Early on Monday morning, I was dashing to catch a train into London. In order to get the best-priced fare, my Office Manager had diligently booked my ticket in advance. With just ten minutes to spare, I arrived at the station, coffee and croissant in hand. I found my way to the advance ticket collection machine and it asked me to present the card I had used for the transaction (something I have, in authentication terms). “This is great, so quick and easy,” I thought to myself. I was wrong.
I entered my credit card and waited for my tickets to be printed, but no! I was then asked to key in the unique reference number (something I know) that I had been sent when my transaction had been confirmed. So, I rummaged through my bag to find my phone, the paper bag holding my breakfast now in my mouth and my coffee resting precariously on top of the sloping machine. However, to my frustration (and that of the growing queue behind me), I opened the relevant email but it wasn’t displaying correctly! I had no choice but to abandon the machine and make my way to the ticket office to sort out the problem, and when I finally reached the front of that queue I was told, ‘Ah, we are aware of the problem!’
All of this for a train ticket that cost just £16! Fortunately, they didn’t want a biometric as well. By comparison, I used a similar machine at the weekend to collect some pre-paid cinema tickets (which actually cost double) and all that was needed was my payment card.
My point is that two-factor authentication is in many instances a vital requirement, but it needs to be deployed thoughtfully, with consideration given not only to security but also to the user experience. There are also times when multiple factors are overkill for the task at hand. The machine was there to reduce pressure on the ticket office and make the ticket collection process much simpler, but unfortunately it did the exact opposite.
When you are looking for an authentication solution, be wary of the one-size-fits-all approach. You need to give careful consideration to the flexibility of the platform. Can you deploy 1-, 1.5-, 2- or 3-factor authentication, to deliver the appropriate level of authentication where it is needed? Put unnecessary barriers in the way and people will either find a work-around, or will simply not do what you want them to do. Also, not all multi-factor solutions are equal: some are stronger, or easier to deploy, administer and use, than others.
In case you were wondering, I did make my train, but only just.
Author: Steven Hope, Authlogics