Entersekt: Why Authentication Needs A Standard

Authenticating a transaction can be a widely varied experience.

Call centers, particularly those dealing with financial transactions, have a strong need to be sure that the person on the other end of the line is actually their customer. The fact that most firms know that, and set up measures to properly authenticate those customers, is a good thing, said Chief Commercial Officer Dewald Nolte of Entersekt in a recent conversation with Karen Webster.

The fact that every institution seems to use a different authentication method, on the other hand, is less useful.

Sometimes, that cashes out in semi-amusing ways. Webster related a story of trying to figure out purchases on a credit card statement that entailed two different authentications by two entities using completely different methods in under five minutes. Other examples, Nolte noted, included customers who were asked to show funny notes they’d written, make funny faces or even hold up that day’s newspaper as proof they were a real, live person.

That, Nolte said, is the fun side. The less fun part is that customers who go through so many variations on authentication are left unable to question when one is going wrong.

“Fraudsters can take advantage of the fact that authentication is all over the map,” Nolte said, “especially if they manage to intercept legitimate calls. Customers don’t know when to ask ‘when do I not trust this anymore?’ because every time they do an authentication, there are different requirements, and answering a lot of personal questions doesn’t strike consumers as odd.”

That’s bad for consumers, bad for the development of digital channels for commerce and bad for financial services in general because it will act as an inhibitor on what the market can develop. The goal, Nolte said, is to find a way to standardize the way authentications are done, since it could create opportunities and make things much easier on users.

Friendly Friction

The dominant conversation around payments and commerce when it comes to authentication matters (among other things), Nolte noted, is that consumers hate friction and can’t bear to be exposed to it. Thus, friction needs to be rooted out at all costs.

That is true, he said, but with a significant asterisk attached. Consumers can be very tolerant of friction when they perceive it as serving a useful purpose and if the tasks they are made to undertake aren’t terribly onerous.

“The user isn’t even likely to perceive it as friction at all,” Nolte said, “because it is something they know, and it is something they can become accustomed to. That actually can be something they find reassuring in the process because it always goes through the same way and in the way they expect it to.”

Consumers get frustrated when the friction causes an interruption in their activity in an unpredictable or unexplained way. He noted that he had a friend who tried to sign on for a Netflix subscription with a card that was inexplicably declined. He didn’t stop to try and figure it out, but moved on to the next card in his wallet and was watching a movie shortly thereafter. The next day, he got a call from his bank, noting that his card was in a batch of compromised cards that it had deactivated.

That next-day explanation, coming after the client was inconvenienced, Nolte said, means a lost client. From then on, the friend used the card that worked more reliably, finding a way to authenticate a transaction more useful than spontaneously having the plug pulled on the card.

When the trusted entity is a bank, they are reaching out to the customer to say, “I have you, I am protecting you and someone cannot use your card or account without your knowledge.”

Get it right, he noted, and a working process makes consumers more loyal.

“If you get it wrong in the [state] we are in (this is the era of instant gratification), that customer is probably gone,” Nolte said.

Doing It Better

There are many ways to standardize and simplify the authentication process for consumers, ways that do not compromise its security or strength. These aren’t complex things, Nolte noted. A customer who has dialed in and been authenticated by a bank should be able to port in an authentication if they are transferred to a merchant. That is not terribly difficult to pass along. The mobile device itself contains a massive amount of potential for streamlining security, while still maintaining its strength.

“The way we see the industry moving forward is to embrace the fact that the mobile device is a very powerful device that the user has on them at all times,” Nolte said, “and to leverage all that processing power to really enhance the user experience.”

There are a lot of tactics to get there, he noted, but when businesses can lock in on the device itself and verify that “that mobile is the right mobile,” the industry itself will be able to make a great leap forward. The industry also needs organizations that reach out to consumers to be able to verify themselves as well. Fraudsters spend all kinds of time pretending to be groups they aren’t — the IRS, the bank, the head of a lottery organization.

The goal, he said, is to create a reciprocal relationship of trust between both parties, user and institution, and bring that to each conversation so that everyone involved feels certain of who is on the other end of the line. The mobile device is a strong authentication factor, one that has a rich future in creating the right context to, perhaps, create that trust.

What’s Next

Humans, he told Webster, are creatures of habit, who can tend to make change at a slower pace than most people want. A certain number of early adopters jump at novelty and, at some point, a tipping point is reached and everyone else runs along for the ride.

Authentication, with the regulatory push behind it, is getting to the point where the changes are beginning to happen. Mobile, he noted, is becoming mandatory in some areas where the regulation is more stringent, insofar as it is becoming the most usable tool.

“I would be surprised, in the next three to five years, [if] we don’t reach that point with mobile authentication,” Nolte said.

There are and will be stumbling blocks to progress. The majority of authentication mechanisms in place are still one-time passwords, despite their many flaws, but the world is moving away from that.

“It is considered good enough by a lot of banks and organizations because you only need to have someone’s phone number to use it,” Nolte said. “But at the end of the day, the use cases will drive real adoptions. SMS is good enough for certain kinds of events, but as we get into more complex emerging use cases, they won’t work.”

As the scenarios become more complicated, and as customers want to do more on mobile that requires they be authenticated, this will drive the adoption and push for more advanced authentication methods. In addition, as open banking becomes more of a global norm (and as consumers desire to consolidate more actions across providers), banks, FinTech firms and the like will encounter more authentication methods and vote for the ones that work better.

“Consumers will ultimately choose,” Nolte said. “They’ll choose the use cases they most want to pursue, and they will choose the authentication methods that increase their comfort, without confusing or [complicating the] transaction for them.”