Encap Puts Passwords On Notice With Authentication Solution
ECommerce, though constantly evolving, is still a system that provides an established user experience. Much like we've come to expect using PIN numbers for debit card purchases, we as Internet users trust traditional logins and passwords to provide security on the web.
Still, that doesn't mean there aren't companies looking to shake us out of our complacency and improve on this system.
Norway-based authentication provider Encap is one such firm. The company's website promises "an authentication revolution," one where payments can finally "break free from the constraints of traditional PC-based solutions."
Once more, Encap says that its authentication solution is easy to integrate, low-cost, safer than one-time passwords and just as secure as tokens. In other words, it's a solution aimed to appeal to financial service providers that want to offer both security and user experience in a way that makes business sense.
But will Encap’s unique pitch be enough to spur financial institutions to action? To find out more about how Encap’s solution could alter the future of online payments and web security, we spoke to CEO Thomas Bostrøm Jørgensen.
PYMNTS.com: This is the first time we've spoken with you at PYMNTS.com. To start, would you introduce Encap to our audience and talk about the work your company has been doing?
Thomas Bostrøm Jørgensen: We are a mobile authentication specialist, based in Norway. We work with partners, and directly with customers, to bring software-based authentication to their users in a way that boosts adoption of financial services. In the last year, we’ve increased our customer base tenfold, opened a new office in Palo Alto, and this month we announced a new round of funding. Our customers and partners include EnterCard, Sparbanken Vest, Evry and Fujitsu.
What do you see as the biggest problems with current one-factor and two-factor authentication methods? Perhaps touching on user experience, security and cost?
One-factor is insecure. A password is no longer enough to protect valuable information. The current trend that asks users to select ever more complex passwords, and change them regularly, doesn’t do a great deal in practice apart from frustrate users, who can’t be expected to carry around a bunch of complicated passwords in their heads
Two-factor is much more secure, but there are big problems with the approach many of the big banks and tech giants such as Facebook and Microsoft are rolling out. Hardware tokens and text messages, the method mostly used to get a one-time password to the user, cost money. This may be pennies or even part of a penny each time, but it soon adds up. Users resent carrying around an extra piece of hardware, especially when they are already carrying a mobile. There is also the problem of "context switching." These methods of authentication take the user away from the app, and make them copy and paste. Overall, it’s a poor experience.
Users should be embracing the extra security that two-factor brings, but instead a poor user experience is hindering adoption. Many make their two-factor authentication opt-in, despite it costing them a great deal of money. If they truly believed that this wasn't a trade off between security and user experience, it would be mandatory!
So, explain to us how Encap works around or improves upon these problems. What makes your solution different?
Two-factor authentication is something you have and something you know. A great many people who would dislike having an extra piece of hardware foisted upon them happily carry around a smartphone in their pocket. With Encap, the smartphone becomes the "something you have" and a PIN the "something you know." Developers can embed the solution in an app, so there’s not context switching. So, for example, when a user wants to transfer money from their bank account while on their laptop, their mobile phone will awaken and ask for a PIN through a branded interface. There are no upfront costs for the developer, which means smaller players can offer a better solution than many tech giants. So far, there has always been compromise between security and the user experience. - Encap offers uncompromising speed, simplicity and banking-grade security.
You've written that one-step and two-step authentication options - those that rely on tokens or otherwise - won't work "long term." When do you believe we will see tech, payments and retail companies finally move away from these options in mass?
Users don’t know yet that you don’t have to choose between a good user experience and good security. The move to a superior solution will happen when it starts to really affect the bottom line - a better online banking and mobile banking service is now just as important for customers as good customer service and competitive deals. The feedback from our customers has been borne this out.t – Oon average our customers report only five support calls about authentication for every 10,000 users using our solution.
Speaking about the payments industry more directly, what kinds of changes do you think your company's two-factor authentication can spark, and how will this improve security and user experience online?
Passwords are near -useless, and the tools criminals use to steal them are only going to get more sophisticated. More complicated and secure methods of storing passwords are only going to prolong a pointless arms race. However, passwords have been the norm since the birth of the computer age, and getting people to give them up will be very tricky.
The outrage that is sparked any time a service such as Facebook or Gmail brings in minor change should teach us an important lesson. Users may want better security but they want their experience to remain constant and hate change. The answer is to effect radical change but keep it simple and transparent to the user. The fact that Facebook, Google and Microsoft keep their OTP-based two-factor authentication optional, rather than mandatory, shows that they understand that the solution they offer is suboptimal as it will negatively affect the user experience. What’s needed instead is two-factor that feels like one-factor, and that’s what we deliver.