
March 26, 2008

Abbey customers don't want Chip and PIN

Abbey (a major UK retail bank) have just published the results from a study which says that 68% of their customers don't want Chip and PIN:

http://www.finextra.com/fullstory.asp?id=18250

I think this is for two main reasons:

1) Some people just don't want additional security
I totally understand that not every customer wants additional security from the hassle point of view but I really think Abbey (and other organisations) are missing a major point.

If 32% of your customers want something, is that not reason enough to offer it to them?

Leave the other 68% without any 2nd factor for the time being and see what happens. I bet that a significant proportion of them will move over time to want more security, especially if they themselves have fraud issues on their Abbey or other online accounts.


2) The form factor they were offered was the Chip and PIN reader

I am not surprised that people do not want the Chip and PIN style device when it is shown to them; people just don't want to carry around another device with them. There are however other devices, such as credit card style tokens with an LCD which generates an OTP, which are much more user friendly. There are even ones with challenge and response functionality available, totally replacing the need for a separate Chip and PIN reader.

March 25, 2008

Consumer authentication - An online organisation's view vs their customer's view

So this post is aimed at pointing out something that affects every online organisation who has account based relationships. I believe there is a disconnect between what the sites think their consumers want and what they actually want...anyway, here goes...


When looking at consumer authentication for online accounts there are three things an organisation usually considers:


Security: How much security should I apply to protect that account?

Cost: How much can I afford to spend to prevent accounts being taken over?

Usability: How can I minimise the impact on the consumer?


This diagram summarises the debate from an online organisation's point of view:
Diagram 1.jpg
As you can see the online bank might take security as the primary consideration. I am not saying they would not be concerned about cost or usability, just that they would likely put security first.


An online social networking site might look at it differently. The account is unlikely to be targeted by a fraudster, so security is not the biggest concern; instead, because their business model means they are effectively giving the service away for free, the social networking site will probably be more worried about cost.


Similarly, the online retailer would probably worry most about usability for the consumer, reasoning that the more "clicks" a consumer has to make, the less likely they are to make it to the checkout basket.


These are generalisations and as such are generally true but not every consumer thinks the way an online organisation does.

Some consumers who go to online social networking sites are worried about security.


Some online banking customers are more worried about the usability than the security.


Some online retailing customers are happy to sacrifice an element of usability for more security...you get the picture.


So how do consumers actually think? Well this diagram summarises the debate from a consumer's point of view:
Diagram 2.jpg
If online organisations approach their consumer relationships from their own viewpoint they are not servicing all their customer needs. By offering security to those that want it, and not mandating it for everyone, they will be making their online relationships stronger and more profitable.


March 24, 2008

My take on OpenID

You may have seen the news recently about Open ID and how companies such as VeriSign (along with Google, Yahoo, IBM and Microsoft) have all expressed support for this emerging standard, well here is my take....


Open ID has been around now for a couple of years, and with any jump in technology we shouldn't expect adoption by large commercial organisations immediately, so the fact that Yahoo has gone for it is a sign that this technology is reaching an early level of maturity. Other large US based online consumer organisations are expected to follow over time.


It is great to see Yahoo taking the plunge on this and I am fully supportive as this will mean the consumer nightmare of having to remember a different user name and password for every site will disappear.


The challenge for the Open ID community is getting more traditional and risk-averse businesses like the banking community on board.


The reason for this is that banks will be worried that if a consumer's Open ID is compromised at another site then their banking relationship will be compromised. A fair point I must say.


The solution to this? Well 2nd factor authentication, which the banks are rolling out in the UK and is already established in many markets means that the banks retain control of the customer relationship, even if the Open ID account is compromised.


For those of you that don't know about 2nd factor authentication, it is usually achieved with a small token (such as this one) which provides a unique one-time password each time a consumer logs into the site.


token.jpg
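To show what sits behind both the OTP token described above and the challenge-and-response card tokens mentioned in the Abbey post, here is an added example (my own illustration, not code from the post or from VeriSign) of how a site would verify such a token: the event-based HOTP algorithm from RFC 4226, the server-side counter window that tolerates a few button presses made without logging in, and a simple HMAC-over-challenge mode for the challenge/response style of token (the challenge mode is my illustrative construct, not a named standard; the secret and challenge are constructed sample values).

```python
import hmac
import hashlib
import struct


def _truncate(mac: bytes, digits: int) -> str:
    """RFC 4226 dynamic truncation: pick 4 bytes at an offset taken
    from the last nibble, mask the sign bit, reduce to `digits` digits."""
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """Event-based OTP (RFC 4226): HMAC-SHA1 over the 8-byte counter."""
    return _truncate(hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest(), digits)


def challenge_response(secret: bytes, challenge: str, digits: int = 6) -> str:
    """Illustrative challenge/response mode: the site shows a challenge, the
    token answers with a truncated HMAC of it, so each answer is bound to
    that login attempt and cannot be replayed against another one."""
    return _truncate(hmac.new(secret, challenge.encode(), hashlib.sha1).digest(), digits)


class TokenRecord:
    """What the site stores per enrolled token: the shared secret and the
    next counter value it expects. `window` is how far ahead it will search,
    because a user may press the token's button without logging in."""

    def __init__(self, secret: bytes, counter: int = 0, window: int = 8):
        self.secret, self.counter, self.window = secret, counter, window

    def verify(self, submitted: str) -> bool:
        for c in range(self.counter, self.counter + self.window):
            # constant-time compare so timing does not leak which digits matched
            if hmac.compare_digest(hotp(self.secret, c), submitted):
                self.counter = c + 1   # consume this and every earlier counter: no replay
                return True
        return False


# Constructed sample secret (it is the RFC 4226 test-vector key, not a real token's).
SAMPLE_SECRET = b"12345678901234567890"

if __name__ == "__main__":
    record = TokenRecord(SAMPLE_SECRET)
    print("token shows", hotp(SAMPLE_SECRET, 1), "-> accepted:", record.verify(hotp(SAMPLE_SECRET, 1)))
    print("same code again -> accepted:", record.verify(hotp(SAMPLE_SECRET, 1)))
```

Counters already consumed are rejected, which is the property that lets a bank keep control of the login even if a password (or an Open ID) used elsewhere has leaked.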


Bottom line is that Open ID will be adopted by many other businesses and their consumers, but it will only be adopted by the banks in conjunction with 2nd factor authentication.

March 21, 2008

My 7 rules as I start this Blog

So, after some arm twisting over a few beers I have decided to start a blog. I work for VeriSign but I have made it clear to the powers that be that this should express my own personal views rather than the corporate line...and, guess what, they agreed. As I start this I have set myself some guidelines which anyone reading this should set me straight on if I go off course:


This Blog will...

1) ...highlight activities related to Online Identities and Trust for consumers, and businesses which interact with consumers online in Europe

2) ...be my opinion NOT my employer's at VeriSign and will shy away from any post which I feel looks like shameless publicity. Any posts that do, I will highlight clearly as such

3) ...focus on European issues, but highlight related issues on other continents

4) ...not become a "General Security" blog, there are enough of them already

5) ...not get too technical, I want to highlight trends in consumer and business experience in this area rather than get weighed down in technical details

6) ...be updated no less than once a week

7) ...attempt to entertain as well as inform

Mike