I was sitting at the table of a cozy riverside restaurant with three members of congress, part of a 23-strong delegation visiting Israel in August. Led by Democratic whip Stanley Hoyer, the group of newly elected lawmakers wanted to hear all about the Start-Up
Nation, and I was invited by the American-Israel Public Affairs Committee to do just that.
I told them I’m now at an amazing new start-up leveraging cognitive-behavioral analytics to provide biometric authentication and advanced fraud detection, and that until recently I worked for a big security company providing one-time-password tokens. The
congressman to my left, from California, said he knew what tokens were. “We all got these things, right? They’re supposed to let you in when you want to work from home and access your virtual space at Congress. Never tried it really”.
The Michigan representative to my right scratched his head. “Yeah, I think I know what you mean. Can’t remember where I put it. Maybe in my briefcase? Or in the office”. The congresswoman from Hawaii didn’t remember the token at all.
After the main course I was asked to address the crowd and talk about our start-up. I mentioned my background again, and did a quick poll; out of the group, no one had actually used the security token yet.
I did this once more a week later, with a group of 27 Republican members, again freshmen, led by Majority Leader Eric Cantor. More-or-less the same situation. They were all provisioned with strong 2-factor authentication devices; no one made the extra effort
of getting themselves familiar with it enough to use it.
When I dug deeper, the main conclusion was that it was perceived as some sort of small obstacle, something people need to ‘figure out’ – and because they don’t HAVE to, they simply don’t.
I just finished a meeting with a local Venture Capital firm interested in investing in
BioCatch. I told the guy about my experience with the congress members. “And that’s for desktop access. Imagine what would happen if this was required for mobile access”. This got me a smile.
“Funny you mentioned it; two weeks ago I downloaded the mobile banking app of my bank. It needs the same 3 elements as the online banking: a user key, a password, and the account number. The password I remember, the account number I know, but for the life
of me I can’t remember the user key. When using the desktop it auto-fills it, but it won't on my iPhone. So I can’t really get in. I’m stuck outside”.
An hour later I talked to another VC on the phone, and mentioned that ‘locked out’ experience. “You know? I have the EXACT same problem. Different bank, but they also ask for three things and I don’t remember the user key so I’m not using the mobile app.
Just the online banking, because it auto-fills the user key”.
3 static data elements. Zero security, and two people I talked to just told me they’re not using mobile banking because of it.
My mom called me in a bit of a panic. “I can’t access my email”, she said. “It told me something about a text message with a code”.
Ah. The famous two-step verification. It’s supposed to be easy, but then my mom isn’t the most technology-savvy person on earth. She didn’t figure it out, and I’m not blaming her. What sounds like a really nice, convenient user experience that all of us
can understand and appreciate, is a sheer cliff blocking regular access to the account for those not accustomed to the new security.
I went to her place, and helped her out. “You’re not supposed to get too many of these”, I said. “It’s risk-based: for example, if you come from a new device or new Internet connection, it might suspect foul play and want to do an extra authentication. Don’t
worry, if this happens again just call me and I’ll walk you through it. Anyway, it says most people won’t get the second verification more than 3 times in their lifetime”.
It happened 4 times that week. And then I noticed everyone is now using this: Gmail, Facebook, Yahoo… and wondered how many people are stuck right now because they can’t figure it out, or their battery is dead, or their phone number is not updated at the
website. Which reminded me of something a UK bank told me; whenever someone transfers money to a new destination account, they send a text message with a one-time verification code to their mobile device. Trouble is, 7% of these verifications fail, and the
user never completes the transfer. They may call the bank or go to the branch – which creates huge operational costs.
And not that the out-of-band authentication is airtight; fraudsters always find creative ways to bypass it.
So… Bottom line. We all know that authentication based on something the user knows (passwords, memorable words, secret questions) is not working, and users tend to forget them or use the same information everywhere. We also know authentication based on
what the user has – the device, a token, a phone – can be compromised in dozens of clever ways involving a mix of malware and social engineering. What everyone is now beginning to grasp is that all of that security which isn’t really working, also has a dark
side. It creates FRICTION.
Friction is hurting the business. It stops good people from doing what they want, which is to get in, do their business, and go out. A growing number of people don’t know how to use the security, or can’t use it for some reason, and are locked outside. Other
folks simply choose the path of least security: they’ll avoid the secure channel altogether, and go for a channel that is far more costly to maintain. This is getting painfully clear in the online channel which over the last decade has moved from password-only
to a plethora of additional authentication controls; this is even more problematic in mobility, because users have zero tolerance for anything that stops them from quickly doing their business. Be it in mobile banking or accessing a corporate mobile app, protecting
mobile applications using the good old strong security is not an option anymore.
The industry is waking up to an ironic realization: cybercriminals are not its biggest problem. The security piled up over the years to stop them is becoming an even bigger issue. The dark side of security – stopping good business – is growing from a small
nuisance into a major challenge, and more and more security teams are scratching their heads. Your users – members of congress, Venture Capital professionals and retired moms – all want to do business securely, but the friction caused by inconsiderate security
is stopping them. Which is why the new security doctrine developed by the industry needs to take into account not only the emerging threats that traditional security fails to prevent, but also the growing friction. Security has a dark side – so the race for
brighter, frictionless alternatives is now on.