Multi-Factor Authentication, and other musings
As I waded through my list of RSS feeds on the plane (I have to admit that I had fallen behind in some reading), I happened upon a previously flagged post by Bruce Cundiff of Javelin Strategy. The post, which is located here, is a discussion of whether commerce-specific biometrics have failed, as evidenced by the PayByTouch financial woes and their empty booth at the BAI Retail Delivery Conference. (As an aside, although this wasn't the only empty booth, it was by far the most obvious.)
So is commerce biometrics a failure moving forward? I agree with Bruce that the answer is both "Yes" and "No". When discussing the "No" position, Bruce says:
No: Other alterations to the payments landscape, including contactless, have met with similar difficulties. It’s not possible to limit this failure of additional technology solutions deployed at the point of sale solely to biometrics. There is an inherent inertia among merchants if they can’t see a viable business case and immediate ROI for implementing these technologies.
Consider that statement in light of the recent discussion regarding the TJX data breach. In the scenario of TJX, the root cause of the issue was not the instrument, per se, but the storage of the data associated with that instrument.
With that said, a traditional credit card is, basically, zero-factor authentication. Whoever has the number, or the card, or the number skimmed and written onto a blank, or (you get the idea) is then able to initiate a purchase. In the biometric scenario, by contrast, the transaction (in the case of PayByTouch, ACH) is tied to something you "are" rather than just something you possess. Multi-factor authentication often involves not only something you "have" but also something you "know" and something you "are". (Most implementations use some combination of the above.)
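To make the contrast concrete, here is a small added example (mine, not from the original post or from PayByTouch) that verifies a transaction two ways: a "zero-factor" card-on-file check that succeeds for anyone holding the number, and a two-factor check that requires something you know (a password, stored as a salted PBKDF2 hash) plus something you have (a time-based one-time code per RFC 6238). The user record, password, shared secret and timestamp are constructed demo values; the function names are my own.

```python
import hashlib
import hmac
import os
import struct

PBKDF2_ROUNDS = 200_000   # assumption: demo work factor, tune for production
TOTP_STEP = 30            # seconds per RFC 6238 time step


def make_user(password: str, totp_secret: bytes) -> dict:
    """Build a constructed demo user record: salted password hash + TOTP secret."""
    salt = os.urandom(16)
    return {
        "salt": salt,
        "pw_hash": hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS),
        "totp_secret": totp_secret,
    }


def card_on_file_check(stored_pan: str, presented_pan: str) -> bool:
    """The 'zero-factor' case: the static number is the only thing checked,
    so a skimmed or copied number authorizes exactly like the real card."""
    return hmac.compare_digest(stored_pan, presented_pan)


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian counter, dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret: bytes, now: int, step: int = TOTP_STEP) -> str:
    """RFC 6238 TOTP: HOTP over the current time step."""
    return hotp(secret, now // step)


def check_knowledge(user: dict, password: str) -> bool:
    """'Something you know': constant-time compare of the derived hash."""
    cand = hashlib.pbkdf2_hmac("sha256", password.encode(), user["salt"], PBKDF2_ROUNDS)
    return hmac.compare_digest(cand, user["pw_hash"])


def check_possession(user: dict, code: str, now: int, window: int = 1) -> bool:
    """'Something you have': accept the current step plus +/- window steps
    to tolerate clock drift; an old code outside the window is useless."""
    for drift in range(-window, window + 1):
        expected = totp(user["totp_secret"], now + drift * TOTP_STEP)
        if hmac.compare_digest(expected, code):
            return True
    return False


def authorize_two_factor(user: dict, password: str, code: str, now: int) -> bool:
    """Both factors must pass; holding only the card data is not enough."""
    return check_knowledge(user, password) and check_possession(user, code, now)


if __name__ == "__main__":
    # Constructed demo values, not real data.
    user = make_user("correct horse", b"demo-shared-secret")
    now = 1_700_000_000
    print("card number alone:", card_on_file_check("4111111111111111", "4111111111111111"))
    print("two-factor, fresh code:", authorize_two_factor(user, "correct horse", totp(b"demo-shared-secret", now), now))
    print("two-factor, stale code:", authorize_two_factor(user, "correct horse", totp(b"demo-shared-secret", now - 120), now))
```

The point the example makes is the one in the text: the card-on-file check has nothing to bind the transaction to the person, so stored card data (the TJX problem) is as good as the card, whereas the two-factor path requires a secret that never leaves the user's head and a code that expires within a minute or so.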
And yet, as compelling as these are from a security perspective, there is still the need for a "viable business case and immediate ROI." As consumer commerce security gains more of a media focus, there will be a push for new implementations and methodologies addressing the issues. However, each of these will have to overcome the cost associated with deployment. For example:
- Hardware Deployment and Updates
- Software Updates
- Consumer Marketing and Education
- Consumer Distribution (if new instrument)
- Acceptance Cost
- Traditional "Go To Market"
This is, in part, why the EMV methodology (also known as Chip & PIN) hasn't been adopted in the US. In my opinion, the above issues can be addressed in several ways. Perhaps the easiest, but most immediately expensive, would be to ensure the instrument can be implemented with measurable ROI for the merchant and a consumer story that is compelling. Or, consumer security schemes and instruments can become service-oriented. Considering the widespread adoption of SaaS (or Software + Services) methodologies, there is an opportunity for commerce-specific security schemes to adopt technology that decreases the difficulty of widespread implementation and adoption.
(seat 11A from DEN to TPA)
November 28, 2007