The 4 forces that generate authentication revenue for the channel

Download (0)

Full text


The 4 forces that generate

authentication revenue for the channel

Web access and the increasing availability of high speed broadband

has expanded the potential market and reach for many

organisations and businesses. The web’s mix of ubiquity, low-cost

and ease of use has transformed operational models so very few

businesses now don’t interact with customers, suppliers or staff via

the web.

But as the use of the web has expanded so has the activity of

fraudsters and online thieves. Attracted to the web and e-commerce

channels by the sheer volume of transactions and wide variances in

security, fraud and online theft extends well beyond the traditional

financial services targets.

Now all organisations, whether in B2B or B2C industries, need

to have a proactive plan in place to protect their business - both

internally (staff and suppliers) and externally (customers).

Savvy security resellers will be able to identify both the internal

and external security requirements by better understanding the

customer’s business; and identifying points of weakness on both

sides of the organisational wall.

PeoPle, ProCeSS or TeChNology

Typically points of weakness can be categorised in three main areas - people, process or technology. Most security resellers are well versed in technology and process so our discussion will focus more on the area most difficult for a business to control - people. No matter how strong a security infrastructure is, staff, suppliers, customers, distributors and vendors can be the weakest link that allows the siphoning of data and resources. Identification of exactly who is remotely accessing the network or application is a vital element of any online security strategy with many embracing strong authentication of identity.

The term strong user authentication describes any authentication process that increases the likelihood that a user’s identity will be verified correctly.


The world’s leading software company specializing in Internet Security

There are three ways to authenticate the identity of a user:

• The user presents something they know, such as a password. This approach is known as a Knowledge factor.

• The user presents something they have in their possession, such as adevice or a card. This approach is known as a Possession factor.

• The user presents a personal physical attribute, such as a fingerprint or a retinal scan. This approach is known as a Being factor.

Strong user authentication (or two-factor authentication) is achieved by combining two of the above mentioned authentication factors.

SomeThiNg you KNoW

Passwords are the most common method of using confidential knowledge to authenticate users. Easy to administrate and convenient for most users, passwords are also the least expensive method of user authentication.

Unfortunately, passwords have some drawbacks. Often, user-selected passwords are very short and simple, which makes them easy to guess. This problem is usually solved by implementing password rules that may require a certain password length or include capital letters or numbers, and may even force users to change passwords on a regular basis. Unfortunately, these rules make passwords even harder to remember, which leads some users to write them down and compromise the original goal of security.

Some simple facts bear this out (see if you identify with any on this list): • 12 percent of users use ‘password’ as the password;

• 35 percent of people use a piece of personal information as their password; • 30 percent of users write down their passwords and hide it around their desktop1.

Even with password rules in place, passwords can still be shared between users who want more convenience, which can make the system more vulnerable. In addition, passwords can be stolen by monitoring keyboard keystrokes or network traffic, by tricking individuals into revealing their passwords, or by guessing at them with brute force methods such as dictionary attacks.

Knowledge factors such as password authentication are viewed as a weak form of user authentication because of the problems discussed above. However, knowledge factors are still valuable in high-security applications when combined with other factors such as possession factors.

SomeThiNg you hAve

A stronger way to authenticate users is to provide them with authentication devices or tokens that contain a digital code that acts like a key. An example of an authentication device found in everyday use is a remote key for locking and unlocking vehicle doors.


Authentication devices that are used to access computer networks include: • Devices or tokens, which are available as both hardware and software. These generate a different code every thirty-six seconds. The one-time password is protected with a personalized PIN code and is synchronized with the log-in server. Because the code changes every minute, it is impossible for a hacker to record the code and use it later to login to the system.

• Smart cards, which are similar in size to a standard credit card. These tokens are inserted into a card reader as part of the authentication process. They often contain a digital certificate and they are usually presented in combination with a password or Personal Identification Number (PIN).

SomeThiNg you Are

In the future, biometrics (something you are) might be added to two-factor authentication, thus creating three-factor authentication.

But from a consumer perspective online security is still a concern:

• 60 percent of consumers are very or extremely concerned about other people obtaining their credit card / debit cards details;

• 36 percent are very or extremely concerned about the security of shopping and banking online;

• 59 percent are very or extremely concerned about unauthorised access to or misuse of their personal information.

Of most interest is that each user on average has 6.5 passwords, re-using each one on 3.9 different sites and typing an average of eight passwords per day. No wonder consumers choose simple passwords or write them down.

The eternal trade-off situation now arises. How can you as a security reseller help your clients secure data and resources for e-commerce while providing a satisfactory and simple experience for customers and providing an acceptable ROI?

A simple forces model can help to identify the clients whose business and operational model would gain the most from authentication technologies. The forces model uses the four main pressures driving authentication to identify ideal candidates for strong forms of identifying and authenticating customers and staff.

Four ForCeS

The model examines the internal and external pressures on a business and what they, and the interplay between them, might mean in terms of authentication needs. The forces are:

1. Business impact (internal) 2. Customer impact (external) 3. Industry pressure (external) 4. Marketing sophistication (internal)

» 60 percent of consumers are

concerned about people obtaining

their credit card details

» 36 percent are concerned about the

security of e-shopping and e-banking

» 59 percent are concerned about

unauthorised access to or misuse of

their personal information


The world’s leading software company specializing in Internet Security


The higher the percentage of the business that is exposed to remote access or customers interacting online, the greater the need for strong authentication. When considering business impact factors think in terms of the impact if competitors were able to access and take vital information (like price lists). Take another step toward strong authentication and extrapolate implementation risk versus no action - remember to include factors such as if new hardware and technical skill requirements (if any) were needed. A technology with a long lifespan reduces risk potential as well as improving return on investment.

CuSTomer imPACT

Examine customer statistics and calculate the impact of an access breach. In B2B the number of customers and transactions might be small but the typical value of each transaction is significant. Additionally, partnerships and alliances might require access to key corporate databases. In B2C transactions and customers are numerous, but what percentage are repeat purchases?

In all cases, once you have the statistics, develop scenarios and impacts: • would better authentication increase customer loyalty?

• is the average transaction value and average customer value worth the effort and resources to implement two-factor authentication?

• once implemented does the technology lifespan mean minimal hassle for customers or regular mandatory updates?

• do customers value security enough for the client’s type of transactions?

iNduSTry PreSSure

The industry requirements for minimum levels of security for storing, processing and transmitting cardholder data were addressed in the worldwide Payment Card Industry (PCI) standard released in 2006. However from December 2008, a new version of PCI standard comes into play with several requirements around secure authenticated access for remote access to networks. How applicable are these standards to your client? Also consider whether competitive security approaches are becoming accepted as defacto standards and what that might mean to the client.

mArKeTiNg SoPhiSTiCATioN

Depending on the client there may or may not be a long term strategy. If there is, what future implications does planned marketing activity have for authentication? If online access is to change from low to high, is the infrastructure in place to handle it? As the product offering becomes more sophisticated or the transaction values increase, will the client need a multi-level authentication strategy where the same infrastructure can handle simple authentication and more intense challenge authentication; as well as one button and keypad style authentication devices?

How important is branding and keeping the client’s brand name in front of the customer on a keyring or in a handbag? Would that help to build loyalty? If the client implemented strong authentication, could they create a perceived competitive advantage from a ‘more secure’ model than competitors?


external factors (industry & customers)

high more detailed investigation required - need to research impact of external

factors on business

Take immediate Action low

No Action - revisit every six months investigate a trial - need to examine customer reactions more fully

low high

internal Factors (Business & marketing)

B O S T O N ( N o r t h A m e r i c a ) p h o n e : + 1 . 5 0 8 . 3 6 6 . 3 4 0 0 e m a i l : i n f o - u s a @ v a s c o . c o m S Y D N E Y ( Pa c i f i c ) p h o n e : + 6 1 . 2 . 8 0 6 1 . 3 7 0 0 e m a i l : i n f o - a u s t r a l i a @ v a s c o . c o m S I N G A P O R E ( A s i a ) p h o n e : + 6 5 . 6 3 2 3 . 0 9 0 6 e m a i l : i n f o - a s i a @ v a s c o . c o m B R U S S E L S ( E u r o p e ) p h o n e : + 3 2 . 2 . 6 0 9 . 9 7 . 0 0 e m a i l : i n f o - e u r o p e @ v a s c o . c o m

VASCO designs, develops, markets and supports patented DIGIPASS®, DIGIPASS PLUS®, VACMAN®, IDENTIKEY® and aXsGUARD™® authentication products

for the financial world, remote access, e-business and e-commerce. With tens of millions of products sold, VASCO has established itself as the world leader in Strong User Authentication for e-Banking and Enterprise Security for blue-chip corporations and governments worldwide.


Copyright © 2009 VASCO Data Security, Inc, VASCO Data Security International GmbH. All rights reserved. VASCO®, Vacman®, IDENTIKEY®, aXsGUARD™™,

DIGIPASS® and ® logo are registered or unregistered trademarks of VASCO Data Security, Inc. and/or VASCO Data Security International GmbH in the U.S. and

Learn more on this topic.

View on-demand webinars

Get an overview at:


If external and internal factors are high, strong authentication is an immediate requirement. The good news is that leading two-factor authentication solutions can be implemented in under a week with the distribution of devices to customers the most time-consuming step.

If external forces only are high, the business may not yet have an identified need for strong authentication but one negative customer experience can change things quickly. A review and setting of key trigger points will establish a plan that can be implemented immediately should one of the triggers occur.

If internal forces only are high, a trial of two factor authentication can help to address internal concerns while putting the infrastructure in place if a larger customer rollout becomes attractive.


For security resellers to be successful in e-commerce requires taking a holistic view of each client’s business. Customers are concerned about security but in some cases can be the weak link in the ‘secure’ chain. It tends to be up to each business to enforce better people based security through authentication and using the four forces model, resellers can help their clients and identify the best candidates for strong





Related subjects :