Tag Archives: identity

Identity & Authentication – Time for a Financial Services digital services passport?

Endava has been helping a UK IT industry association with some thought leadership pieces recently, and I’ve been permitted to share my contribution before the report is published.

We’ve contributed to two essays, and I’ll post a link on this site when they are released in early 2014. This is the second part of two posts – you can read the first one on user experience for banking customers here.

Identity & Authentication – Time for a Financial Services digital services passport?

The answer here lies in three distinct areas:

  1. The Authentication Conundrum
  2. The Internet Identity Crisis
  3. The Organisational, Political and Social Resistance to Single Sign On.

The Authentication Conundrum

Let’s take one of the biggest retail banks in the UK. To log into their online banking systems they have a variety of authentication methods:

  1. Website which requires a physical security device to create a one-time numeric password
  2. Website for their credit card product which requires the user to enter specific digits of their password
  3. Telephone banking which requires the user to enter specific digits of their telephone banking password
  4. Mobile app which requires a 5 digit numeric password
  5. ATM machines which require a 4 digit numeric password
  6. Message board/forum which requires a username (none of the other services require this) as well as a password with a minimum of 8 characters with a combination of numbers, symbols and mixed case letters.

These methods are not only inconsistent, they negatively impact the users’ experience of the online servicing channels.

Organisations need a unified authentication standard. I understand that an ATM requires a physical card, so it can have the easiest authentication of only 4 characters, but why do the message boards (which have no account access) need to be more complex than the mobile banking app?

The Internet Identity Crisis

In order to trust online retailers with our private details, we use SSL security certificates. Certificates are not just for encryption, they are a means of ensuring we are buying from a company who is who they say they are.

It’s now time for the other way round – for customers to prove who they are.

If a user books a room on Air B&B, they don’t want to stay at a mass murderer’s house, and the house owner doesn’t want a mass murderer staying with them either. Both need to have a level of trust on the network – usually achieved by previous transactions being validated.

I have an eBay account with 100% positive feedback amassed over a few years and over 500 ratings, both buying and selling. So when I join a site such as TripAdvisor, or Air B&B, that eBay ‘score’ should count for something. I’m the same person. And this is the Internet’s Identity Crisis.

The Internet needs a centralised Single Sign On system to link all accounts into a common identity. Facebook and Twitter both have their own systems in place (Facebook Connect and Sign in with Twitter), but the issue here is about Trust. I don’t trust those two organisations to log into my bank, tax or healthcare providers.

I do trust my bank though. And so do most people. Whilst the media attempts to discredit banks, there aren’t mass cash withdrawals from banks because the public fundamentally does trust them.

In my view, to solve the Internet Identity Crisis, banks should build a Single Sign On system which uses similar OAuth based technologies to the social networks which can be used by any third-party website. The system provides authentication to the website, but won’t allow any other details to be exposed unless the user explicitly permits.
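To make the "authentication without disclosure" idea concrete, here is an added illustration (not code from the original post or from any bank): a bank-run identity provider issues a signed token to a third-party site containing only the claims covered by scopes the user explicitly consented to, and the site verifies signature, audience and expiry before trusting any of them. The key, issuer URL, user record and scope-to-claim mapping are constructed sample values; a real OAuth/OpenID Connect deployment would use asymmetric signatures and per-client credentials.

```python
import base64, hashlib, hmac, json, time

# Constructed demo key shared by the bank (IdP) and the relying party.
IDP_KEY = b"demo-bank-idp-key"

# Everything the bank knows about the user (constructed sample data).
USER_RECORD = {
    "sub": "user-4711",                 # stable pseudonymous identifier
    "name": "A. Customer",
    "email": "customer@example.com",
    "sort_code": "00-00-00",            # never released: no scope maps to it
    "reputation": {"ebay_positive_pct": 100, "ebay_ratings": 500},
}

# Which claims each scope unlocks. "openid" alone proves only that the bank
# vouches for a stable identifier; nothing else leaves without consent.
SCOPE_CLAIMS = {
    "openid": ["sub"],
    "profile": ["name"],
    "email": ["email"],
    "reputation": ["reputation"],       # a portable reputation score
}

def _b64(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def issue_token(user, requested, consented, audience, key=IDP_KEY, ttl=300):
    """Bank side: release only claims whose scope the user actually consented to."""
    granted = [s for s in requested if s in consented and s in SCOPE_CLAIMS]
    if "openid" not in granted:
        raise ValueError("openid scope is required for authentication")
    claims = {"iss": "https://bank.example", "aud": audience,
              "exp": int(time.time()) + ttl, "scope": " ".join(granted)}
    for scope in granted:
        for name in SCOPE_CLAIMS[scope]:
            claims[name] = user[name]
    body = _b64(json.dumps(claims, sort_keys=True).encode())
    sig = _b64(hmac.new(key, body.encode(), hashlib.sha256).digest())
    return f"{body}.{sig}"

def verify_token(token, audience, key=IDP_KEY, now=None):
    """Relying-party side: check signature, audience and expiry before trusting claims."""
    body, sig = token.split(".")
    expected = _b64(hmac.new(key, body.encode(), hashlib.sha256).digest())
    if not hmac.compare_digest(sig, expected):
        raise ValueError("bad signature")
    claims = json.loads(base64.urlsafe_b64decode(body + "=" * (-len(body) % 4)))
    if claims["aud"] != audience:
        raise ValueError("token was issued for a different site")
    if (now or time.time()) >= claims["exp"]:
        raise ValueError("token expired")
    return claims
```

A site that asks for `email` but is only granted `openid` and `reputation` learns the user's stable identifier and reputation score, and nothing else.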

Only then will the Internet Identity Crisis be solved.

The Organisational, Political and Social Resistance to Single Sign On.

Technically, Single Sign On has been solved by a number of organisations. This leaves three resistances to Single Sign On: Organisational, Political and Social.

Metro newspaper headline. Source: weareblink.com

Traditional organisations are built in silos. When one part of an organisation builds a system, it’s uncommon for that part to comply with existing authentication systems unless specifically mandated, which is also uncommon. This leads to the issues outlined in the retail banking example above, with six systems, each with different passwords and password complexity.

Political resistance is encountered where a specific authentication system isn’t adopted because of perceived risk or perceived non-standard technical constraints.

Social resistance comes from attention-grabbing headlines such as the one shown above. These headlines undermine the credibility and security of large-scale websites and digital service providers, creating resistance to adopting new technologies. And this doesn’t help anyone.


Five Key Internet Megatrends: 5. Trust

The quest for identity management continues
Credit: http://www.flickr.com/photos/brenda-starr/3509344100/

Key points:

  • We need a Single Sign On across the web, from a truly trusted brand
  • Sellers need to know who customers are, just as much as we need to identify real retailers
  • Web sites that build a reputation score will need to transfer their data

To give you an idea of how ridiculous passwords have become, let’s look at my bank. My bank is one of the most technically advanced banks, and has created some great innovations.

I use their website banking, which uses a log in process that has been designed to deter users from using the service. It takes two screens, a physical device to generate a random number, and various other forms of identity.

And then take their mobile app. With a simple 5 digit numerical passcode, I can do almost anything I can do via the website equivalent. Either the security department went on holiday when the mobile app was released, or they came to their senses to make it easier for customers to access their account. I hope it was the latter but it was probably the former.

Passwords are one of the biggest nuisances of the Internet. Another nuisance is multiple accounts. The number of accounts we have, and continue to keep creating, has got out of control. Not only is it out of control, but we then have security experts telling us not to use the same password on multiple sites. And personally I won’t use a password manager because I fear they are all run by some spotty (but clever) teenager from his bedroom, and one day he’ll have access to lots of people’s accounts and go on a spending spree at Amazon.

If I see a website offering to use my Facebook or Twitter credentials to register or login to a website, I’ll always take the offer. It’s so much easier.

The problem with websites offering Facebook or LinkedIn or Twitter is that the social network gets to keep the customer data, not the website we’re registering with. And also, whilst I’m happy to use a social network to log me on to various websites, I’m not sure I would use Facebook connect for my healthcare or pension site.

We need a Single Sign On system across the Internet from a trusted party. It needs to be trusted by both users and website owners – from my bank to the Inland Revenue (whose authentication system is extremely rigid).

Once we have the Single Sign On system, it needs to keep track of our various reputation scores. I have an eBay account with 100% positive feedback amassed over a few years and over 500 ratings, both buying and selling. So when I join a site such as TripAdvisor, or Air B&B, that eBay score should count for something.

As the Internet continues to become more complex, retailers need to know their customers are who they say they are, and can be trusted. We’ve been using SSL security certificates on the Internet for a long time now as a means of ensuring we are buying from a company who is who they say they are. It’s now time for the other way round – for customers to prove who they are.

This type of system is called VRM (Vendor Relationship Management). It’s all about making the Internet a level playing field, establishing the trust that we take for granted in the real world, and migrating it to the virtual one. All with the aim of being treated as a real human being rather than an IP address and a cookie jar.

The Internet trust revolution – part 2


Yesterday I started a two part post on trust. The UK has just experienced an abuse of trust in the food chain, and I’ll now discuss how trust works on the Internet.

The next few years will see the trusted relationship become two way. Individuals will have personal certificates to prove we are who we say we are.

Banks use a variety of physical devices to check we have our bank details and a PIN number. However, if I want to vote online, I have to prove I am Bradley Howard to the government. Other companies will need to know I am definitely Bradley Howard before they’ll let me use their service or buy their products.

I went to an event this week discussing the new ‘Sharing Economy’. One of the speakers described the Sharing Economy as the third revolution of the Internet. The first revolution was e-commerce, the second was social networks and now there are marketplaces to share anything from homes (Air B&B), cars (Lyft) to tasks (Amazon Turk).

A sharing economy requires both people in the transaction to trust each other. If you book a room on Air B&B you don’t want to stay at a mass murderer’s house, and the house owner doesn’t want a mass murderer staying with them either. Both need to have a level of trust on the network – usually achieved by previous transactions being validated.

eBay did this successfully with feedback, percentage feedback, stars, Powerseller status and so on.


There is an opportunity here to carry the trust earned on one network, such as eBay, over to another site, such as Air B&B.

Otherwise you need to keep starting from scratch (i.e. untrusted) on each new site. And this may drive better behaviour across all sites, because users won’t want a reputation earned over several years eroded by silly behaviour on another sharing site.


Identity crisis


The photo above was taken eight years ago and shows my parents and my identical twin daughters Shelley and Natalie. I’m pretty certain that it’s my dad on the left and my mum on the right, however I can’t tell which baby is Shelley or Natalie.

Before I joined IMG I worked for a Finnish telco company called Sonera. At Sonera we enabled consumers to use mobile phones to ‘sign’ – to prove their identity. We used the SIM card in the phone as a secure, unique system. At the time (late 1990s) the system was designed from the ground up to be secure enough to sign mortgage papers.

As the Internet has matured over the last few years, the issue of identity hasn’t gone away, however it has changed subtly. It’s now possible to create an anonymous Twitter user, build up a few hundred followers and start a malicious rumour. This is why I find it hard to digest newspapers who reference Twitter for their news content.

It is quite secure for consumers to run a Google search for a product, land on a site they’ve never seen before, and hand over their credit card details. The main reason for this security is that your card issuer (bank) will provide a level of reimbursement if the website fails to deliver the goods.

However we are soon going to find that it’s necessary for end users, the consumers, to have a valid identity.

We’ve read how some of the people accused in the British riots have been banned from using their Facebook account (which is ridiculous because they probably phoned someone as well, yet their mobile isn’t being revoked, but I digress). There is nothing to stop that person from creating a new Facebook account straight away. In fact, Facebook’s friend suggestion tool is so accurate that it will help recreate all that user’s friends as well.

In order for the Internet to truly grow up and allow us to vote online and perform all the duties we’ve previously done in the Post Office, we need to sort out digital identities. Digital identities in the UK have always been seen in a negative light, despite the irrational xenophobic fear whipped up by some of our national newspapers. However, we’re going to need to jump over this fear if we are to issue these digital identities.

These digital identities will be used to sign into most websites and will work across mobile, web, TV and anything else that springs up.

In order to apply for a digital identity, financial services organisations will require stringent checks – just like a passport, but probably with someone physically checking the photos and documents face to face. This is why Facebook Connect isn’t the right platform for an Internet-wide ID platform.

The Internet is truly global, and the identities will need to work globally too. They will probably be government run, although it’s feasible for some of the larger financial services companies to run them.

Like so many technology vendors, Sonera was doing the right thing, just at the wrong time – about 15 years too early.