Posted by Jen Gilburg
Last week a news headline from across the pond proclaimed:
Turns out Abbey, a major retail bank in the UK, did a survey on strong authentication. Turns out that two-thirds of those surveyed did not want the "hassle" of two-factor authentication. Turns out those surveyed even poo-pooed challenge questions.
So Abbey decided to act on the survey results. They decided to do nothing. And they decided to shout it out for all (including the fraudsters) to hear!
I question which business schools their marketing folks graduated from.
I wonder too what context the survey questions were raised (perhaps a brief explanation of how two-factor authentication protects against phishing would have been in order!). I wonder if the mere 1000 users surveyed really represented the fraud concerns of their overall user population. I wonder if they bothered to survey any of their customers who were not using their e-banking services- perhaps because of fraud concerns. And most importantly I wonder if the one-third of respondents who wanted stronger protection against fraud will take their business elsewhere...
Now here is a different survey. It is one we did last summer of customers who were using our VeriSign Identity Protection (VIP) Network. Those who were actually using two-factor authentication to protect one or more of their online accounts. Of those surveyed 81% thought it was easy to use. And over half wanted to use their same token at their broker, healthcare provider and gaming site.
If I were a marketing person at an online outlet- I would figure out a way to leverage those statistics to attract customers away from the Abbey banks of the world who are not taking customer's fraud concerns seriously. "Hey- you with a PayPal Security Key- come use it over here".
At minimum- what Abbey should do is to offer strong authentication to the users who want it. Isn't it a much better strategy to offer security as an option versus risking losing customers to those who do?