Endava has been helping a UK IT industry association with some thought leadership pieces recently, and I’ve been permitted to share my contribution before the report is published.
We’ve contributed to two essays, and I’ll post a link on this site when they are released in early 2014. This is the second part of two posts – you can read the first one on user experience for banking customers here.
Identity & Authentication – Time for a Financial Services digital services passport?
The answer here lies in three distinct areas:
- The Authentication Conundrum
- The Internet Identity Crisis
- The Organisational, Political and Social Resistance to Single Sign On.
The Authentication Conundrum
Let’s take one of the biggest retail banks in the UK. To log into their online banking systems they have a variety of authentication methods:
- Website which requires a physical security device to create a one-time numeric password
- Website for their credit card product which requires the user to enter specific digits of their password
- Telephone banking which requires the user to enter specific digits of their telephone banking password
- Mobile app which requires a 5 digit numeric password
- ATM machines which require a 4 digit numeric password
- Message board / forum which requires a username (none of the other services require this) as well as a password with a minimum of 8 characters with a combination of numbers, symbols and mixed case letters.
These methods are not only inconsistent, they negatively impact the users’ experience of the online servicing channels.
Organisations need a unified authentication standard. I understand that an ATM requires a physical card, so it can have the easiest authentication of only 4 characters, but why do the message boards (which have no account access) need to be more complex than the mobile banking app?
The Internet Identity Crisis
In order to trust online retailers with our private details, we use SSL security certificates. Certificates are not just for encryption, they are a means of ensuring we are buying from a company who is who they say they are.
It’s now time for the other way round – for customers to prove who they are.
If a user books a room on Air B&B, they don’t want to stay at a mass murderer’s house, and the house owner doesn’t want a mass murderer staying with them either. Both need to have a level of trust on the network – usually achieved by previous transactions being validated.
I have an eBay account with 100% positive feedback amassed over a few years and over 500 ratings, both buying and selling. So when I join a site such as TripAdvisor, or Air B&B, that eBay ‘score’ should count for something. I’m the same person. And this is the Internet’s Identity Crisis.
The Internet needs a centralised Single Sign On system to link all accounts into a common identity. Facebook and Twitter both have their own systems in place (Facebook Connect and Sign in with Twitter), but the issue here is about Trust. I don’t trust those two organisations to log into my bank, tax or healthcare providers.
I do trust my bank though. And so do most people. Whilst the media attempts to discredit banks, there aren’t mass cash withdrawals from banks because the public fundamentally does trust them.
In my view, to solve the Internet Identity Crisis, banks should build a Single Sign On system which uses similar OAuth based technologies to the social networks which can be used by any third-party website. The system provides authentication to the website, but won’t allow any other details to be exposed unless the user explicitly permits.
Only then will the Internet Identity Crisis be solved.
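The consent-gated release described above, as an added Python sketch that is not Endava’s or any bank’s code: the bank acts as an OAuth-style authorization server, always confirms that the customer authenticated, and returns further claims only for the scopes the user approved on the consent screen. The scope names, the per-site hashed subject identifier and the sample customer record are assumptions constructed for this example.

```python
import hashlib
import secrets
import time

# Constructed sample customer record for this example (not real data).
BANK_CUSTOMERS = {"cust-42": {"name": "A. Customer", "date_of_birth": "1980-01-01"}}


class BankIdentityProvider:
    def __init__(self, clients):
        self.clients = clients  # client_id -> registered redirect_uri (assumed registry)
        self.codes = {}         # one-time authorization code -> grant
        self.tokens = {}        # access token -> grant

    def authorize(self, client_id, redirect_uri, requested_scopes, customer_id, user_consents):
        """Called once the bank has authenticated the customer and shown a consent screen."""
        if self.clients.get(client_id) != redirect_uri:
            raise PermissionError("unregistered client or redirect_uri mismatch")
        # Authentication itself is always granted; every other scope needs explicit consent.
        granted = {"authenticate"} | (set(requested_scopes) & set(user_consents))
        code = secrets.token_urlsafe(16)
        self.codes[code] = {"client_id": client_id, "customer_id": customer_id,
                            "scopes": granted, "expires": time.time() + 60}
        return code

    def exchange_code(self, client_id, code):
        """The third-party site swaps the code for a token; codes are single-use and short-lived."""
        grant = self.codes.pop(code, None)
        if grant is None or grant["client_id"] != client_id or grant["expires"] < time.time():
            raise PermissionError("invalid, expired or replayed code")
        token = secrets.token_urlsafe(32)
        self.tokens[token] = grant
        return token

    def userinfo(self, token):
        """Release only the claims covered by the consented scopes."""
        grant = self.tokens.get(token)
        if grant is None:
            raise PermissionError("unknown token")
        record = BANK_CUSTOMERS[grant["customer_id"]]
        # Per-site pseudonymous subject: stable on return visits, hides the internal customer number.
        sub = hashlib.sha256(f"{grant['client_id']}:{grant['customer_id']}".encode()).hexdigest()[:16]
        claims = {"sub": sub}
        if "profile" in grant["scopes"]:
            claims["name"] = record["name"]
        if "date_of_birth" in grant["scopes"]:
            claims["date_of_birth"] = record["date_of_birth"]
        return claims
```

A site that requests more than the user approves gets the authentication result and the consented fields only; replayed codes and unregistered redirect URIs are refused.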
The Organisational, Political and Social Resistance to Single Sign On.
Technically, Single Sign On has been solved by a number of organisations. This leaves three resistances to Single Sign On: Organisational, Political and Social.
Traditional organisations are built in silos. When one part of an organisation builds a system, it’s uncommon for that part to comply with existing authentication systems unless specifically mandated, which is also uncommon. This leads to the issues outlined in the retail banking example above, with six systems, each with different passwords and password complexity.
Political resistance is encountered where a specific authentication system isn’t adopted because of perceived risk or perceived non-standard technical constraints.
Social resistance comes from attention-grabbing headlines such as the one shown above. These headlines undermine the credibility and security of large-scale websites and digital service providers, creating resistance to adopting new technologies. And this doesn’t help anyone.