What does Railway Time tell us about standards in bank security?

This is a contributed piece by Thomas Bostrøm-Jørgensen, CEO of Encap.

Industry standards can undoubtedly be a force for good. In the UK, prior to 1840, each town had its own local time, usually determined by a sundial. Each town being on a slightly different time meant that designing train timetables was tricky. The time difference between London and Oxford (five minutes) and Leeds (six minutes) could be the difference between catching a train and missing it.

To answer the problem, “Railway Time” was invented, and thanks to the new telegraph wires transmitting at the speed of light, synchronising clocks was possible. By 1855 almost all towns and cities used Railway Time, now called Greenwich Mean Time. A problem solved by standardisation.

But before declaring standards a universal good, it’s worthwhile to look carefully at the timeline. Standards here were a result of innovation – without the telegraph, synchronising these clocks would have been impossible. And the standard was adopted because it made sense. A universal time was more useful to people and businesses than one based on a local sundial. The move to standardisation didn’t occur because a Time Standards body was created to promote the idea.

It’s something that those promoting standards-based approaches in bank security – especially authentication – should heed. Organisations such as FIDO Alliance and the GSMA with Mobile Connect are on a mission to change the nature of access to digital services by developing specifications that define open, scalable and interoperable sets of mechanisms that reduce the reliance on passwords to authenticate users. FIDO and Mobile Connect are both pushing a standards-based approach, but is this the right approach?


The mobile payments parallel

It’s instructive to look at more recent examples of approaches to standardisation. Mobile payments are taking off in some countries more than others – is having a standard approach helping drive adoption?

Not really: the biggest success story of mobile payments is undoubtedly M-Pesa. Transactions made using M-Pesa in Kenya are valued at around half the country’s GDP. In Tanzania the service boasts more than five million users. Since its launch the service has expanded to Afghanistan, South Africa, India and most recently Eastern Europe. M-Pesa has been widely praised for giving millions of individuals access to financial services, and it gained widespread adoption because it works and does not require major technology or consumer behaviour changes. M-Pesa’s position as a proprietary standard has no bearing on this.

Elsewhere NFC, the tap-and-pay mobile payment standard formed in 2002, has failed to gain significant traction despite vested organisations throwing millions of marketing dollars at the problem. Businesses and consumers opt for technology that is proven to work and is widely adopted because it reduces complexity.


Simplicity and utility will win out

A standards body in 1840 demanding that everyone in Leeds change their clocks by six minutes would have had limited success. However, people willingly signed up to the standard because it made life more convenient for them – they knew they would catch their train without going from local time to railway time.

Similarly, app-based payment services show that simplicity and utility are the drivers in the industry – proximity isn’t a necessity and there is more required to boost the adoption of NFC than reducing queue times. NFC payment options such as Apple Pay and Samsung Pay based on standardised approaches are struggling for user adoption. Recent research from First Annapolis found that only 15% of registered Apple Pay users are using the service on a regular basis.

But what do Railway Time and mobile payments mean for FIDO and Mobile Connect? These standards bodies may be putting out big numbers – FIDO certifies 150 products; Mobile Connect is available to 2bn people – but these tell us nothing about actual adoption. The view that global interoperability of standardisation will work and should be widely adopted by users is often only valued by those with vested interests – such as associations like the GSMA and FIDO or network players including Visa and SWIFT. Instead, we should be standardising after widespread adoption, once we know what truly works.


Standards don’t equal success

Ultimately, standards don’t mean success. They are usually a red herring when it comes to evolving authentication technology for the benefit of all stakeholders – rather than a few.

Proprietary solutions – particularly biometrics and other device-based approaches – are where most of the progress and, critically, adoption can be seen. A great example of this is HSBC’s recent announcement that voice recognition technology would be used to authenticate 15 million consumers – all without standardisation.

On the other hand, there is currently little, if any, evidence that FIDO or Mobile Connect standards are being deployed with the user in mind.

We know that better authentication needs to be widely adopted, in every sector – no matter how often we declare the password dead, it still stumbles on, zombie-like. Once the password truly is dead and better authentication solutions are widely adopted, only then will it be useful and necessary to define the authentication equivalent of Railway Time.

