UserAuthenticationCost

The value of better user authentication

User authentication is a pain. As technologists it’s only natural for us to consider how we can remove that pain. However, technologists putting on the hat of an entrepreneur should be considering whether they are entering the Blue or Red Ocean before considering the blue or red pill [3].

Despite there being a bewildering array of proposed and deployed password replacements, it is often unclear whether the costs of any given solution outweigh its benefits. In Cormac Herley’s excellent paper “So Long, And No Thanks for the Externalities”, PayPal’s CISO is quoted as stating that fraud accounted for 0.49% of transaction volume, or $290m [1]. Assuming 70 million active users, it follows that the upper bound on the cost of password-related attacks for PayPal is $4.14 per user per year. $4.14 corresponds to just 17 minutes of time (assuming users earn twice the US average minimum wage). Cormac states that this loose bound assumes that “users are liable for the loss and can address it by following security advice.” Let’s pursue that argument a little further.

As a thought experiment, consider a small metallic box that users carry with them. How the box works remains completely unspecified, but its presence prevents all PayPal fraud. Re-framing Cormac’s argument, the invention of this box creates $290m of value. The questions that remain are how much of this value can be captured, and who is in the best position to capture it? (Clearly a technology that eliminates all online fraud has the potential to create more value than I have assumed. However, growing the pie doesn’t alter the argument given below about who is best positioned to capture that value.)

To answer these questions it is instructive to keep in mind two guiding principles [2]:

  1. Is the innovation (the metallic box) appropriable, or will you have to share the profits with many others? (Appropriability is the capacity of a business to retain the added value it creates for its own benefit.)
  2. What is the innovator’s relation to the owners of complementary assets, that is, those assets needed to fully realize the value of the innovation?

Solutions that are easily imitated and reproduced have ‘weak appropriability’. An innovation with both low appropriability and no substantial relationships with the owners of complementary assets is in the least favourable position to capture the $290m [2]. User authentication schemes proposed in the academic literature, or where the hardware and software are intentionally open, largely fall into this category.

Solutions with high appropriability (for example, solutions with strong protection of their IP, or that require specialist knowledge of regulation or certification regimes) but without substantial relationships with providers of complementary services are exposed to the bargaining power of those service providers. This erodes the value that they can capture [2]. Innovations that create demand for complementary products and services are in the best negotiating position [2]. In general this isn’t the case for user authentication, though banking and payment solutions have the strongest case.

Solutions with weak appropriability and strong relations with service providers can exploit their position through tight integration [2]. This is the position of the FIDO Alliance [5], where integration of FIDO compliant authentication solutions with mobile phones has already happened. In contrast, a FIDO compliant device without the benefit of tight integration requires the user to install, set up and manage separate software applications; this is a non-trivial task for novice users and a high barrier to adoption. Deployed token-based solutions such as RSA SecurID and VASCO’s DIGIPASS typically demonstrate both high appropriability and strong relations with the service provider. Whilst companies such as VASCO may be established providers for banking and payment applications, they are not best positioned to provide a more general replacement for passwords, due to the range and complexity of the service providers in this space (from mobile phone operating system providers, manufacturers and network operators to Web-scale businesses such as Google and PayPal).

Whilst I believe the FIDO Alliance is best positioned to tackle the issue of secure, general-purpose user authentication, we shouldn’t forget the old adage: if it sucks it sells. Nothing is going to stop amateur inventors continuing to develop the user authentication equivalents of WinVote [4].

[1] Cormac Herley. 2009. So long, and no thanks for the externalities: the rational rejection of security advice by users. In Proceedings of the 2009 workshop on New security paradigms workshop (NSPW ’09). ACM, New York, NY, USA, 133-144. DOI=http://dx.doi.org/10.1145/1719030.1719050

[2] How Do You Capture Value from an Innovation. http://iveybusinessjournal.com/publication/how-do-you-capture-value-from-an-innovation/

[3] Ben Laurie and Abe Singer. 2008. Choose the red pill and the blue pill: a position paper. In Proceedings of the 2008 workshop on New security paradigms (NSPW ’08). ACM, New York, NY, USA, 127-133. DOI=http://dx.doi.org/10.1145/1595676.1595695

[4] Virginia Finally Drops America’s ‘Worst Voting Machines’. http://www.wired.com/2015/08/virginia-finally-drops-americas-worst-voting-machines/

[5] FIDO Alliance. https://fidoalliance.org/