (FFIEC) issued its recommendation that banks begin planning to introduce multi-factor authentication technologies by the end of 2006.
Recognizing that the growth of online and other forms of electronic banking has increased the opportunity for criminals to take advantage of those environments, the FFIEC has warned banks that there is no time to waste in finding ways to reduce the risks for financial institutions and their customers.
The guidance document does not endorse any particular technology; rather, it focuses on the need for risk-based assessment and customer awareness, along with the need for financial institutions to implement appropriate risk mitigation strategies, including security measures to reliably authenticate customers accessing their financial institutions' Internet-based services.
The FFIEC pronouncement comes just a few months after a similar report from the Federal Deposit Insurance Corporation (FDIC) noted that "the widespread use of user ID and passwords for remote authentication should be supplemented with a reliable form of multi-factor authentication or other layered security so that the security and confidentiality of customer accounts and sensitive customer information are adequately protected."
The pressure from regulators comes at a helpful time for an authentication technology marketplace that is crowded with vendors, but somewhat light on customers.
While one-time password tokens, biometric scanners, radio frequency ID tags, and smart cards are becoming increasingly common for authentication in the enterprise environment -- such as logging into a corporate VPN -- many companies remain remarkably hesitant to attempt to deploy those solutions to a mass consumer market.
Tallying the Costs
With a single incident of credit card-based identity fraud costing the card issuer an industry-wide average of $600, you would think banks would be rushing to put tokens or smart cards in the hands of every customer. But their hesitance makes a lot more sense when you consider a few of the hurdles of deploying authentication.
First, the cost of deploying authentication on an enterprise level can be quite significant. If you then extrapolate the initial infrastructure costs, the price of putting an authentication device (some of which can cost upwards of $20 apiece) in the hands of millions of users, and add in the customer support costs for teaching every customer what to do -- many reasonable companies begin to question whether the cure is worse than the disease.
Assuming a company decides to take the plunge and deploy one of the many proprietary authentication solutions on the market, and if the FFIEC has its way come 2006, it's conceivable that every credit card, checking account, debit card, and brokerage account will come with its own authentication gizmo.
Then think ahead to the day when the jerk ahead of you in the coffee shop line -- you know, the one ordering a double-shot, no foam, half-decaf, soy milk, Grande latte? -- has to stop mid-order and dash back to his Prius because his one-time password token fell under the front seat.
As frightened of losing more and more money to identity fraud as financial institutions and merchants may be, a future marked by customers suffering "token fatigue" (the annoyance and frustration that comes from managing key chains, wallets, and purses overflowing with authentication devices) is not much more appealing.
It follows naturally then that the Holy Grail of authentication would be for the world to standardize on one form. But for as much as every vendor in the space would love to be that standard, there are some pretty hefty obstacles to reaching such a goal.
Even if there were a one-size-fits-all authentication scheme that both consumers and corporations fell in love with, there will always be a question: Is it even in the world's best interest to make one or two proprietary technologies into, quite literally, the keys to everything?
I cannot envision that, since we've learned this lesson the hard way many times before. As we recently saw with the scare about security holes in the operating system for Cisco routers, a single flaw in one of the many de facto standard technologies upon which we depend could be disastrous.
Indeed, the real "Catch-22" of authentication is that banks and merchants must deploy stronger authentication technologies to a mass audience in order to make the world safer. But in doing so, if those businesses demand compliance from the very consumers who have grown accustomed to lackadaisical security procedures, they risk a huge backlash that could set back the cause of stronger authentication for a decade.
Unfortunately for everyone, as regulators get more and more agitated about deploying authentication, they will continue driving companies toward investing millions of dollars in technologies that could prove to be the new Betamax -- the old videotape format that, although it was technologically superior, lost in the market to VHS.
Until authentication vendors come up with a simple and economical way to put user-friendly and strong authentication in the hands of users, the demands of the financial industry regulators may simply not be attainable... which means everybody loses.