Why ZenKey Authentication Is A Good Idea – With A Big Design Flaw

Boku authentication integration consumers eCommerce

Five years ago, a merchant might have been able to rely on consumers being patient with a digital commerce experience that was less than perfectly smooth. The technology was still emerging and was still something of a work in progress. Today, that door is pretty much closed. The customer expects processes that are smooth and swift — and if a transaction does not meet those expectations, the consumer will likely continue down the line to the next provider who can give them that experience.

This means authenticating a consumer has turned into something of a tricky and delicate process. At base, customers understand why there needs to be a sign-in before they can start transacting; in practice, they have a finite amount of tolerance for jumping through hoops before they can do whatever they came to do.

As Boku CEO Jon Prideaux told Karen Webster in a recent conversation, passwords are a well-known bust at this point — they are difficult to remember, cumbersome to manage and easily stolen by cybercriminals. Two-factor authentication leveraging SMS (texting) is billed as more effective and slightly less irritating to consumers than passwords — but as an authentication method, it is increasingly not up to the task.

“Two-factor through SMS has gotten the job done, but it is getting cranky at the edges,” Prideaux said. “We do know that it performs better than passwords in terms of protecting transactions, but we also know that for every 10 transactions that get sent out, only nine come back.”

In the last few years, the incredible demand among consumers and merchants has created an intense race to create a password-killing, single sign-on authentication method, attracting the likes of Apple, Google, Facebook and Microsoft. There is a large addressable market, Prideaux noted.

And, as of a little over a week ago, the four largest carrier networks in the U.S. — Sprint, Verizon, AT&T and T-Mobile — decided to jump into the race with the ZenKey, their rendition of a single sign-in service. The move makes sense, Prideaux told Webster, given their vast troves of relevant authentication data. But their strategy in doing it, he noted, may keep ZenKey from igniting — much less reaching its intended potential.

Building a More Zen Authentication Experience 

In many ways, the ZenKey is structurally similar to the single sign-on services (SSOs) that have recently entered the market from a host of big tech providers. Instead of logging in with a password, the user designates the SSO to approve all login requests made from the customer’s mobile device. On the backend, ZenKey verifies the customer’s identity via the multiple streams of identifying data issued from the phone itself during the transactions — IP address, SIM card details, phone number, phone account type and (if biometrics are available) fingerprint or face.

The decision of networks to use their data to jump into the authentication process is an incredibly sensible one, Prideaux noted, as the carrier networks already have access to the best and most reliable data from the mobile device itself.

“Moreover, by being the only ones with access to the SIM card in the devices, they are the only people with access to the secure hardware,” he added.

In addition to knowing how long a customer has been associated with a specific number, the carrier also knows how long they have owned the phone they are using, said Prideaux. If a SIM card tracks a purchase and the name on the transaction matches the name on the phone line, and the customer has been using the phone for the last three years, that tells the merchant one thing. But if the data says the SIM card has only been in the phone for 24 hours, that might be a reason to take a closer look at the transaction, even if the names all match up.

That is why Boku has built its authentication services around carrier data, Prideaux noted — because it offers many reliable, unique and hard-to-fake clues relating to transaction authenticity. It makes all the sense in the world that the carrier networks would look to build a product that leverages that unique data set into a consumer-facing product — particularly, Webster noted, if their broader intention is to create an entire ecosystem of value-added services.

The carriers have spent a long time looking for a way to claim a piece of the transactions flowing through phones — and Prideaux and Webster agreed that building a robust, reliable authentication ecosystem is a plausible entrance point.

Except for one small thing: Joining up with ZenKey has a stutter step that might prove to be a problem. To use it, customers have to download an app.

The Importance of Really Removing Friction 

The point of creating single sign-on authentication is to remove friction for the customer who doesn’t want to have to manage 14 or 15 passwords or stop during every transaction to exchange a six-digit code with the merchant. In the vast majority of cases, consumers don’t like friction.

“Perhaps if it is a very high-value transaction, they want to feel that little bit of extra resistance, because that makes them feel more confident that they are in control of the process,” said Prideaux. “Other than that, we’ve seen consistently that consumers want authentication that is very potent in effect, but mostly invisible. I am not sure there is a great appetite among consumers to download an additional app.”

Webster noted that she would go one step further: For an awful lot of customers, the requirement to download another app means they will never try the service.

That’s why Boku has focused its efforts on using phone carriers’ data, but applying it in the background for merchants so that consumers pass through friction-free whenever possible, and so that a yellow light only signals when something anomalous comes up.

That is what consumers are looking for, said Prideaux, likening the experience to going to a casino. Everyone wants a casino to be very secure, given the large sums of cash lying around, but no one wants to feel like they are gambling in Fort Knox. As a result, the security is very tight when it needs to be — as anyone who has ever attempted to break a rule in a casino can readily attest — but is nearly imperceptible to the consumer unless they are breaking a rule.

Prideaux believes the same is true in the world of consumer authentication: Everyone wants it to be robust, but they want that robustness to come without having to do much additional work.

“That is what the future of mobile authentication looks like, I believe: making the process far into the background, but really secure,” he said. “Because the process that is in a customer’s face or that makes them work hard doesn’t make them feel reassured — it makes them feel irritated.”