Authentication and identification are top of mind for payments professionals battling fraud these days. We’ve made progress over the past two decades in managing payments risk in the digital era, but fraud continues to evolve and often seems to be one or several steps ahead. The classic cat-and-mouse game has moved to a point where “Are you really you?” and “Should you have access to this account?” are the questions that are both increasingly critical and elusive to answer.
In this episode, we take the long view, talking with Ori Eisen, CEO and Founder of Trusona. We reflect on what the payments industry has gotten right, the current challenges, and the future of authentication and identity. And, to pay attention to the here and now, we asked Ori to share his best practice tips for implementing passkeys.
Yvette Bohanan:
Welcome to Payments On Fire, a podcast from Glenbrook Partners about the payments industry, how it works, and trends in its evolution.
Hello, I’m Yvette Bohanan, a partner at Glenbrook and your host for this episode of Payments On Fire. We are in the digital era of payments, heading into an era of artificial intelligence. Both eras, like several before them, are shaped first and foremost by technology. In the digital era, nearfield communication, or NFC, smartphones and later smart devices, QR codes and cloud computing, underpin payments capabilities. Machine learning has come a long way in this era, growing from statistical analysis applied to solve specific problems to a core capability for industry segments like optimization, online transaction screening, and back office operations.
The technology cuts in both directions, of course. Legitimate stakeholders use it to drive innovation, efficiency, and scale. Fraudsters have used it to create increasingly sophisticated, highly adaptive global networks. The deployment of this technology on both sides has led us to a point where identity verification, basically, are you really you, and authentication, or are you the person who should be accessing this account, are more critical and simultaneously more difficult than ever before.
In this episode, we are discussing the progress and challenges of authentication and identification in payments, what’s happened and what’s not happened in the digital era, and what needs to happen as we enter the era of artificial intelligence and quantum computing. Joining me once again as a co-host is Chris Uriarte, one of our partners at Glenbrook.
Chris, I am so glad to have you on this episode. This is going to be a fun one.
Chris Uriarte:
Yvette, good to be back as always. And this is going to be a great topic. I can’t wait to talk about this.
Yvette Bohanan:
Okay, so let’s introduce our guest. We are absolutely delighted to have Ori Eisen, founder and CEO of Trusona, joining us on this episode.
Ori, it is good to see you. Thanks for being here.
Ori Eisen:
Thanks for having me. I really appreciate it.
Yvette Bohanan:
We always start by talking about people’s journeys. And you have walked in a lot of shoes across many, many stakeholders in your career. You were at Verisign, you were at American Express, you founded 41st Parameter, and now Trusona. The people that know you know that this is very true. You’ve dedicated your career to fighting online crime, and that’s really bold. And a lot of people that are listening to this podcast are doing the same thing, right? They’re in the trenches every day. It’s hard work. It can be super rewarding, but it can be super discouraging, right? So I want to ask, what has kept you motivated over the years?
Ori Eisen:
I’ll say it again. First of all, thank you for having me here. If there is a checkbox for somebody in our industry to be on podcasts that matter, this is one of them. So thank you. It took me 24 years to get here if you’re listening to this show. And I’m honored, I really am. Glenbrook has done fantastic things for our industry, and I think you want people to just know what’s going on so they can make wise decisions.
Yvette Bohanan:
Exactly.
Ori Eisen:
There are definitely tough moments in this field. I remember vividly when I was a risk manager at one of the large credit card companies. You would show up on Monday morning after Thanksgiving, and over the weekend, our friends in the underworld have used the fact we’re all eating turkey and maybe sleeping to drain some accounts. And those are just deflating days. And then you just feel like, what the heck am I doing here? And how come they’re so powerful and then smart? And there’s days where you win and you catch something or you discover a new method, and God, it’s almost like golf. People curse all the time until they have that one good shot and then they’re back in the game.
So I think if you want a career in this space, there’s a saying in Silicon Valley that says, don’t let the highs be too high and don’t let the lows be too low. Try to keep it even keel. But for me as a person, I love the hunt. I really do. I love the fact that every three weeks, the other side is surprising us with something because that means we need to go figure out something. I love the fact that unlike, let’s just say we were intuit and write accounting software, there is an end to writing accounting software like you have ledgers and it works and makes some tweaks because some new regulations come out, but for the most part, it’s working, right? There’s no such thing in this industry. What worked even a year ago may not work today. What worked three months ago may not work today.
So the need for innovation, wink, wink, it’s the key. If you want to stay in business with all the changes, and especially if we’ll get to talk to them about AI and deepfakes, you have to keep innovating because the other side is, and they’re well motivated in doing so.
Yvette Bohanan:
Yeah, you got to keep your energy up, you got to keep your enthusiasm up. You got to make contacts within the industry of people trying to do the same thing. We’re all in this together. We always say the fraudsters don’t have regulations. They don’t have org charts. They don’t have rules around sharing data. The hands are tipped in their favor. So you got to make your own networks and you got to keep up with things.
Ori Eisen:
Indeed.
Yvette Bohanan:
When you think about the last 20 to 25 years in payments, there’ve been multiple innovations in payments risk management. What do you think the industry has gotten right in the last couple decades?
Ori Eisen:
It’s a great question. I would first separate… When we say the industry, it sounds like everything is worldwide and very nicely distributed. I would separate Europe and the European Union and the decisions they can make and act and what we’re doing here in the United States and the rest of the world. That’s how I’m thinking about it, because you can decide that, I don’t know, 3D Secure is a very good thing to do, but go implement it in different jurisdictions and then you’ll see who is joining forces with you and who is colliding with you and who is deciding that this is a competitive edge. It’s just not easy to look at the world as one thing.
But overall, in general, I think the move to chips to prevent counterfeit has been probably the best move because it was the hardest. And at the same time, I don’t think that is the center of gravity for the problems that we’re facing. So kudos to making it happen. Again, if you’re listening to this, please don’t hate me, but I don’t think tokenization is something we should’ve focused on at all. I can explain why.
Yvette Bohanan:
Oh, you have to because…
Ori Eisen:
I applaud the effort, but I don’t think that will put a dent in the universe. And just to see that what I’m saying could be right, go look at the basis points of fraud around the world and tell me have we reduced them as a result of it. And then you’ll hear crickets. But I’m not saying don’t do these things. Everything is important, but when you look at the gestalt of what all is happening, where the fraudsters are successful and what we need to do as the good guys to block it, it’s just that’s not rising up to the top of my list.
Chris Uriarte:
Ori, I think you raised a couple really interesting things. I think there’s probably just a general question of, do you think where we stand now, we’re heading in the right direction? Obviously, we’ve seen tremendous innovation over the course of the last 20 years just by need, right? E-commerce was new to us 25 years ago. E-commerce fraud was new to us. We adapted and we did what we needed to do to survive.
But to your point, if we look at the statistics of card fraud in the US over the course of the last decade or so, fraud as a percentage is rising. We used to be at about four basis points of fraud, 10 or 12 years ago. Now we’re hovering somewhere around let’s say six to seven basis points of fraud in the most recent years if you look at some of the most recent Nielsen numbers. So are we just not keeping up with the fraudsters? Has there been a lack of innovation in the industry recently? You mentioned the EU for example. Is perhaps the lack of regulation playing into this in places like the US where the EU has had the heavy hand from a regulatory perspective? Not saying that’s a good thing. We know that there’s been a lot of challenges in that, but when you look at the numbers from a fraud perspective, since PSD 2 has been implemented, fraud is much, much lower in the EU than it is in the US. So where are we headed and are we headed in the right direction?
Ori Eisen:
And again, just to keep it real, some people may not like hearing it. I’m sure my brethren who are fighting the good fight at the payments company would not like to hear what I’m going to say. But let’s look at the numbers, okay? On paper, if you go from four basis points average to six or seven, let’s just say six for easy math, what you just said, Chris, is that we have raised the number by 50% from where it was. That should be alarming to all of us, regardless if you agree or not, but I think the problem is much worse. Let me explain my point.
Because we’re measuring things in bps, it’s a relative number to the top line. Now, do you agree in principle that the number of top line of e-commerce sales have only risen up? So if the number was the same over this period you’re talking about, and we moved from four basis point to six, then it’s just 50% rise. But four basis points of a 100 billion in sales is very different than six basis points of 200 billion in sales. Do you see that? The number actually exponentially growing. It’s just that the top line grows so much that we are still saying, oh, but it’s a small bps. But no, if you look at, listen carefully, the absolute dollar amount we’re losing, which is what I’m focused on, we are nowhere near solving the problem. And you can ask, well, why do you care about the absolute number? A, because I’m not a public company that is managing the risk as an Excel sheet tab, but I’m worried about it because with absolute money in the underworld, you can do a lot of things.
If you look at my career, it is all about herbing the funding of evil. When I wake up as a banker and I find that $2 million disappeared, man, I hate it. I have to go ask my boss, what happened? But let’s ask ourselves as professionals, what has happened to this $2 million? Where did it go? Who is using it and for what purposes? You will realize that that is far worse than the monetary value, which by the way could be covered by insurance. That is what I’m worried about because that causes buildings in New York to fall down. There, I said it.
Chris Uriarte:
Yeah, I think it’s a great point. And you look at the order of magnitude of both sales and fraud. If you look at sales now, I think we’ve all heard this number in 2023, we finally hit the $1 trillion mark in online sales, which is absolutely incredible. But when you look at the dollar value, I talked about bps earlier we just mentioned, we look at the dollar value that if we look back in 2014, 10 years ago, we were looking at a dollar value of fraud. That was somewhere around $16, $17 billion value wise. Now we’re getting closer to about $35, $36 billion from a value perspective. So it’s significant. Of course, you expect that to rise as the top number rises, but I think the level of fraud is outpacing the top line growth as well.
Ori Eisen:
And Chris, just for fun, after we finish recording, please look up the GDP number of countries and tell me how many of them are under $35 billion. People put things in perspective.
So a third part of your question that I want to get to, and it goes like this. If you look at the last 50 years of credit card innovation and payment innovation, we’ve had one super-duper successful campaign. I might be dating myself here. And that is the move from offline authorizations to online authorization. The most successful campaign in our history. Heck, we gave 50% basis point discount on interchange. Yes, you heard me right. And how long did that take to do, the whole process? 10 years.
So when you’re asking me, are we heading in the right direction, I will say this, even if today I just described to you the panacea, right? Here’s what we need to do to solve this, which I hope will chat a little bit about that. And I know we’re not giving any more 50% interchange. Even if we did that, we are still 10 years out guys from the world as we know it to adopt it. So if you’re a Silicon Valley investor or you’re an entrepreneur, I want you to get the scale of time that it takes to run this marathon. This is not a sprint. Even if you have the most brilliant idea in the world to convince people to get it into their SDLC, to get it approved, budget, earmark, all those things take time. And then we can talk at the end about consumer adoption. You can do all this work and they’ll say, “I’m not going to do this,” right? You can’t force my mom to do stuff.
So when you look at all that, I think unfortunately we’re heading into at least four or five more years where the bad guys are just going to have the upper hand, and that’s before introducing AI.
Yvette Bohanan:
Okay, so-
Ori Eisen:
You still want me on this show because [inaudible 00:13:05]?
Yvette Bohanan:
I do. We’re going to keep going here. We’re only on question two. But no, I think what you’re saying has a lot of merit. I think you have to look at the situation that the industry is in. We are in this together, right? This is not a siloed initiative thing. And as you said, you need all of these things. One tool. There’s no silver bullet. Hello, investor community. If someone comes to you and says, this is going to solve it, and this is one thing, stop time out, walk in the other direction.
Okay, your favorite hashtag for those that follow you on LinkedIn know this is No passwords. More know about it now because it’s getting branded properly, but a lot of folks did not understand what you were talking about when you first started that no passwords campaign with the hashtag. The FIDO Alliance and Trusona have been on this bandwagon for a long time. And passkeys is the branding. And we all know that branding always helps because it helps people talk about something at least and know commonly what they are discussing. So that’s a good thing. This is really a step for solving authentication. From your vantage point, how big is authentication today in this… If you zero in on the authentication issues that we have had, how much of that is playing a role in this backdrop that we’ve just been discussing of organized financial crime in this space?
Ori Eisen:
Let’s roll the tape back 20 years. We only had username and password, even for employees. Realized, man, that is just not going to be so secure. Every CSO would tell you that. In my opinion, that was the day where we should’ve said, okay, how do we stop getting rid of passwords? We didn’t do that. What we did is said, okay, let’s accept password as factor number one, and now let’s keep adding something called second factor authentication, or 2FA. Or if you’ve never known, why is it called 2FA? Because we succumb to the fact that the first one will be using [inaudible 00:15:07] password. Not so secure. Let’s keep it because it’s too hard to undo it. By the way, I’m not challenging that decision, but we have lived with this insecure thing that we are asking even consumers to pick up their own passwords. God help us. What were we thinking? And add this other thing.
And you know what? For the first seven, eight years, that was amazing. Why? Because we forced the bad guys to go into accounts. And if the bank had 2FA, they said, good. They’ll just go to the next bank that doesn’t have it. It’s that simple. It doesn’t matter which bank they’re robbing. You all have the same money. So it’s just a game of don’t be the slowest cow and the wolf is coming to see you. Who can I eat today?
Unfortunately, when phishing started rising, and you would contact the consumer and ask him, “Hey, what is your password?” and it was just given to you. And then with other social engineering, you just convince them that you’re the banker and they need to give you the pin, guess what happened? That method disappeared as the best thing we’ve had.
When the FIDO Alliance started, folks like Michael Barrett, if you know him, who was at eBay at the time in PayPal, I got the call to say, “Hey, listen, we are realizing that this username password thing is going to kill us all. Let’s band together and create this thing that we will all use. And then there’s no competitive advantage of, oh, I’ll go to the bank that doesn’t force me to use this. Whatever it is you’re telling me to do.” And on paper, that idea is brilliant, period. Hard stop here. It’s been 14 years since that moment. Where are we? You tell me how many passkeys you guys have, Chris and Yvette? And you tell me how many passkeys you’re using today because you’re not allowed to use username and passwords? And that is the answer.
We are still playing the game that even if I introduce something that we know everybody needs, I’m not going to force you to use it because there’s the marketing people and the UX people, and I totally understand no one wants to see a drop-off in the name of security. I get that. But we have yet to implement it in a way like, I’m just moving to Europe for a second where we say, okay, starting January 1st, every bank is going to do X. And now legally we are banding together to do it and we’re going to force… So we are moving that UX thing, which is the way to go, by the way. We simply don’t have it here. So unfortunately, we’re still in adoption phase. We’re still in confusion.
Yvette, you’re absolutely right. People did not really get, what does he mean by no passwords? I was trying to go for the no software thing that our friends at Salesforce did to say we don’t need software anymore, but I also wanted to respect FIDO because I knew that no passwords, because we started, would never get adopted as the thing. I knew that from the get go. So you had to say what you’re trying to say.
Of course, one of the big players at FIDO gave us passkeys and we all went along with it, and I think that’s great to brand. Yet at the same time, if we don’t educate on what it is, why should you use it, and maybe start, I don’t want to say the word force because that never works, but cajole people to use it, I don’t think 10 years from now we will be anywhere nearer as to what the potential could’ve been for this thing. So could this for making it, but now we have to band together and implement it. Otherwise, it’s a choice. And if we leave security to people to decide if they want to do, let me tell you, they will go the other way because just like they don’t want to pick long passwords because it’s just hard, they would not want to click the extra button of create a passkey because I’ll just reset my password next time, and that’s it. We’ve just gone back to where we were, and unfortunately that helps the bad guys.
Chris Uriarte:
So I think you, you’re partially answering the next question going through my head here, Ori, which I think about the everyday person, not those of us that are steeped in this industry here, your kids, your mom, somebody along those lines. They are greatly influenced by these big tech companies that they interact with every day, the Googles, the Microsofts, Apples and Metas. People are living on their platforms every day. They have so much influence on consumer behavior. It sounds to me like they could be doing a better job around things like education, implementation, things along those lines when it comes to advanced types of authentication, whether it’s passkeys or something else.
Are they actually doing anything well or have they just decided that this is a little bit too difficult to take up right now so we’re just going to leave things as it is? Because it seems like it just takes one or two of these folks to be a major influencer to really move us in a positive direction here, but we just haven’t seen that happen yet.
Ori Eisen:
Again, I want to start… The good news is that we have now solidified, there’s still work to do, but we have solidified a standard that anybody can use. It’s in every browser. So now the onus is on the relying parties or the banks or the websites to go adopt it. So there’s no more work that you need to do to put it into your browser. It’s there, but that doesn’t implement itself. Just like HTML is in your browser, but that doesn’t write your website. And I want to applaud people who added this method for 800 million users already. That’s amazing. But my point is, unless you cajole them with some benefits, that’s the carrot, or you only let them get in this way if they can, you’re now leaving them the choice of which door to choose.
And unfortunately, Chris, in my experience, when you see people who are given two doors, one of them is the tried it true, I know what I do, I don’t need to think, I just click and I go, and the other one is I need to do one more thing, whether it’s easy or not is not even the point. I’ll give you an example. Unfortunately, human behavior is that we’re creatures of habits. We just will do what we did yesterday unless we are told not to in a way that almost doesn’t leave us a chance. Okay?
Let me give you an example. I trained on that all the employees at 41st Parameter and also at Trusona. Say that the three of us started a credit card company. The credit card company is really, really interesting. It would send offers to people with good credits and it will give them an option. Would you like to create a Visa card for yourself or a MasterCard? Because we are an amazing company that can do both. And we send a thousand of those out and we measure the response rates. And then a month later, we send the same exact letter with one change, we’re giving you an option to get a Visa card or a MasterCard, no more. You need to choose between them, and we measure the response rate on those 1,000. What do you think the numbers are? One of these campaigns is half the response rate of the other.
Yvette Bohanan:
Don’t give people choices-
Chris Uriarte:
Yeah, don’t give people choice, right?
Yvette Bohanan:
It happens all the time. It’s true on that. It’s true on checkout lanes, right? In online checkout, you flood me with too many choices. I don’t care what the choices are. Too many choices, you drop your conversion. It’s totally true. And what you’re really getting at here, Ori, is this is no longer a tech problem for passkeys. It is a change management problem. And if we don’t focus on the right problem, as we all know, you don’t get the solution. So yeah, I totally get it. And trying to explain this to my husband is like, forget it, right? He’s a brilliant guy, but he’s like, “What are you doing? Why do I have to do this? What does this mean? How does it work?”
Ori Eisen:
How does it benefit me?
Yvette Bohanan:
How does it benefit me? Why do we have to change?
Ori Eisen:
Why would I do that? Exactly.
Yvette Bohanan:
Yeah. And I’m like, just do it, but just really not the best thing either. But there’s an opportunity here to educate through commercials. It was Cash App the other day just out of the blue, they had a commercial about scams and educating people around scams. And basically, if it’s too good to be true, stop. It’s too good to be true. It’s not true. And it’s a simple little commercial coming through one of the streaming services or whatever. It was brilliant. It was eye-catching. It was short. It was to the point. It told people exactly what to be afraid of, what not to do. We could do so much more of that if people really focused on it just a little bit more. And it’s super powerful.
Ori Eisen:
Yvette, when we started this recording, before you clicked record, I asked you, “Well, on the honesty level, where should we go between one and 10?” I remember your answer. I would love to comment on what you just said.
Yvette Bohanan:
Okay. And my answer for the record was 11.
Ori Eisen:
11.
Yvette Bohanan:
And those of you that know the movie reference. Anyway, go ahead.
Ori Eisen:
This one goes to 11, without mentioning names or brands because it doesn’t matter. But let’s just say that the top 10 brands… Okay, I’m lying. Top five brand, which is a bank, have shared this insight with me, which I just wanted to hear and just take it as it is. The tone was accusatory and it says, “Why do I need to spend my marketing dollars or call center time on explaining what FIDO is or what passkeys is? Isn’t that your job, guys? There, I said it. When you say all this together, who is we and who are the stakeholders? Who benefits? So a large organization, if they would adopt no passwords… And let’s just say they would force everybody there. Let’s just say an imaginary world, you can only imagine 50% of the people would say, “What is this and what am I doing? And I’m stuck,” but all of a sudden you have an expense that you didn’t have last month that you need to explain to the CFO an operational expense.
Yvette Bohanan:
Well, okay, you don’t have things that you have to explain to your customer. I don’t know how you answered that question, but for me, my answer would be, and Chris, I want to hear your answer too to that if you were sitting at the table when somebody asked you that, I would start with, let’s talk about trust. Let’s talk about reputational risk. Your reputation and trust is gold, especially when it comes to finance. Banking, finance, your cards, your payment method, your account, whatever it is is golden. And if you are doing something that protects people, whether they realize it or not, and you’re helping them, you’re creating a stronger bond of trust over time because you are adding something in that’s relatively easy to do, that basically will engender trust because you’re eliminating further, not completely, but you’re mitigating the possibility of account takeover and other bad things that lead to even worse things for people.
And so marketing is about your brand, it is about your image, it is about your product, it’s about how great you are and how differentiated you are from the competition. But in payments and in finance, if you don’t have trust, all of that differentiation won’t matter because people will walk away from you because they don’t trust you. That would’ve been my answer.
Chris Uriarte:
Yeah, and what I’ll just say, I’m getting a little bit of deja vu here, Yvette, or you talked about the transition to chip, and I remember the same argument in Europe in the beginning of my career when the greater part of the continent was looking to move to chip after France had implemented it. And it was the same argument. It’s like, “Well, we can manage fraud today. It’s fine. Why do we have to make this huge investment”? It’s replacing every single card ,higher per cost cards every time we manufacture card off the line, replace every single terminal that’s out there. Couldn’t even conceive the benefit that this could bring because the challenge in getting there was so large. And what wound up happening in the UK, and I happened to be living in the UK at the time when the chip and pin conversion had occurred back in 2003, the banks got together and they had a massive education campaign to folks.
You would go on the tube in London and there would be posters all over the place about what chip and pin was. And there was an evolution into first introducing it to the public, then getting a little bit more specific about how they would have to use it, and TV commercials and things along those lines that were supporting it. So it really did take an industry as a whole to educate everyone as to what the benefits were of this thing and what the impact would be to the consumer. And we just don’t have that momentum right now. But I think the crux of your story, that there is an ROI story here, ultimately.
Ori Eisen:
I said the nicest thing I could have said to the executive. I also mentioned, well, we started this conversation with my fraud numbers and ATR going up, so you need to do something. But I do want you to hear the numbers he cited and also the fact that in the United States, if you’re a public company, you manage the next 90 days for the end of the quarter because analysts will kill you. In Europe, with regulation, you don’t have that problem. I just want you to see the dichotomy of the CEO level of this discussion. Forget the-
Yvette Bohanan:
Absolutely, I get that. Yeah. Yep.
Ori Eisen:
Let me give you some numbers. Okay? This executive says, “Ori, let me just educate you.” In my fraud budget for net fraud, like gross fraud, net fraud, I have $6 million for the year. So I can get there and I still get my MBOs. My partners at the call center said that if we add 10 seconds to every call to explain, which clearly would be more, but 10 seconds will be $18 million expense. So you tell me how do I sell this to my CFO? It’s not that I didn’t have something to rebuttal because the truth is that it’s $18 million just in one year. And then you can amortize that. We can say a lot of things, but I do think if we have an organization like FIDO that everybody banded together to create something, but we don’t have the marketing wherewithal to explain what it does and how, it will not be as effective. Whose budget should it come out of? Who is this? All of us. Get it? That is why we still don’t see the change we all want to see.
I would still tell you if you’re listening to the podcast, if you are not starting to think or already implementing passkeys, you will start seeing things, especially when GenAI is here, that you just didn’t plan for in your $6 million budget. That’s the other answer.
Yvette Bohanan:
Well, yeah. And I remember the PSAs and everything in the UK when… Chris, I was over there working a lot too at that time. And I also remember a lot of the press about grandma was never going to be able to buy anything again because she can’t remember a four digit pin code or something. Now that I’m getting older, I find incredibly insulting and ageist. But anyway, change is hard. Change requires education. But on the other side of that, change is a different world and you have to keep reminding people how to bring this together. And the world didn’t fall apart with pin, but what happened was, and this, I think, it’s to your point, Ori, is the UK implemented the chip and pin at point of sale and the fraudster shifted, and they shifted to card not present and they shifted to point of sale fraud in US.
And so your point is if you’re not in it at the right time, you’re out. And when you’re out, it’s like fleas on the dog. You cannot get rid of it. And so it gets worse and worse and worse. And then we’ll get to GenAI in a minute. But going back to passkeys, let’s give people some actionable stuff. Okay? You discuss implementation with a lot of people. Have you codified some best practices on implementing?
Ori Eisen:
Yes. Before we get there, I want to give you a soundbite in case you’re making a teaser reel for this. Here it is. Every fraud solution, if you’re not around the table, you’re going to be part of the menu.
Back to our regular schedule program. As a person who spends their days educating and explaining and writing code and implementing, I want to give you a few best practices. At least don’t spend a year realizing what you can learn in a second. There’s a famous quote, “You can learn in the library in an hour what in the lab you can figure out in a month.” Here’s what you don’t want to figure out in the library. If I were to ask the average person who’s been doing this for a long time, like authentication professionals, where do you think in the user journey should we introduce people to passkeys or going passwordless? Where? Let me tell you, most of us would just say, “What do you mean? When they’re logging in.” Just default reaction. It will make sense on paper. But if you run research like we’ve had, you will figure out very quickly, oh boy, that is the worst place to put it in. Let’s explain why.
I’m proud to say that my company, note I’m not mentioning their name, has helped sponsor research for FIDO to help the next company figure this out. So go read the UX guidelines of FIDO. It goes like this. When someone is getting into their bank account to log in twice a month to pay their bills, they do not, let me repeat, do not want to be introduced to something new at that moment. You want them to learn something new. They are just in there to pay the bills and go see their kids play soccer. So if you try, by suggesting, cajoling or forcing people to go there, you are going to lose them because they’re just going to click cancel. They’re not even reading because their mind is, I want to be here to do my thing and leave. Research will show you, in adoption or conversion, that’s the least conversion rate.
Now, Yvette, here comes the boom. Most large companies who said, “You know what? Let’s do a pilot. Let’s try this passkey thing,” and put it there, guess what numbers they saw. They saw hell. Then they inferred, “Oh my God, we actually may not want to be…” Let me quote, “I don’t want to be an early adopter. I want to be a fast follower. Let the other banks teach them what this is. I’ll come late when everybody knows what…” Get it? It’s almost like a game of I don’t want to touch this. It looks messy. But it was because education was not available. People did not talk about it. So we all tried something that is literally not good for us. So unfortunately, that is not helping in the adoption gestalt picture.
What should you be doing after we know what not to do? There are three other insertion points that have way better conversions. Let’s talk about them. One of them is at the moment of account reset. Why? You try to log in and get in and out. We’re now telling you your password is not what you think it is. Go change it. So you are already not doing what you were thinking about doing. And now I can give you a message that says, “Are you tired of setting passwords here?” Hopefully it’s not your first time. “How about going passwordless?” And then you have a moment of, yeah, you know what I am tired of that. So that is the best. It will not affect your login because many marketing people say, “Don’t put it in login because we…” It puts you in the moment that the bank is actually not doing so well. This is a bad moment in the journey. So that’s the first place to think about it.
The second place to think about it is at the settings. So people go to account profile settings every now and then, not every day. And in there, you can say, new, move to passwordless. Now, if they’re already in settings, they’re about to change something. They’re either in the right mindset to explore things. So that’s the second-best place to put it.
And the third, which again I know is not going to happen this year, but if you’re listening and you have some power in your company, try to add the passwordless at account creation. Do not force it, but give it as a better shiny confetti moment, go passwordless and never have to use a password.
You said something before, Yvette, that is very useful right now. So let’s go back to it. When we did the research of which age group this would appeal to, again, we were all wrong. We thought the gen Z guys will say, “Hey, no password, that’s cool. I’m doing it.” No, no, no, no, no. 55 plus. Why? Because I can’t remember anything now. Sorry, I’m getting to that age group. It is resonating.
Yvette Bohanan:
Maybe we’re just sick of it after 30 years and we know better. How about that?
Ori Eisen:
If you put it into the account opening where, here, select your password and select another one that matches, you already know how that’s going to go, but that other road is like passwordless. The benefit there is you’re doing it at a moment where I am expected to do some work. It’s not like in and out. And I may set up this account forever to be passwordless for me as the bank. Why is it good? Because if you only add passwordless, but you keep the password, let me tell you the bad news, the bad guys will still harvest the password somewhere and get in because you didn’t make it mandatory to use passwordless. So it’s like you have the bronze level key and the gold key, and you can use either one. So guess which one the bad guy would use? The bronze. That’s the issue with that.
Chris Uriarte:
Yeah. This is similar to some research that we’ve done in the last couple of years when we were working with some of the large card networks looking at the adoption of biometrics for 3D Secure authentication. And what we just found is it didn’t matter whether an issuer supported biometric authentication or not is consumers are just happy with what they had. They don’t really care whether one time there were all these flaws with SMS one-time passwords and all these challenges around that and how they’re certainly not as secure as biometrics. Motivating the consumer to make that change from something that they’re complacent with is a very, very difficult thing to do.
So I love your suggestions because they’re really practical, right? You’re essentially prompting the consumer at a point where they already have to take some action, whether it’s the account creation or the reset, or as you have said, they’ve made a decision to go into their account setting so you know that they’re in their thinking about something. That certainly seems like an opportune moment to prompt them with this. And I think the other message that you’re really stressing is that there’s not a silver bullet here. You shouldn’t expect that you’re going to roll this out and somehow, somewhere or someday, 75% of your users are going to convert to this. That’s not going to happen, right?
Yvette Bohanan:
Let’s say you implement passkeys and let’s say we get to a point where it’s a little bit more normalized, people understand it, there’s some adoption going on. Is there still an authentication risk that we’re trying to control or has this shifted to something else?
Ori Eisen:
I don’t want to call myself a futurist, but I do think about the future and we’re now getting to the point that we hope we would have 10 years ago. So in some of our implementations, we have arrived there. People put it in, and now we are realizing this, which is why I would love to go deeper in this conversation to even if you implemented passwordless, you now have one more thing to solve to perfect it, which is identity verification. And I’ll explain why.
In an imaginary company, say that everybody’s using either a hardware FIDO token, think about employees, just to simplify, you can’t log in without it. So that means phishing should go down to zero. And again, I’m winking at a specific case, and life should be good, right? From an authentication perspective, add it. But let me tell you where the new hole emerge and what guys on the other side do, especially with GenAI. Yvette, you’ll play the head of it help desk at the same company that does not let any employee log in without their hardware key. And you’ll get this phone call from me. “Hi, Yvette. This is Ori. I work here. I’m going to trip and I lost my bag with my computer and key and phone. I don’t have anything. Could you please FedEx to me computer key and phone to this hotel? I’ll be here for the next week.”
Yvette Bohanan:
Sure you are. Sure you will.
Ori Eisen:
Is that an authentic… Well, I’m a VP here, Yvette. [inaudible 00:38:32]. We have a board meeting, right? So as you can see, the problem has just shifted from it’s not about authentication because all the credentials I’ve armed you with are gone. So I’m back to wait, wait, are you Ori Eisen or not?
Yvette Bohanan:
It’s identity.
Ori Eisen:
That is the next step. So I just want people to think, even if we all move to passkeys today, which I hope we will by the way, and it is a panacea of sorts for phishing and a lot of things that we’ve seen in the past… My mom would not be able to give her password to anybody if we only use passkeys, okay? Which is amazing. But nothing stops you from social engineering the bank to say, I am Yvette and if I can make good-looking driver licenses now with Midjourney and then it looks like it, we are then losing the very fabric of knowing who is the true identity on the other end, regardless of the credentials. The credentials and authentication of just the proxy to who the user is that I should allow you with permissions. So if I rob you from that, what am I left with? An identity verification problem?
And for that reason, what I spend my days on now is I still do passkeys, I still do no passwords, but I also know now that when we get there to that promised land, we are now facing with the original sin. You remember that cartoon with the two dogs on the internet no one knows you’re a dog? We’re back to 1993, Paul Steiner, the New Yorker, because we still need to know who to give the golden key to. That’s where we are.
Yvette Bohanan:
What do we do?
Ori Eisen:
I can tell you what I do and it’s after being here on this farm for a long time. I don’t want to sound like an alarmist, but I just want to speak like a practitioner and talk about facts. Again, you can later reach… People want to say, “Hey, I want to talk to this guy.” Give him my email so we can have a practitioner conversation. Because of data breaches, you can get my name, my address, my social security number, probably most static data about me and you and Chris. And if you’re listening, about you too. It’s probably available at this point. Just take a deep breath. The horse is out of the barn. We cannot bring it back in. Anything you do on identity verification that is based just on data, on text that could’ve been stolen or copied or phished, I think the answer by now, that you don’t really know, is it Chris or not?
We’re on the logical philosophical level. This has nothing to do with vendors. It’s just that’s where we are. If the key to my account is knowing my birthdate, if the key to my account is to know my mother’s maiden name, it is getable. That’s it. Period. Has been for a while by the way.
Yvette Bohanan:
It is. Yeah, absolutely.
Ori Eisen:
So let’s take static credentials and static text out. Can’t solve it there because otherwise I’ll give the golden key to the wrong person, to your evil twin so to speak. So okay, if you drive home today and you speed, a policeman would stop you. What will they use to establish that you are who you say you are? You’re ID. And I don’t know that there’s anything better than that. We don’t have chips implemented in people’s minds and we don’t have that barcode imprinted on us the day we were born. That’s still in fantasy land in Hollywood. But I think if we mirror that into the internet world, we will see that for you to present yourself as you you need to start with a government issued ID because prior to that you’ve had to show yourself somewhere. So there was an in-person identity proofing, going back to the next level four or IAL 3. And now the only question is, am I looking at the thing that is real authentic, not counterfeit? You see how we’ve just reduced the problem to, okay, it’s a documented claims, it’s you, but now I don’t know if it’s real or not.
So today there are databases. Yes, they cost money. And you’ll see it, Yvette, in every post I say, because people say, “Oh, I love what you’re saying, but it costs money.” Yeah, it costs money because it’s good, because it’s working, because it’s doing its job. This is not given to us for free. Somebody worked really hard to lay down these tracks. But today we have a solution that allows you to tell a consumer or an employee, use your browser, scan the back of your ID at the front because the front could be easily made with GenAI, and now I have an authoritative source that will tell me, yes, this document was issued by me.
Now, let me explain the bit because some of you might be techies and like, “I don’t understand. How would you know that it’s real or not?” In general terms, the front of the driver licenses in the United States have about 19 parameters, name, last name, eye color, height, sometimes weight, about those things. Unfortunately for us, about 15 of the 19 there are already traded on the underground. They’re gone. On the back of the driver license, in that barcode thing, there’s 11 more parameters that you don’t even know as a consumer. You don’t care about or think about them as check sums of this document that was produced by the authoritative source. And if I send that to them, they can tell me, yep, this is a real document and I have it. Do you see the difference?
All the methods we’ve used today, again, I’m not talking about vendors, this is not a knock, this is about the method, have been using imagery of the front. And then we say, even with AI, does this look like the template of the state? It’s a fraud check. It’s a proxy to the truth. But on the back of that document, there is something that could tell you categorically, is it issued? Is it real? Is it there? Now, the document could be stolen. Don’t get me wrong. But then it’s almost like I lost my cash from my wallet. What should I do? You can’t do anything, you just lost it. So that’s where if we get down to that race and now everybody lost their driver license, I don’t know what else to do after that, Yvette, because that is the last bastion of hope on truth and it has not been breached yet.
That’s what I would do. Because anything else, we can talk about. Selfies, excuse me, if you’re using selfies, you’re just using positive friction. Why? Because if I use Mickey Mouse on my back camera and Mickey Mouse on my front camera, guess what the algo would say? Oh, 99.9% match. It just says that it matched. And then people do liveness tests, which I applaud and I love. But guys, you cannot take all your algorithmic work. Put it on the phone. With bad guys turning on a dime without any org charts, they can do things that you can’t even think about. I can’t expect you to think about because it’s like zero days. So all these things in my mind today are just adding positive friction to good guys to feel that, oh, they’re doing something, but they are not really stopping people from taking down a CFO with $25 million wire. That’s where we are.
Yvette Bohanan:
So now you’ve touched on the CFO wire GenAI world.
Ori Eisen:
It’s not a theory anymore.
Yvette Bohanan:
It’s not a theory anymore. And I do watch what you’re posting and I watch… We’re going to have someone else on talking a lot about what’s going on on the dark web too, who monitors it quite a bit. That’ll be a future guest on this series. But I think there’s certain power couples in technology that do things that you can’t imagine. And when I think about the future power couples, it’s GenAI with quantum, which is a little bit further out there. So we’re here with GenAI. We’re here with the deepfakes at this point. And we’re, depending on who you talk with, there’s a lot of opinions about this, but just say anywhere from five to 15 on the long side of quantum, depending on how fast we can make chips and stuff.
You said it’s like… We have something right now. We don’t know what we’ll have later. How do people prepare? Let’s throw back the time clock and say, instead of where I’m at today in my career, I’m a new person in this space and I’m 28 years old, what should I be thinking about for the future in terms of helping the company that I work for?
Ori Eisen:
So again, we’re going to keep it on the practitioner level, talk about the philosophy of risk management and the methods. It has nothing to do with a specific vendor or product. This is just about how we fight wars because you read Sun Tzu, The Art of War. A lot of what we need to think about is already there. It’s 3000 years old and it still works. Why? Because it’s how you prepare for battle. So let’s talk about that.
Let’s first start with the bad news. What will disappear assuming quantum shows up tomorrow in spades? The one thing that will disappear from our arsenal is any work that has to do with computation that is provable. Let me be more specific. If we’re using today two prime numbers, multiplying them, and our assumption is, oh, it’ll take a hundred years to find out the pair, with quantum, you can shrink that to a minuscule number. But the key in that is that the quantum will know it has figured it out. Do you see the difference? I’m going to describe the second world in a second, but in this world I know and I got to the right answer. It’s not a brute. The brute force happens, but you know, ping, this is the one. Okay? And then you…
Yvette Bohanan:
And you stop it?
Ori Eisen:
… and you stop. Okay? That is what will be. So if you think about PKI and RSA certificates and all those things for HTTPS, unfortunately there’s an end to that because we will now have all the permutations really, really fast. So boom. It doesn’t matter who is the certificate authority. You see, that’s why it’s not about vendors. It’s about the method.
Let me tell you what will not disappear because of quantum. Quantum, listen carefully, put on your seatbelt, will not be able to guess the check sum of my driver license without actually hitting the authoritative source because only they have the answer. Do you see the difference? So hear me to say, “Oh, this guy is a fool. What do you mean? Of course quantum can make any length.” No, no, no. It can make all of them, but it’ll not know, like in the first example, that I got it. I will need to try a trillion times at the DMV to know this is… And you can do that today anyway. Okay?
So quantum is not going to rob you from a secret that is fairly long, that is not self computed. But now comes the other bad news. Sorry, but I have to say it. If the entire server form off the DMV is protected with keys that I just told you how they would be cracked, you now know what the next step is. I don’t need to figure out the checks. I’ll just get in there and take them all. That is what worries me.
So we’re 28 and you just heard this, do not quit your job, don’t pull your hair out because it sounds like the sky is falling. The sky will fall unless we now change the keys to the server forms with something that, again, quantum cannot touch. That is what we need to be thinking about. What can I touch? And I can give you some examples of what could it look like and cases from the past. Unfortunately, it’s like what was old is new again. All of our world, with number keys of prime, that quantum can easily cut through like butter, unfortunately, everything right after that layer is gone
Yvette Bohanan:
Is vulnerable. So you can’t look at this. And again, it goes back to you can’t look at this as a one and done on this and you can’t look at it as a single solution or a single layer of protection. And it has to be multiple layers and it has to meet the capacity and the sophistication of the technology available and about to be available.
And there’s nothing that says you couldn’t start implementing those protective layers against this. You don’t have to wait for quantum to be here to put these controls in place. I think that’s the one point here. And I’m going to go back to what we’ve been hitting on in this last hour, which has been really fun. It’s hard to have fun talking about risk management, but you are able to do that. So thank you.
The interesting part to me is we’ve been talking about the mismatch between the technology being available, the implementation of the tech by the fraudster, fraud rings, whatever criminal elements, and our ability to keep up. And I think part of this is a reluctance to spend on this stuff because people don’t like talking about it to begin with, especially at the C-suite level. Nobody wants to say they have vulnerabilities. Nobody wants to talk about investing in this stuff that may or may not be beneficial, may or may not hurt good revenue, may or may not… So we fall behind. And then, because we’re in a complex world with regulations and a lot of stakeholders and payments and finance, you end up taking forever to get everyone implemented and educated.
So part of this is you don’t have to wait for the fraudsters to have the technology before you react. The change management and the controls can go in early. And actually, it’ll cost you less a lot of times if you do it this way, I think, just because you’re not also fighting the problem and incurring the losses while you’re trying to put something in place. So that, to me, is pretty intuitive, but maybe not to some people.
Ori Eisen:
I think CISOs, chief information security officers, for the longest time have been technical people with technical chops, like semi-white hackers, because they understood the stuff. I think the CISO of the future will have to blend in the C-suite in a different way. Not in a technical capacity, but in a way to look at the chairman’s eyes and say, “If you can’t think 10 years out about what I’m just telling you and prepare for it, it doesn’t matter what I know or don’t know or my team can. It doesn’t matter. What matters is that we’re not matching the attack velocity at us with our budget.” And that is a very different skillset than knowing bits and bytes. That is a skillset that unfortunately salespeople have and marketing people have, and it’s how do I get the right education to get the budget in a way that doesn’t look like… The minute we need to have budget cuts, that’s the first thing that goes away, which is unfortunately what’s happening.
Yvette Bohanan:
Well, and I’ll go back to your comment about, well, this is going to take 13 seconds extra and cost $13 million or 10 seconds for 13 million, whatever it was. There’s a difference between not wanting to lean into a problem to solve it and wanting to lean into a problem and solve it. Right? So first of all, you have to believe it’s a problem we’re solving, but if that 10 seconds per call is too expensive, there are smart people on a team usually that can figure out a different way that’s less expensive.
Ori Eisen:
If you think education is expensive, try ignorance.
Yvette Bohanan:
Yeah, exactly. I love that one. That’s exactly it. And there’s also ways to put everything into the equation. So it’s 10 seconds more per call maybe for a certain select group of people calling in to start, but you’re also, on the other end of the spectrum, not getting the negative calls in anymore. So at some point you start to turn the tide, if you will, on your expense line. Like you said, there’s a lot of techniques to deal with expense and budgets and stuff like that, but it goes down to leaning into the problem or avoiding the problem.
Ori Eisen:
I’ll give you one idea that we tried once, and I still don’t know why it did not catch fire and says, oh my God, this is the way to do it. I’ll give you the example. You’re go into a large company and they say, “Oh my God, it’s going to cost us so much.” And you say, “Oh, you know what, you’re right, but how about let’s do this. You and your own records have the people who have been phished before because you had to spend five minutes on the phone to recredential them, and that was okay for you. Right? So why don’t we take every future call of that kind because it’s no longer 10 seconds on every call and add the new technology there, and then let’s do a study for six months to say, do they have revitism? Do they come back to us?” And guess what? You can use that as your pilot, as the test sample to take it to the C-suit, say, “Look, on this 1% of our calls where we already had a problem and we gave them this new drug or this new treatment, they’re not coming back.”
So do the math on, it’s almost like use and don’t let a good crisis go to waste type thing. Need work like magic, but it didn’t catch fire in other organizations to say, we want to do it because still doing it with the group that is suffering means time and pilot and measurement and paying. It’s work, right? But I just want to know if you are daunted by, I need to change everything at once, don’t. Actually start with the most acute problem. Test it there and then you’ll have numbers to justify why should we do it for all.
Yvette Bohanan:
Figure out a different way to triage and then go from there. Absolutely.
Well, Ori, Chris, that special time again where we have to say goodbye. This has been a delightful conversation, a very hard conversation, a very maybe at moments frustrating conversation for some people, but delightful to be able to catch up with you and hear about what you are seeing in your vantage point in this really, really important space. And it’s important to everyone. And when I say everyone, I do mean everyone with the capital E, everybody. So thank you so much for sharing your insights. I really appreciate it.
Ori Eisen:
Thank you for having me.
Chris Uriarte:
Thanks, Yvette. Thanks, Ori.
Yvette Bohanan:
And Chris, it’s always a pleasure catching up with you from-
Chris Uriarte:
Always a pleasure.
Yvette Bohanan:
… one end of the continent to the other.
Chris Uriarte:
For sure.
Yvette Bohanan:
And for those of you listening, take heart, share the best practices, keep the faith, and stay tuned for more conversations on all sorts of payments related topics and as we develop this series on where we are with authentication and identification. Take care everyone. Keep up the good work and bye for now.
If you enjoy Payments On Fire, someone else might too. So please feel free to share this podcast on your favorite social media outlet. Payments On Fire is a production of Glenbrook Partners. Glenbrook is a leading global consulting and education firm to the payments industry. Learn more and connect with us by visiting our website at glenbrook.com. All opinions expressed on our podcast are those of our hosts and guests. While companies featured or mentioned on our show may be clients of Glenbrook, Glenbrook receives no compensation for podcasts. No mention of any company or specific offering should be construed as an endorsement of that company’s products or services.