Strong Customer Authentication: The Security vs Accessibility debate highlights the need for deep solutions
This Monday sees the introduction of the requirement for online merchants in the UK to operate a form of“strong customer authentication” (SCA). Originally planned for before the pandemic, the implementation has been delayed by years to allow merchants the chance to get ready. Some still won’t be — and as a result many consumers will have some online transactions declined.
What is SCA? In short, more transactions will require a secondary method of verification, such as a code sent via text, in order to complete the transaction. The purpose, according to the Financial Conduct Authority (FCA) website is:
“to reduce the risk of a fraudster pretending to be you to steal your money”.
This is a tale as old as time. Additional, burdensome, measures introduced “for protection.” But I don’t want to talk about general freedoms. This is yet another friction in accessing day to day life (see my pieces on why these are so damaging here and here).
I want to explain briefly not so much why this is a friction that will damage disabled people (I’ll give that a simple paragraph) but why it is symptomatic of a wider problem we have as a society — the failure to invest in and find deep solutions to problems, meaning that the solutions we do find end up being inadequate patches that end up excluding those who are already most vulnerable to inequality.
First, the nature of the friction. Extra steps in themselves cause extra friction. For some people, especially those with executive dysfunction, or whose condition includes a cognitive impairment, or exhaustion, this in itself can mean that some things that would otherwise be possible are tipped into being impossible. More things become possible only at times when energy levels are at their highest, or meds their most effective, meaning payments and opportunities may be missed for no good reason. Other things will be possible only when a carer is present (for those lucky enough to have access to a carer) — meaning that people who already have less autonomy than most are stripped of part of what remains.
All of these things will mean widening inequality — less access to opportunity; more likelihood of problem debt; less access to cheaper payment options; less autonomy; less self-esteem; and the knock-on effect of each of those.
I don’t think many of us would say security is a bad thing. The question is rather — given the years we’ve had to implement new levels of security, why has there been so little focus on finding methods that are not only more secure, but do not limit accessibility? The FIDO Alliance, for example, is doing great work on this, but it is largely if not completely ignored in the UK.
I want to answer the question by pointing to another similar issue. Single use plastics. Single use plastic is bad for the environment. That’s not controversial. What is less obvious is why the world has by and large responded by banning single use plastics and considering the job done — leaving disabled people who need single use straws, for example, with their horizons shrunk or, at best, their autonomy reduced as they now have to disclose medical information and experience the anxiety of doing so in order to make a special request. (For more detail on the straw debate, see my piece here).
Looking at the response to disabled people’s comments illustrates one key reason for this approach. Many people say, “can’t you just use…” and come up with an alternative to plastic straws that fails to do what is needed. That is to say, many don’t understand disabled people’s actual needs. They assume that our needs are the same as theirs, see that theirs would be met with an alternative, and assume ours would be too.
Society, that is, has an empathy problem. People assume our needs as disabled people are the same as theirs. They assume therefore that a solution that works for them will work for us. So they fail to invest in deeper solutions to problems — in the case of plastics, investment in materials research, for example. Because they don’t see the need.
When it comes to SCA, they understand that it’s an inconvenience. But they fail to go beyond that. They genuinely see it as a shared inconvenience between us and them, and believe that the search for a solution that does not create the access needs outlined above is unnecessary — or worse still amounts to “special treatment” that’s unwarranted because “we’re all struggling.” They also fail to see that when a large proportion of the population will be disabled at some time in their life, this is also both a wider economic problem, and a problem that could affect them.
So what’s the answer? Well, we need regulators to take a lead on SCA. The FCA has strong guidance on vulnerability. “We want vulnerable consumers to experience outcomes as good as other consumers and to get consistently fair treatment across the sectors we regulate,” the say. But when it comes to SSCA they fall back on the tired and lazy “minimizing disruption.”
Because at a fundamental level they, like the rest of society, believe two things:
- “Accessibility” is about people who are “in trouble.” It’s not about people accessing life enriching experiences. It’s about people in problem debt, not those wanting to make a luxury purchase. This is the same logic that means lecture theatres will provide step free access for the audience — but not for professors doing the lecturing. The irony, of course, is that the inequality created by this assumption is what makes it more likely to be true.
- Friction is, at heart, a matter of convenience. It’s about user experience not about accessibility.
Unless we change these two preconceptions, and as a result see the need for investment in deep solutions to problems that really work for all, inequalities will continue to widen and the regulators who could have changed this will continue to scratch their heads and wash their hands as to why.