When we talk about the authentication space there are really 3 things we have to balance. It boils down to 1. Real security, 2. Perceived security, and 3. Price. What we’d hope is that all players in the space would have strong real security. I mean, that’s the business we’re in, isn’t it? But when it comes down to it, not all login systems are created equally.

And unfortunately perceived security combined with an effective pricing model can equal success, regardless of the level of actual security. What that means is the industry is open to clever fox-types who can swindle their way through a sales presentation based on slick ideas with little real security provision. Yikes. And our consumers are left vulnerable, but worse – with the perception that their information is secure.

And then there’s me. And my colleagues. See, we’re sticklers for real security. We’re those geeky types who aren’t satisfied with merely protecting our clients authentically from current threats while providing perceived security through positive user experience. We’re the crazy guys who are determined to get it right, without cutting corners. We have this crazy notion that we won’t stop improving our technology as long as there are still hackers out there finding ways to compromise consumers. Of course, that means we have a team of geeky types just like us on payroll. And our pricing strategy can’t compete with the fake-it-till-you-make it guys. We believe you get what you pay for, and even though our prices aren’t much higher than the other guys, cost-cutting measures can mean that the contracts go to the cheap solutions, even when those solutions offer cheap quality.

That’s ok though. We’re creating a safety net. When the merchants out there are disappointed with their lack of actual security, when the hackers seem to be winning the battle, we’re here to catch you when you fall. It’s like the commercial for Office Depot when a barber sees a competitor open shop across the street for “$6 haircuts.” Our barber puts up a sign saying “We fix $6 haircuts.” That’s us. We fix $6 haircuts authentication.

He proposes, based on extensive knowledge of the market, that most IAMs are focused on one of two things – either purely securing access to data, or on the other hand, understanding all aspects of the access event. I think we’ve got something a little different going on here.

When I walk through the office the buzz I hear from my colleagues takes on three very distinct tones.

1. Usability. Yes, real security is why we’re in business. But perceived security is what sells solutions and makes them popular. If our clients’ customers are happy with what they see and how user-friendly it is, we’ll succeed. Of course, that assumes that we do a rock-on stellar job of actual security, but hey, in my office that’s a non-issue. What we’ve got rocks the house.
2. Staying ahead. We can stop man-in-the-browser attacks. We have a handle on phishing, in all its many varieties. Key-logging – done. Password-stealing malware? Bam! Take that! (as Batman would say). But what’s next? What are the criminals working on next, and how can we beat them to the punch? For us, it isn’t enough to protect our clients from today’s problems. We want to protect them from tomorrow’s too.
3. Your gramma, or Gram, as we like to call her. Can she use our product? Can she do it easily? Can someone trick her into using it to divulge sensitive information? Does this protect Gram? Does it do it in a way that will leave her satisfied at the end of her transaction, looking forward to her next online interaction? See, knowing that Joe Techie can use our system means nothing to us. He can do all sort of things online, and if he has issues he knows where to go for help. We want to make sure Gram is taken care of, happy with her interaction, and ready to tell all her friends that she doesn’t know what all this hullabaloo is about – her bank (or favorite online store) is easy to use and entirely worthy of her trust.

That’s what we talk about in our office. Well, that and the new curry place down the street. They’ve got a mean Tikki Masala. Ok, fine. So we also talk about which fair trade coffee we’re going drink this afternoon and who’s going to the cricket match this weekend. But that’s just us.

They could approach it the way AT&T did when they realized that 3% of users (iPhone owners) exploit 40% of bandwith – AT&T started looking for ways to discourage iPhone users from accessing the data services they so love. Instead of using the situation to build business and expand services (which is what any strategically driven company would do) AT&T looked for ways to hamstring their customers.

Banks could take the same approach, right? Encourage their customers to use online banking less. Scale back online services. Provide second-rate security. Promote fear in their customers.

Of course, that would mean technological dinosaurs that take the path of least resistance would inevitably lose customers to banks that provide the online services their customers want. Penalizing users for creating business process conundrums does nothing but propel corporations into decline.

So maybe, in an ideal world, banks might think to increase security to keep up with online threats. Novel idea, right? In fact it is, in a way. As online risks have grown, the majority of banks have done little to keep up with the threat level. Sometimes it’s easier from an operations perspective to reimburse money lost through identity fraud than it is to actively protect against it.

Come on, folks. Are we really lazy enough to believe that doing nothing and suffering attack is better than proactively adopting solutions to protect our customers? Check out Tricerion’s SafeLogin. It’s simple. It’s elegant. It’s easy from the bank’s side and seamless to the user.

Don’t make the mistake AT&T did. Move with the market. Take the lead. Get your groove on.