Vice President, VeriSign India
Every day, people are finding new reasons to go online to access goods and services. Transacting online avails to consumers convenience and the kind of broad selection that local businesses just can’t touch.
And there’s another important reason: transacting online keeps consumers out of their cars. A recent survey of adults who use the Internet found that fuel prices prompted them to transact online more often, and for a wider range of goods and services.
Unfortunately, this growing dependence on online business hasn’t gone unnoticed by opportunists looking to exploit this convenience of consumers.
Identity theft and online fraud are on the rise. Between December 2007 and February 2008, researchers measured a 70% increase in fraudulent activity such as phishing, in which e-criminals use convincing-looking emails to lead consumers to fraudulent, but just as convincing, Web pages. When Internet users fall for phishing scams, they can unwittingly hand over an array of sensitive personal information, including user names, passwords, credit card numbers and Social Security Numbers.
The costs are dear. A Gartner study reported that businesses lost US$ 3.2 billion due to phishing in 2007. In addition to monetary costs, the targeted company also suffers immeasurable damage to its brand.
Beyond User Names and Passwords
Facing a climate in which both opportunities and threats are growing daily, online businesses are looking for ways to strengthen the authentication they provide online.
Among these is two-factor authentication (2FA), a stronger form of verification that has been successfully implemented within enterprises for 15 years. Two-factor authentication combines what the end-user knows (user name and password) with what he has, such as a one-time password (OTP) generated by a physical device. A user can’t successfully log in without both. It’s a combination that makes it very difficult for e-criminals to gain access to accounts and information, because the thieves must possess not only the user name and password, but the consumer’s physical credential as well.
To use 2FA, consumers acquire a credential, available in a variety of convenient formats, that generates an OTP for every login. During an online session, this OTP is entered along with the user’s usual account name and password. Users achieve strong authentication and secure their identities when the site verifies the OTP and matches it to the user.
It’s true that the models implemented over a decade ago to deliver 2FA to the enterprise don’t meet the needs of today’s complex and convenience-oriented consumer environment. Yet 2FA for consumers is not beyond the reach of organisations seeking to protect their customers from fraud, and to differentiate themselves from competitors by offering state-of-the-art online security. Still, concerns about the convenience and cost of this protection seem to stubbornly cloud most discussions of 2FA. It doesn’t take long, however, before a little research reveals that these perceived shortcomings amount to little more than a fragile set of five myths. Let’s visit each, and discuss where the myth ends and reality begins.
Myth No. 1: Consumers will need to carry dozens of credentials with them to log in to all their online accounts, and this will make 2FA a burden for users and impractical for site operators.
This is the so-called “token necklace effect” that critics claim has haunted 2FA, but the spectre of a single consumer laden with multiple credentials isn’t inevitable. A shared network of member organisations could make 2FA easier and more convenient than ever by allowing users to carry a single, portable credential that is recognised on all member sites. (Credentials today are available as a key fob token, credit card sized credential, or even software that’s downloaded to a user’s cell phone – all of which generate an OTP.) When companies join a 2FA network, much like an ATM network, the dreaded necklace of tokens is unnecessary.
Myth No. 2: Judging from what enterprises have spent on their implementations, 2FA is just too expensive for the consumer market.
2FA is now available through managed services and shared network models, which have allowed strong authentication to break out of the premise-based enterprise model and cost-effectively scale 2FA protection to a consumer audience.
Online businesses now can take advantage of third-party hosting of the infrastructure needed for 2FA, along with easy integration of Web services, to reduce deployment expenses and share maintenance costs with other network members. This reduces both short and long-term investment requirements.
Myth No. 3: It’s risky to invest in a 2FA platform based on today’s consumer preferences, when tomorrow’s consumer preferences could be totally different.
Organisations can “future-proof” their 2FA offering by choosing solutions that comply with the open standards of the Open AuTHentication (OATH) reference architecture. With an OATH-compliant 2FA solution, companies can avoid becoming locked into one vendor’s authentication credentials. OATH-compliant systems can support any similarly compliant form factor, including tokens, cell phones and PDAs. More than 70 manufacturers produce OATH-compliant solutions today, providing organisations an enormous variety of options for the consumers they serve.
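The OTP login flow described earlier (the site verifies the OTP and matches it to the user) and the OATH standard named in this myth come together in the OATH HOTP algorithm (RFC 4226), which is what an event-based OATH token computes. The following is an added illustration written for this page, not VeriSign’s product code: a server-side verifier that requires both factors, looks ahead a few counter values in case the token was pressed without logging in, and advances the stored counter after a successful match so a captured OTP cannot be replayed. The user record, password, salt and the token secret (the RFC 4226 test-vector key) are constructed demo values.

```python
import hashlib
import hmac
import struct

# Constructed demo data (not from the article): one user record holding a
# salted password hash (factor 1) and an OATH HOTP secret plus the next
# expected counter (factor 2). The secret is the RFC 4226 test-vector key.
DEMO_SALT = b"demo-salt"
DEMO_SECRET = b"12345678901234567890"


def hash_password(password: str, salt: bytes) -> bytes:
    """Slow, salted password hash; only the hash is stored server-side."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


USERS = {
    "alice": {
        "salt": DEMO_SALT,
        "pw_hash": hash_password("correct horse", DEMO_SALT),
        "token_secret": DEMO_SECRET,   # shared with the user's hardware/software token
        "counter": 0,                  # next counter value the server expects
    }
}


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter,
    dynamically truncated to `digits` decimal digits."""
    digest = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    binary = (
        (digest[offset] & 0x7F) << 24
        | digest[offset + 1] << 16
        | digest[offset + 2] << 8
        | digest[offset + 3]
    )
    return str(binary % 10 ** digits).zfill(digits)


def verify_otp(user: dict, otp: str, look_ahead: int = 5) -> bool:
    """Accept the OTP if it matches one of the next `look_ahead` counter
    values for this user's secret. On success, move the stored counter past
    the matched value: the same OTP is never accepted twice."""
    start = user["counter"]
    for c in range(start, start + look_ahead):
        if hmac.compare_digest(hotp(user["token_secret"], c), otp):
            user["counter"] = c + 1
            return True
    return False


def login(username: str, password: str, otp: str) -> bool:
    """Two-factor login: both the password and a fresh OTP must check out.
    The OTP is only consumed when the password is correct, so a guessed
    password cannot burn the user's counter values."""
    user = USERS.get(username)
    if user is None:
        return False
    password_ok = hmac.compare_digest(hash_password(password, user["salt"]), user["pw_hash"])
    return password_ok and verify_otp(user, otp)


if __name__ == "__main__":
    first = hotp(DEMO_SECRET, 0)            # what the token displays at counter 0
    print("login with both factors:", login("alice", "correct horse", first))   # True
    print("replay of the same OTP:", login("alice", "correct horse", first))    # False
```

The look-ahead window is the usual trade-off for event-based tokens: too small and a user who pressed the button a few times locks themselves out, too large and an attacker who captured one OTP has more values that remain valid until the next successful login. Time-based OATH tokens (TOTP) replace the counter with a time step but keep the same HMAC and truncation.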
Myth No. 4: Whatever advantage the 2FA network model may offer, it’s not enough to draw new members into these alliances.
Aside from the obvious benefits to consumers (using a single credential across thousands of sites) and the cost advantages that come with sharing network expenses with other members, signing on as a 2FA network member pays other business dividends. For instance, the ability to transfer the trusted relationship across all network members can be leveraged to strengthen online affiliation and build sales channels. For example, because eBay and PayPal both belong to the same 2FA network, an online retailer that joins it can notify those companies’ communities that the same tokens consumers use for eBay and PayPal can also be used at the retailer’s site. That represents a competitive advantage in a market where differentiation can be tough to achieve. And by leveraging their reputation as an innovator who puts the security of customers first, businesses can burnish their own brands in ways that can generate new sales opportunities.
Myth No. 5: Consumer 2FA is long on hype but short on real-world successes.
The brief history of consumer 2FA has certainly not rewarded organisations using premise-based, proprietary systems and credentials, in other words, credentials that can only be used at a single online business. If consumer 2FA implementations have stalled, it’s because these models have not delivered the results, efficiencies and scale they promised. That’s not the case with managed service providers such as VeriSign, which have successfully implemented the network delivery model and have brought on an impressive number of online brands.
BATTLING THE IRRELEVANT
These five myths all mirror outdated perceptions of 2FA, perceptions based on decade-old enterprise models that are irrelevant to today’s consumer paradigm. Today, successful online businesses are leveraging industry standards, managed services and shared networks to deliver comprehensive two-factor authentication for consumers.
Poking holes in these myths merely requires a balanced assessment of the risks faced by consumers, the cost of implementing 2FA, and the resulting quality of the consumer’s online experience. Doing so will reveal why it makes good business sense to protect a company’s customers, and its own vital interests, with a strong two-factor authentication solution.