Improving Customer Authentication
Peter Tapling
President and CEO – Authentify
Blake McDaniel: I'm Blake McDaniel with the Federal Reserve Bank of Atlanta, here with Peter Tapling, president and CEO of Authentify. Hi, Peter. How are you?
Peter Tapling: I'm fine, Blake.
McDaniel: With your entrepreneurial and computer science background, why have you decided to focus on improved customer authentication?
Tapling: Well, I started my career in application development, and all of the very interesting conversations happened around who the person was who was actually engaged in a transaction. And so, through the years, I've just been attracted to this problem because it is so multifaceted. As fortune would have it, as payments have taken off and the Internet has taken off and things have gone mobile, it becomes a bigger and bigger problem, which is more engaging and more interesting.
McDaniel: So what do you see as the biggest obstacles for businesses to implementing enhanced customer authentication, and how do you see these businesses overcoming those obstacles?
Tapling: One of the biggest challenges is change. The attacks change, what bad guys are doing to breach systems changes, and what customers are willing to do changes. And if you look at the banking industry today, what we expect the consumer to do is significantly more involvement than what we expected the consumer to do in the past.
So the challenge that institutions have, and one of the reasons forums like this are great, is to be able to try to—I don't think we'll ever get to a situation where there will be one authenticator for individuals that's used universally, but to the extent that we can give the consumer a consistent experience, I think, everyone, the whole economy, the whole ecosystem will benefit.
McDaniel: Right. And I think you also focused on something to that effect in your presentation, though, and perhaps the converse view of that, where you spoke about the fact that a ubiquitous form of authentication might even make that a wider surface area for fraudsters to target.
Tapling: Yes. The phrase I used was "attack surface." Right. So bad guys are going to try and do bad things forever. Banks hold money, bad guys want money. So whatever mechanisms we put in place, they are constantly searching for ways they can breach those mechanisms. So if you choose one way of doing something, and that one way breaks, then it's broken for everyone.
So earlier I answered the question and said that you want a good customer experience and to be as consistent as possible, but there is some benefit in having those things be somewhat different.
McDaniel: As long as it's not burdensome to the customer.
Tapling: Yes, and that will become an issue of customer choice. Over time, customers will choose to use some things versus other things because of the experience.
McDaniel: So, given the regulatory immunity for consumers, what do you see as the best way to encourage consumers to use safe practices in payments?
Tapling: Certainly, consumers do get a lot of protections from Regulation E. If I drop a 20-dollar bill in the sewer, I've dropped the 20-dollar bill and I don't have it, right? The same is not true necessarily of electronic transactions. That said, I believe that those regulations have been good for the overall economy. As we have grown through the Internet age, I think that Reg E and zero-liability programs and things like that drastically increased the use of these electronic payment mechanisms for consumers.
The direct question you ask is, "What can we do to incent consumers to play in the game?" At the end of the day, it's about ease of use, privacy, and safety. So things that are easier, things that the consumer perceives gives them better privacy, or things that the consumer perceives gives them better safety—all within a balance—are things that the user will do. Earlier we talked about, "What can businesses do?" Well, they're going to be the ones that offer these security mechanisms, and then the consumer is going to choose which of those they want to use. And again, there is a market here, essentially, and things that turn out to be used a lot by the customer, you'll see used a lot more.
McDaniel: So, given that, do you think there is a one-size-fits-all approach to consumer authentication?
Tapling: No. There are very few things in your life, if you think about it, that you protect in only one way. I talked about cash being something that's very simple for the consumer. Well, many people will carry cash in two or three different locations when they travel so that if they get knocked over the head and somebody steals their wallet, there's an extra hundred dollars sitting in their suitcase.
One of the other themes of the conference was "layering," and if there's a one-size-fits-all, it's hard to layer that. The concept of layering is that there are going to be multiple steps in the process, and then if one step has a problem, whatever that problem is—either there are ADA requirements and certain people can't do it, or consumers don't like it, or consumers failed it—there are other mechanisms that can pick up the slack.
So I do not believe that there will be ever a one-size-fits-all, but I do believe that you'll see over time that consumers aggregate naturally to a set of mechanisms that are convenient and comfortable for them, that at the same time the enterprises find give them enough protection.
McDaniel: Interesting. So it's sort of a converging but then evolving standard.
Tapling: Yes, absolutely. I guarantee you that there will be things that enterprises bring to market that fail. Somebody will take that "rifle shot" and they will bring out some big security initiative and they will find out that customers just didn't like it. And the way things work in enterprises, it will run for a period of time because they have to get their ROI [return on investment] out of their three years, but then you'll see those things go away and other things will fill the void.
We as a security industry have an enormous amount of technology. We have ways that we can make things very, very secure. Those very, very secure things don't deliver great user experience, and they're not always necessary. As I said, it will be a market. Enterprises and financial institutions will decide, "What things do I want to bring to market? What attacks am I worried about that I want to protect?" Payment systems and regulators will set another bar, which is you have to minimally do this or there will be liability shift programs that steer people in a certain direction. And at the end of the day, a consumer will be able to look at three different card providers, three payment types, three different merchants, and they all provide slightly different angles on how they do this account protection. And each consumer will make a personal decision as to which one I want to go to, and like I said, over time, this market will level out. Consumers will be attracted to things where they have convenience, safety, and privacy.
McDaniel: Excellent. Well, this has been a very insightful conversation, Peter, and I appreciate you taking the time to sit down with me today.
Tapling: It was a pleasure, Blake. Thank you.