So a big name steps into another market, this time one based around 'trust'.
Looking to do away with passwords, this movement and the companies in it are focused on indicators we each possess which could, together, give a confidence score as to whether the right person is logging in.
At Finovate 2015 I saw a number of companies showcasing this type of solution, and the relative ease with which organisations could verify users. The tech involved is clever and utilises many factors that even 5 years ago weren't reliably available, such as location data and biometrics.
Ah, the famed word - and one that's going to require a consistent and clear sales pitch to the general population. Whilst welcomed by many, it's key to remember that it can work as part of the armoury around identification, but it is not a silver bullet that solves everything.
Banking institutions like the European Central Bank recognise its potential (including it in its recommendations on the security of internet payments) and the direction of travel is clear. Bye-bye password. Hello biometrics.
And yet it's here that there's an interesting clash. At the same time as we move towards collecting more data (data that's never really been looked at before and is certainly very personal to us), the law moves almost in the opposite direction, towards ever stricter controls through the much-heralded General Data Protection Regulation (due to come into force in 2018). Companies need now more than ever to think:
- what are they collecting?
- how are they telling and explaining it to users?
- do they need to collect it? Are there alternatives?
- are they collecting more than necessary?
- how are they going to keep it secure in a time of ever increasing cyber threats?
- where are they sending and processing it?
Thought also needs to be given to what other ways of verifying users are available if there's a data breach. The big issue for many is that biometric characteristics can't be changed like a password, and that's where the other camp sits. Risk. Is the reward of a simpler log-on worth it?
At this stage perhaps, that's this movement's greatest challenge.
Rather than giving a binary answer, as a password does, the API can hand over a score to indicate how confident it is that you really are you. If the institution needs more confidence, it can feed back and ask for additional mechanisms: more biometric data, for instance, or an old-style password.
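The score-and-step-up flow described above, together with the earlier point that a breached biometric cannot be reissued, sketched as an added example (not code from the API or from any vendor mentioned here). The signal names, thresholds and the rule for combining signals are all assumptions chosen for illustration.

```python
from dataclasses import dataclass

# Assumed confidence each action requires (hypothetical values).
REQUIRED = {"view_balance": 0.60, "make_payment": 0.90}

@dataclass(frozen=True)
class Signal:
    name: str          # hypothetical label, e.g. "location", "face", "password"
    confidence: float  # 0..1: how strongly this signal alone points to the right user

def combined_score(signals, revoked=frozenset()):
    """Combine signals into one confidence score.

    Assumption: signals are independent, so the score is 1 minus the
    probability that every signal is wrong. Signals named in `revoked`
    (for example a biometric exposed in a breach) contribute nothing.
    """
    miss = 1.0
    for s in signals:
        if s.name not in revoked:
            miss *= 1.0 - s.confidence
    return 1.0 - miss

def decide(action, signals, stepups, revoked=frozenset()):
    """Return ("allow", score), ("step_up", factor) or ("deny", score)."""
    score = combined_score(signals, revoked)
    if score >= REQUIRED[action]:
        return ("allow", round(score, 3))
    used = {s.name for s in signals}
    # Ask for the first extra mechanism that is neither used nor revoked.
    for factor in stepups:
        if factor not in used and factor not in revoked:
            return ("step_up", factor)
    return ("deny", round(score, 3))

if __name__ == "__main__":
    # Constructed sample: two passive signals collected in the background.
    passive = [Signal("location", 0.5), Signal("typing", 0.4)]
    ladder = ["face", "password"]
    print(decide("view_balance", passive, ladder))
    print(decide("make_payment", passive, ladder))
    # After a breach the face template is revoked, so the fallback is a password.
    print(decide("make_payment", passive, ladder, revoked={"face"}))
    print(decide("make_payment", passive + [Signal("password", 0.8)], ladder))
```

The revoked set is what keeps the fallback question answerable: once a biometric is marked compromised it stops counting towards the score and is never offered again as a step-up.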