Andre Boysen, Digital Identity Evangelist, SecureKey
Every morning when I leave the house, I do a quick pat down to check for essentials: Phone? Check. Wallet? Check. Keys? Check. These three belongings are basic representations of my identity and are woven into my daily activities. Quite frankly, they’re critical, and like millions of others, I go through this same process whenever I’m leaving a restaurant, a movie, or anywhere else … when I remember to do it.
But what happens when I go through the check-down process and find one of my essential items is missing? I’m overcome with an immediate sense of dread, followed by a tremendous sense of urgency to recover or replace what I lost. My motivation to recover these items consequently transcends whatever else I have going on that day – that’s how critical these items are to my daily life. Because of their importance, my “meantime to recovery” for any of these items is usually a small window. The shorter this window is, the more I’m mitigating risk not only for myself, but potentially the credit card company, phone carrier and other services that may have to cover fraudulent activity.
I was thinking about these two interconnected concepts recently after I received a notification that a user ID and password to an online service I seldom use were “potentially compromised.” Are consumers equally motivated to recover their online login information, as they are a lost wallet? Are they as driven to reduce the meantime to recovery to as short a window as possible?
The answer often is no – or “it depends on the credential.” If you find that your banking user ID was compromised, you’re likely to change it as soon as you can get online. There is a high motivation driving the meantime to recovery to as short a window as possible.
These two concepts – “motivation to recover” and “meantime to recovery” – are critical for online services to understand and cultivate in consumers. Today’s threat landscape has hardened people to the fact that there is a real possibility their user ID and password will be stolen or compromised at some point. Getting the consumer motivated to recover them is important in eliminating the latent risk of the natal compromise.
Low motivation extends the meantime to recovery, prolonging the time an attacker has to use and exploit a credential in their attack. More time to potentially leak consumer information. More time to conduct fraudulent financial transactions. More time to drive up the remediation costs of a breach. More time to damage the brand. More time to destroy any goodwill or trust that has been built up with the consumer.
Can companies cultivate a high motivation in their customers? The numbers on their face are not good – today’s average consumer has more than 130 user IDs and passwords. It’s no wonder why the average person is only concerned with the credential equivalents of their keys, wallet and phone. This is usually a banking credential, a social media ID credential or something equally critical to their well-being.
So how does an online service protect itself from falling into the abyss of user IDs and passwords, motivating its customers to recover their credential? There are two primary methods, one that is extremely difficult, and one that is much easier. The hard way is to change your business so that the consumer highly values it and would never want a credential to the service exposed. Easy to type, not easy to do.
The second way? Anchor to an existing user ID and password that ANY customer would be highly motivated to recover – like the aforementioned banking example. One increasingly popular option is to anchor to a social media platform like Facebook or LinkedIn because consumers often access them several times a day. However, given the recent data breaches at LinkedIn and Tumblr, social media platforms are seemingly more susceptible to data breaches than financial online services whose security is considered by many to be unparalleled.
This is what the Canadian Government has opted to do in partnership with SecureKey and its Concierge Service – it empowers users to access the online services they want using their familiar and trusted online banking user ID and password. Aside from the tremendous convenience this affords a customer, it also alleviates risk for online services by eliminating the use of passwords and personal information to log in a customer. In the end, the web service has a choice: does it partner with a service that anchors an identity to a trusted source to eliminate the risk and stress, or does it become the user’s 131st?