When we talk about the authentication space there are really 3 things we have to balance. It boils down to 1. Real security, 2. Perceived security, and 3. Price. What we’d hope is that all players in the space would have strong real security. I mean, that’s the business we’re in, isn’t it? But when it comes down to it, not all login systems are created equally.

And unfortunately perceived security combined with an effective pricing model can equal success, regardless of the level of actual security. What that means is the industry is open to clever fox-types who can swindle their way through a sales presentation based on slick ideas with little real security provision. Yikes. And our consumers are left vulnerable, but worse – with the perception that their information is secure.

And then there’s me. And my colleagues. See, we’re sticklers for real security. We’re those geeky types who aren’t satisfied with merely protecting our clients authentically from current threats while providing perceived security through positive user experience. We’re the crazy guys who are determined to get it right, without cutting corners. We have this crazy notion that we won’t stop improving our technology as long as there are still hackers out there finding ways to compromise consumers. Of course, that means we have a team of geeky types just like us on payroll. And our pricing strategy can’t compete with the fake-it-till-you-make it guys. We believe you get what you pay for, and even though our prices aren’t much higher than the other guys, cost-cutting measures can mean that the contracts go to the cheap solutions, even when those solutions offer cheap quality.

That’s ok though. We’re creating a safety net. When the merchants out there are disappointed with their lack of actual security, when the hackers seem to be winning the battle, we’re here to catch you when you fall. It’s like the commercial for Office Depot when a barber sees a competitor open shop across the street for “$6 haircuts.” Our barber puts up a sign saying “We fix $6 haircuts.” That’s us. We fix $6 haircuts authentication.

The debate on usability vs. security somehow always leans towards usability as the obvious choice (we all like “simple”).  Yet every day, all around us we are faced with the very same dilemma:

• Airport security. Yes, I want to just show my ticket at the counter and go straight to the airplane door … no frisking, please.  Unfortunately, not all people are getting on the plane just to travel from A to B.  Some of them try to carry explosives on board.  Our concern for safety will allow for more stringent access control to the planes.

• Government. The Bolshevik revolution started with the social ideal of universal equality.  The Communists believed that every man is inherently good, if he was only given the right tools and opportunities.  Give everyone an equal amount of food, money, clothes, housing, work, and paradise will descend upon us.  Of course, the masses should be defenseless because the State will protect them.  Being different or more gifted than others is also uncool, because you just make the others look bad (remember – universal equality).  If you had to live through that atrocious Communist experiment, would you rather have a meager, but stable and predictable existence where most of your basic needs are met, or would you chose total freedom and personal responsibility for your own success (and failures).  It is incredible, but usability (so to say) wins here too.  People want it easy when it comes to government – basic needs trump individual freedoms.  In a recent poll, 60% of Russians still regret the break up of the Soviet Union.

• Online Privacy. There’s been a major paradigm shift in how our society views personal issues.  We now easily discuss very private events and feelings with hundreds of our Twitter and Facebook followers.  Our trust in online privacy created a new (false) sense of security in believing that we still control the information. How much inconvenience would you bear (in terms of access security) to make sure that your social networking accounts are never compromised and misused?  My LinkedIn account is connected to many people I respect and appreciate.  The last thing I want is for someone to hijack my credentials and discredit my reputation or my network.

-       Zack Whittaker asks “How would you fix it?” (the password clutter vs. security issue).

I’d like to suggest that G.K. Chesterton’s response to the famous question “What is wrong with the world?” applies in this case.  Chesterton’s response was written in a form of a letter to “The Times” which initially posted the question:

Dear Sirs,
I am.
Sincerely yours,
G. K. Chesterton

What is wrong with the username and password?  I am.  The user is.  As long as the user has the ability to share authentication credentials, he is vulnerable to social engineering (phishing) attacks.  We assume (much like the Communists did) that the user is generally smart and responsible . . . we just need to build higher walls for the enterprise technology or web services (firewalls, etc.).  I agree that the usability has to remain high, and mutual authentication, specifically graphic passwords, is one of the few security approaches that increases access security, while targeting the weakest link – password shareability.  When using graphic passwords, the user has no ability to easily share his password by typing it, disclosing it on fake websites, sending it by email or even writing it down on a piece of paper.

Our use of technology in everyday life has changed how we live now, 45 years after the first mainframe computers were built.  Yet, we continue to use a 1960s access control mechanism.   Passwords have evolved into the 21^st century and it’s time to benefit from it.

In the last two years hackers have stolen over $40 million from small to medium enterprises that typically don’t have the resources or tech expertise to protect themselves from such attacks. They often do business with small banks and credit unions, which are typically considered “low hanging fruit” for hackers. Channel-Pro SMB interviewed our very own Stuart Morris about this issue, and the write-up points out some key issues – like the impact this can potentially have on small to medium businesses.

The solution the feds propose is a dedicated computer used only for banking. They recommend it because malware is often installed when surfing the net, gaming, emailing, and downloading programs. It isn’t fool-proof though. Crooks are smarter than we like to think and a computer dedicated to online banking isn’t a surefire way to stop them. And logistically, unless we’re talking about sole proprietors, it becomes both a hassle and prohibitive expense when every person who needs access to banking information requires a separate computer to do so.

Hey! I have an idea! What if banks, e-commerce sites, and other agencies requiring sensitive login procedures found a way to protect their users and consumers from this type of fraud? Is it possible? Is it plausible? What is this, 1976? Of course it is! And it has been for years.

The only real way to stop keyloggers is to stop typing passwords. You know how you use your mouse to click on buttons on the computer screen?  There’s no reason banks couldn’t use a clickable keypad on the screen to replace password typing, or even credit card entry. And guess what? It’s already being done. There’s a system that first recognizes the user and generates a customized keypad for them. If your keypad doesn’t look right you know you’re on a fraudulent site. When you see the keypad you recognize, you use your mouse to key in your password. Easy, breezy. And keyloggers don’t have a chance. (Neither do man-in-the-middle, man-in-the-browser, or any host of other hackers.)

Wanna give it shot? You can. Go ahead – try it now. I’ll give you a buck – a whole greenback for the minute you spent – if you think it’s too hard to use.

In light of this interesting story, I wonder what fate awaits the author of this video should he be the proud owner of a Lockface USB security token.  The device itself depends on the ability of the webcam to recognize the person, which would serve as an authentication credential for site/system access.  However, if a computer you are using does not have a webcam (or fails to “see” you as in this video), defying all logic, the token reverts to a simple password entry . . . still wandering what the whole point is . . . why spend $110 for the privilege of typing your password? Especially when the guy who lifts it from you can revert to his well-honed tactics of password hacking.

He proposes, based on extensive knowledge of the market, that most IAMs are focused on one of two things – either purely securing access to data, or on the other hand, understanding all aspects of the access event. I think we’ve got something a little different going on here.

When I walk through the office the buzz I hear from my colleagues takes on three very distinct tones.

1. Usability. Yes, real security is why we’re in business. But perceived security is what sells solutions and makes them popular. If our clients’ customers are happy with what they see and how user-friendly it is, we’ll succeed. Of course, that assumes that we do a rock-on stellar job of actual security, but hey, in my office that’s a non-issue. What we’ve got rocks the house.
2. Staying ahead. We can stop man-in-the-browser attacks. We have a handle on phishing, in all its many varieties. Key-logging – done. Password-stealing malware? Bam! Take that! (as Batman would say). But what’s next? What are the criminals working on next, and how can we beat them to the punch? For us, it isn’t enough to protect our clients from today’s problems. We want to protect them from tomorrow’s too.
3. Your gramma, or Gram, as we like to call her. Can she use our product? Can she do it easily? Can someone trick her into using it to divulge sensitive information? Does this protect Gram? Does it do it in a way that will leave her satisfied at the end of her transaction, looking forward to her next online interaction? See, knowing that Joe Techie can use our system means nothing to us. He can do all sort of things online, and if he has issues he knows where to go for help. We want to make sure Gram is taken care of, happy with her interaction, and ready to tell all her friends that she doesn’t know what all this hullabaloo is about – her bank (or favorite online store) is easy to use and entirely worthy of her trust.

That’s what we talk about in our office. Well, that and the new curry place down the street. They’ve got a mean Tikki Masala. Ok, fine. So we also talk about which fair trade coffee we’re going drink this afternoon and who’s going to the cricket match this weekend. But that’s just us.

They could approach it the way AT&T did when they realized that 3% of users (iPhone owners) exploit 40% of bandwith – AT&T started looking for ways to discourage iPhone users from accessing the data services they so love. Instead of using the situation to build business and expand services (which is what any strategically driven company would do) AT&T looked for ways to hamstring their customers.

Banks could take the same approach, right? Encourage their customers to use online banking less. Scale back online services. Provide second-rate security. Promote fear in their customers.

Of course, that would mean technological dinosaurs that take the path of least resistance would inevitably lose customers to banks that provide the online services their customers want. Penalizing users for creating business process conundrums does nothing but propel corporations into decline.

So maybe, in an ideal world, banks might think to increase security to keep up with online threats. Novel idea, right? In fact it is, in a way. As online risks have grown, the majority of banks have done little to keep up with the threat level. Sometimes it’s easier from an operations perspective to reimburse money lost through identity fraud than it is to actively protect against it.

Come on, folks. Are we really lazy enough to believe that doing nothing and suffering attack is better than proactively adopting solutions to protect our customers? Check out Tricerion’s SafeLogin. It’s simple. It’s elegant. It’s easy from the bank’s side and seamless to the user.

Don’t make the mistake AT&T did. Move with the market. Take the lead. Get your groove on.