Security should not cost the earth

Andy Kemshall says token-based authentication technology is damaging our planet

HSBC, arguably one of the UK's most recognised and trusted financial services brands, last June rolled out secure key devices for its customers to add a layer of security to its online banking service.

It's not known exactly how much these little plastic devices cost, but they cannot be cheap, and there are additional costs that have to be covered as well.

Token deployment itself can take many months, and so can the marketing and mailings to each customer. Then there are the ongoing support, management and replacement costs.

I believe that about 10 per cent of these physical tokens are likely to fail per year. For HSBC that must mean replacing some 50,000 tokens annually. The typical lifespan is between three and five years.

The cost to the planet from production, disposal and deployment is considerable too.

I believe producing and distributing 4,000 tokens can use up millions of tonnes of CO2, equivalent to many million trees. I wonder if HSBC thought about this, and what if every organisation adopts this physical token technology?

We would end up having to walk around wearing token necklaces.

While it's true that you can't really put a price on security, and we applaud any responsible organisation that looks to protect its customers, we all have a responsibility to consider our impact on the planet.

Yet practically every pocket holds what I consider to be the perfect key: SMS technology.

Most people have a mobile handset capable of receiving text messages. Organisations can easily use this existing mobile technology to replicate a physical token.

You don't need additional software on the user's phone, thus eliminating complex testing, support and training requirements. This is particularly relevant as phone interfaces change with each new model.

A passcode is sent to the user as a text message, turning the mobile into a 'soft' token. I believe soft token authentication can halve ongoing running costs.

And there's no reason why dozens of soft tokens could not be carried on a single device.

If you lose a separate piece of plastic you probably wouldn't notice until you next needed it. But many, if not all, will notice a missing mobile phone almost immediately. I believe this reduces the chances of tokens falling into the wrong hands.

Wouldn't you want to cut your carbon emissions if you had the chance? We would encourage and urge businesses to think about tokenless authentication, which I believe goes a long way towards helping the planet and can be brought to you by a British company too.

Andy Kemshall is co-founder and technical director of SecurEnvoy