This week, in the UK, the first integration of Apple's Touch ID came to banking applications. Cue uproar on how the technology has already been spoofed. Any security person worth their salt knows fingerprint biometrics aren't secure. Yes, they may be more convenient than passcodes, but combine a high-resolution camera or a shiny surface with a silica moulding kit and you have a security breach quite literally on your hands (well, fingers).
The trouble is that by the time you're old enough (in the "going grey" generation) to know the pitfalls, and you're suitably well established in your industry to be able to inform standards and best practice, you're no longer representative of the "yoof" generation you're delivering products for. Nothing kills a great idea for the younger generation faster than their grandparents thinking it's cool. When your Gran sends you a snap of her running over someone in her mobility scooter, it's time to delete your account and move on to the next craze.
So are the people setting the standards and defining best practice really focussed on the right things? Are they really best placed to do so? For a banking application, is Touch ID too much security rather than not enough? Organisations want to know that the person making the transaction is authorised to do so, to enable them to prevent fraud, meet regulatory requirements, protect their customers and generally do the right thing. Yet from the customer's perspective, all they're concerned about is that, if money they didn't authorise leaves their account, they'll get it paid back.
Ultimately the role of the "going grey" generation is to warn, counsel and support the next generation. Informed choice rather than condescending control, and guided resolution rather than an "I told you so" attitude. Understanding the needs, views and opinions of "the kids" will drive better solutions focussed on outcomes of practical use. The younger generation don't value convenience; they expect it as a minimum! Whilst sometimes this may result in loss or distress for either party, consequences are thought about after the event and there is a customer perception (rightly or wrongly) that someone else will help clean up any fallout.
A new view on authentication is that it is something that occurs as part of the transaction rather than something the user knowingly does. Mitigating risk at other points before, during and after the transaction will enable less reliance on strong authentication methods. Does the transaction fit within the normal patterns of behaviour? Is it being performed from a trusted device? Is the location identifiable and known? Is the value within acceptable risk tolerances? Can the transaction be reversed? And for what time period is it recoverable?
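The questions in the paragraph above, expressed as a risk-based decision that only asks for explicit authentication when the signals call for it. This is an added example, not code from the original post; the field names, weights, thresholds and sample profile are assumptions chosen for illustration.

```python
from dataclasses import dataclass

@dataclass
class Profile:                       # what the bank already knows (constructed)
    typical_max: float               # largest amount in the normal pattern
    trusted_devices: frozenset
    known_locations: frozenset

@dataclass
class Txn:
    amount: float
    device_id: str
    location: str
    reversible: bool
    recovery_hours: int              # how long the payment stays recoverable

# Assumed weights and limits, for illustration only.
WEIGHTS = {"behaviour": 25, "device": 30, "location": 15,
           "value": 20, "irreversible": 30, "short_window": 10}
RISK_TOLERANCE = 250.0               # value ceiling for silent approval
ALLOW_BELOW, STEP_UP_BELOW = 30, 60

def failed_checks(txn, profile):
    """Names of the paragraph's questions this transaction answers 'no' to."""
    failed = []
    if txn.amount > profile.typical_max:
        failed.append("behaviour")
    if txn.device_id not in profile.trusted_devices:
        failed.append("device")
    if txn.location not in profile.known_locations:
        failed.append("location")
    if txn.amount > RISK_TOLERANCE:
        failed.append("value")
    if not txn.reversible:
        failed.append("irreversible")
    elif txn.recovery_hours < 24:
        failed.append("short_window")
    return failed

def decide(txn, profile):
    """Return (action, score, failed): allow silently, step up, or hold."""
    failed = failed_checks(txn, profile)
    score = sum(WEIGHTS[name] for name in failed)
    if score < ALLOW_BELOW:
        return "allow", score, failed      # no explicit authentication
    if score < STEP_UP_BELOW:
        return "step_up", score, failed    # ask for Touch ID or a passcode
    return "hold", score, failed           # pause for review before paying

PROFILE = Profile(80.0, frozenset({"phone-1"}), frozenset({"GB-LON"}))  # constructed
```

Returning the list of failed checks alongside the action gives the dispute-resolution team a record of why a payment was or was not challenged.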
Within all this, the concept of informed choice by the end customer also needs to be considered. Rather than raising an outcry of naysaying about technologies such as Touch ID being used for banking, industry experts should be focussed on the needs of the customer and giving them more credit for being able to make informed choices. If any fraudulent transaction could be recovered then zero-authentication transactions would be less risky.
Figuring out how, when at 3am your customer's account has been debited £50 that they can't recall authorising, you can resolve the dispute is a far more noble cause than worrying about the authentication method used to verify the transaction - particularly if your customer arrived home safely and able to sleep in their own bed, with their head rested on their bin.
After all, the kids are all right.
Bryn Robinson-Morgan is an independent Business Consultant with interests in Identity Assurance, Agile Organisational Design and Customer Centric Architecture. Bryn has near 20 years experience working with some of the United Kingdom's leading brands and largest organisations.