Reflections on RSA Conference: Vendors Stepping Up to Challenges of Strong Authentication for Mobile Users

In spite of pre-conference concern surrounding the roles information security (Infosec) technology providers like RSA play in the scheme(s) of government surveillance programs, the RSA Conference drew close to 30,000 people to (in the carefully chosen words of the conference organizers) "Share. Learn. Secure." It certainly was a learning experience for me: one that started with a panel of CISOs (Chief Information Security Officers) discussing the challenges of applying the appropriate level of security to mobile devices, apps or content without greatly inconveniencing mobile users or busting the budgets allocated for technology that must now protect enterprise information and facilities from physical entry, denial of service attacks, advanced persistent threats, malware and all forms of unwanted access.

As a strong proponent of biometrics-based authentication, especially the use of voiceprints for mobile access, I was gratified to observe that the infrastructure, protocols and business processes are coming together to make simple, secure and trusted mobile access more accessible to business enterprises. Two development and marketing initiatives drove home this point. The most dramatic was the high-profile progress that the FIDO Alliance was able to demonstrate when comparing this year's RSA to last year's. It's hard to believe that FIDO (Fast ID Online) was just making its debut to the world in February 2013. Its founding members included voiceprint specialist Agnitio, semiconductor manufacturer Infineon Technologies, computer maker Lenovo, security software infrastructure provider Nok Nok Labs, PayPal, and sensor maker Validity.

Barely a year later, at RSA Conference 2014, FIDO Alliance held an awareness-raising event in which it could boast nearly 100 members, including a Board of Directors that includes representatives from Google, MasterCard, Discover Card, Bank of America, Microsoft, PayPal and RSA. It could showcase real-world implementations of its "simpler, stronger, authentication." Even more importantly, when it hits the century mark, most of the new alliance participants will be regarding the two FIDO frameworks (UAF or "Universal Auth Framework" and U2F for "Universal Second Factor") as de facto, industry-initiated standards for either replacing or augmenting "username/password" as the predominant authentication method for mobile devices as well as computers. The magic words involve members' agreement to "share technology and collaborate to deliver open specifications for universal strong authentication." They have made great strides.

While walking the exhibit hall, it was pretty clear that Identity and Access Management (IAM) represents a small percentage of the floor space. Those linking biometrics to IAM are fewer still. Yet the need for a simple way to secure mobile devices, apps and content is causing both the security and IT community to look more closely at their alternatives. I was particularly impressed by the technology provided by Mocana, which positions itself as living at the "intersection of security, mobility and the Internet of Things." That's a bold statement, but its core new offering is the Mocana Atlas(TM) Extended Enterprise Engine. As the product managers described it to me, it sounds like a core, missing piece to the security dilemma that BYOD (Bring Your Own Device) has introduced to the enterprise IT ecosystem. 

Mocana's approach secures individual mobile applications in a way that is indifferent to the mobile platform in use or the nature of the app itself. Enterprises install a highly-scalable, purpose-built security appliance on their networks and it establishes a protected link between enterprise systems and databases and the apps running on mobile devices. To prevent the establishment of yet another security system, the protection is established on a "per app" basis. The apps themselves are developed separately from the security infrastructure. As the marketware explains: this approach to Mobile App Protection "injects new security into existing third-party, hybrid and in-house enterprise app binaries... no coding or security expertise required." This "decoupling" of apps for app security overcomes all sorts of fragmentation and shortens the time it takes to launch new mobile apps in the enterprise.

Perhaps most important from a mobile authentication point of view, it supports the existing auth mechanism which, ideally, could be set up with a "Single Sign On" approach for all the MAP-protected apps. The enterprise can use the token of its choice, including voice biometrics.

Apple CarPlay vs. Google OAA: The Race for the Connected Car Starts Now

In some ways the automobile is the ultimate "mobile device." Pundits, analysts and prognosticators have been anticipating the rise of "telematics" for 20 years. The "connected car" has finally arrived in earnest.

While services like GM's OnStar and several others, including Microsoft Sync and proprietary in-dash navigation systems, have offered a promising glimpse into the future of in-car services, Apple and Google will drive, so to speak, the mainstreaming of these experiences. Apple today formally announced "CarPlay."

Previewed last year at the Apple developer WWDC event, the service is rolling out this week in vehicles from Ferrari, Mercedes and Volvo at the Geneva International Motor Show. A wide range of other automakers are also signed on: Chrysler, BMW, Ford, GM, Honda/Acura, Hyundai, Jaguar Land Rover, Kia, Mitsubishi, Nissan, Toyota and a few others.

The CarPlay experience is currently built around calls, messaging, music and maps. Siri is also at the center of CarPlay, offering eyes-free control over apps.

While most iOS apps won't be available through CarPlay, it will become a new platform that will undoubtedly see modified versions of existing iOS apps and totally new apps specifically designed for the in-car experience.

Users will need an iOS 7 iPhone to participate. More importantly, they'll also need a new car. Thus it will take several years for CarPlay to take hold as a mainstream phenomenon and reach millions of drivers. 

Google has a competing "connected car" initiative modeled on its highly successful Android "Open Handset Alliance." Called the “Open Automotive Alliance,” it's currently supported by Audi, GM, Honda and Hyundai. Others will probably join the list as Google offers incentives to automakers and pushes for greater reach.

The in-car market now becomes like the living room -- another battleground in the war of mobile ecosystems.  

Microsoft, which was first of the big internet competitors to market with Sync, is at a disadvantage because of the relatively limited adoption of its mobile devices. The company will now be compelled to step up its investment in and development of Sync, as well as its lobbying of auto OEMs. 

These competing efforts are good news for consumers and app developers and bad news for terrestrial radio, which has so far escaped the kinds of major disruption that other traditional media, save TV, have experienced.  

Mobile Devices Generating 30% Of Global, US Internet Traffic

Data from e-commerce platform ShopVisible's 2013 year in review report argues that mobile devices (smartphones + tablets) were responsible for 30% of all traffic to its e-commerce clients last year. Mobile devices, however, drove far fewer e-commerce sales (15%) compared with their traffic percentage.

To determine how representative of the broader market these ShopVisible figures were, I consulted StatCounter. That site confirmed that 30% of traffic in the US market is now coming from smartphones and tablets. The percentage is nearly identical globally. For retailers and those in the "local" segment, the percentages are 10 or more points higher.

Source: StatCounter US platform traffic comparison

Europe's mobile share of traffic is lower, probably because of slower Eastern European smartphone adoption. According to StatCounter, below are the relative percentages of internet traffic by platform (rounded):

US market

  • Desktop: 70%
  • Smartphones/mobile: 21%
  • Tablets: 9%

Europe 

  • Desktop: 80%
  • Smartphones/mobile: 13%
  • Tablets: 7%

Globally

  • Desktop: 72%
  • Smartphones/mobile: 22%
  • Tablets: 6%

Yesterday the Pew Research Center put out a survey based report (1,000 US adults) that reflected on the 25 years of the internet since Tim Berners-Lee wrote his seminal paper about a distributed network of computers and documents linked together by “hypertext.”

Here are the high-level US data from that report: 

  • Computer use: 81%
  • Mobile phones (all types): 90%
  • Internet use: 87%
  • Smartphone ownership: 64% (others say 65%) 

We can anticipate that smartphone ownership will eventually approach 100% of the mobile population. That may take three to five years however. In the near term we'll see 70% smartphone ownership (at least) by the end of 2014.

An increasing number of smartphone and tablet owners prefer or use those devices first vs. PCs. However the majority of e-commerce transactions (not counting things like restaurant reservations and Uber payments) are likely to continue to take place on desktop computers. 

The conversation about the role of mobile vs. PCs shouldn't be an "or conversation"; it's an "and conversation."

Amazon Top Mobile (and PC) Search Advertiser for January

AdGooroo, a division of Kantar Media, last week released data on the top mobile search advertisers in the US, UK and Australian markets. The data represent the month of January 2014 and are based on impressions triggered by the top 50,000 search keywords. 

These data are drawn exclusively from Google and Google AdWords. The chart below reflects the top 20 mobile AdWords advertisers. 

http://www.adgooroo.com/wp-content/uploads/2014/02/Top-Mobile-Search-Impressions-AdGooroo-Jan-2014.jpg

The list can be seen as a mix of telcos, financial institutions and retailers essentially. Compare the impression gap between Amazon and BestBuy and the rest of the group for that matter. 

As part of its analysis AdGooroo compared mobile search rankings on the PC and smartphones. Amazon turns out to be the top paid-search advertiser on both platforms. But there were a number of gaps between PC and mobile rankings/performance. For example, WellsFargo "ranked #9 in Mobile Search, with 11.5 million impressions, but 137 in Desktop/Tablet Search, with 12 million impressions."

There were a few advertisers that saw more mobile than PC search impressions. But equally there were advertisers, such as Wal-Mart and JCPenney, that ranked well on the PC but not as well in mobile search results. 

As of last year Google began compelling marketers to buy both PC and mobile search campaigns and set the PC bid as the floor, as a practical matter, for the campaign. Mobile bids can be adjusted up or down, depending on a number of variables including location. In other words marketers can specify a premium they're willing to pay to get in front of smartphone users within a certain radius from a business location.

Informally this week a Google employee at a conference dropped a bomb, saying that mobile search was projected to exceed PC search traffic by the end of the year. This was a casual remark as I understand it and not necessarily an official Google statement. In addition, I heard it second hand so I don't have more context to share. It's not clear what's included in "mobile search" query volume here (i.e., Maps, mobile web, apps). It's also unclear whether this is a US-only or global projection.

Webinar Today: Join Aisle411 and iInside for Indoor Case Studies

At 1pm Eastern/10 Pacific today we'll be hosting a new webinar: Indoor Location - Early Adopter Case Studies and Lessons Learned. It will feature Aisle411 co-founder Matthew Kulig and iInside EVP Jon Rosen. The emphasis is not on theoretical information but on what's actually occurring in the market -- today.  

Rosen will be talking about B2B case studies from current in-market deployments. He's going to cover:

  • Retailer KPIs
  • Measuring the impact of operations, merchandising and marketing on customer behavior in a specialty retail context 
  • Using indoor analytics to benchmark online marketing campaigns
  • Optimizing checkout selling in a grocery context
  • Using indoor analytics to measure and address showrooming 

Kulig will be discussing B2C cases, including the following:

  • Indoor app-based search and ad CTRs
  • Retailer monetization through branded in-app advertising
  • Location and intent based recommendations in store apps  

I'll be offering a general overview of the state of the market and offering attendees a free copy of our recent "Mapping the Indoor Marketing Opportunity" report (only available to real-time attendees). 

The webinar will be eye-opening and instructive to indoor neophytes and those with even considerable knowledge of this emerging market. Register now and show up later today.  

Bridging the WhatsApp-Facebook Advertising Chasm

WhatsApp may cross the threshold of a billion users later this year. The first year is free, thereafter it costs $0.99 per year per user.

If we assume that every one of those hypothetical billion users starts paying $1 per year, the company would bring in an additional billion dollars in revenue to Facebook, which just purchased (subject to regulatory approvals) the company for $19 billion in cash and stock.

While many are arguing that WhatsApp was not expensive by some standards (cost per user), Facebook will over time be compelled to justify the acquisition by making money off of it. And that doesn't just mean fee-based revenue.  

Facebook CEO Mark Zuckerberg and WhatsApp CEO Jan Koum have very different views about privacy and advertising. The Wall Street Journal sums those up nicely in an article today:

The men are divided by more than differing approaches to making money. A legacy of his childhood in Ukraine is Mr. Koum's emphasis on privacy: WhatsApp doesn't collect any personal information other than a mobile-phone number and address book, and it wipes out messages shortly after they are sent . . . Mr. Zuckerberg, by contrast, has riled users by changing Facebook's privacy settings in ways that some thought exposed more of their personal information more widely.

Koum doesn't trust or like advertising; Facebook lives and dies now by the growth of its ad revenue. Something's got to give then. 

Either Koum and WhatsApp will bend on privacy, data mining and ads or there will need to be some accommodation to Koum's positions. That compromise could come in the form of opt-in SMS-style marketing.

Companies such as Placecast and other SMS-based mobile marketing firms use double and triple-opt-in systems to ensure that users consent to receive marketing messages from brands and retailers. This kind of permission-based (including loyalty) marketing could be a way around the conundrum for Facebook and WhatsApp.

The market will expect Facebook to monetize WhatsApp usage at some point in the future. Subscription revenue will probably not satisfy investors because of the perceived, larger marketing opportunity. Less intrusive, permission-based SMS-style opt-in marketing could be a way forward for the two companies.  

TruePosition Acquires Skyhook Wireless, Bolsters Indoor Location Services

Location technology provider TruePosition has acquired Skyhook Wireless for an undisclosed sum. Skyhook Wireless provides location positioning and gathers contextual data on consumer mobile behavior. The company has also been involved in multiple lawsuits accusing Google of patent infringement and unfair competitive practices.

Skyhook was founded in 2003 by Ted Morgan and Mike Shean to map wireless access points but has since expanded solution offerings focusing on mobile consumer behavior and associated analytics. Recently, Jeff Glass, formerly with mQube and Bain Capital Ventures, was named CEO.

Cellular location company TruePosition, a subsidiary of Liberty Media, is mainly focused on public safety applications for indoor location technologies including locating emergency callers and protecting borders and infrastructure. The acquisition bolsters the product portfolio of both companies by leveraging their complementary technologies, according to the press release about the acquisition.

“Skyhook's commercial focus balances TruePosition's safety and security strengths, and their location technology further strengthens TruePosition's ability to accurately locate mobile phones indoors,” said Steve Stuut, CEO of TruePosition, in the statement.

Skyhook's lawsuits against Google, the first of which was filed in 2010, claim Google interfered with its relationships with two hardware manufacturers, Motorola and “Company X” (Samsung). Google has consistently insisted it has done nothing improper; the legal battle is expected to go to trial sometime this year.

Mobile Ordering, Payments Coming to All QSR with Job Losses to Follow

Fast-Food (QSR) chain Taco Bell will soon offer mobile ordering throughout its US locations. Sibling chain Pizza Hut, Chipotle Mexican Grill and others have already implemented mobile ordering.

Very soon thereafter, if not simultaneously with mobile ordering, will come in-app mobile payments. Later we'll have in-store mobile payments as well. 

All QSR (and Fast Casual) restaurants will eventually offer mobile ordering and payments. OpenTable is in the process of trialing mobile payments in its fine-dining oriented app. That will represent a radically improved customer experience and improved security as well (unless these databases get hacked). 

A mobile ordering and payments-enabled app makes sense for QSR for many reasons. Adoption by chains will be driven in part by competitor rollouts of these capabilities. But another compelling reason will be consumer loyalty. App users will generally become more loyal and frequent customers; app-based ordering and payments will form the core of loyalty promotions. The data can also be used for mobile advertising and retargeting purposes. 

A recent report from JiWire showed how mobile (and apps in particular) were more influential than the PC internet in driving consumer purchase decisions in the QSR and fast-casual dining segments.

Within three years we're likely to see the US QSR industry transformed by mobile ordering, payments and mobile loyalty marketing. In general all this will mean a better experience for customers. 

The "dark side" of these developments, however, will be the inevitable elimination of thousands or even millions of low-paying cashier jobs. That trend will later come in mainstream retail as well.

According to the US Bureau of Labor Statistics cashiers and retail salespeople constitute just under 6 percent of total US employment. But it's the largest single jobs category. Indeed the "bottom of the market" will be automated in the near future -- largely through smartphone apps. Only legacy software systems and perhaps union resistance will delay the trend. 

When customers in QSR restaurants can order or pay more quickly and efficiently through their phones (with stored credit cards) fewer cashiers and related employees will be required. This will also be true in Fast Casual restaurants. Where once you needed four wait staff perhaps now you'll need two or even one person. 

Media Still Fixated on 'Surveillance' Angle of Indoor Location

There are two themes running through most of the coverage of indoor location: gee-whiz technology and NSA-style "surveillance." While both approaches have generally been good for the sector, which has gained visibility accordingly, the "surveillance meme" is both unfair and largely inaccurate. 

In the general debate over consumer behavior tracking and data-centric targeting the "offline world" has largely been ignored. The practices and data-mining in use there are longer-established, more aggressive and much more shadowy than the online/digital media world. Yet the media devote almost zero attention to that arena because we have lived with it for so long. 

By the same token, video cameras have been watching people in retail (and other) environments in the US for something like 40 years. That fact is rarely if ever "remembered" or raised in the public discussion of indoor positioning and location. Why? Because we're all "used to it"?

A recent Bloomberg article about location-analytics provider Placed is a case-in-point. The headline emphasizes the more sensational aspects of what the company does (for impact) and the lede ties the project to the NSA scandal: "Tracking Every Move You Make—for a $5 Gift Card . . . Here’s something the National Security Agency might try to ease resistance to surveillance: gift cards." 

I certainly understand the journalistic "logic" behind these choices but they're misleading. Placed has what amounts to a triple opt-in process. Its users, who are offered incentives to share their location, are very clear on what they're doing. It's totally voluntary. But the article only mentions that in passing, "Placed asks users for permission and scrubs personally identifying information before companies see the data." It's more concerned with the data and inferences Placed can discern and deliver. 

That's all fine. But in neglecting to fully describe the opt-in enrollment process, the article fails to adequately represent what's going on with consumers. 

The implication still is that people don't fully understand what's happening or what information is being compiled about their behavior. The article suggests, with its lead, that Placed users, despite their voluntary participation, are still being somehow duped: they're giving up their sensitive behavioral and location information for "a five dollar gift card." 

It matters because people will voluntarily participate in these systems and services when they understand the benefits and how their data are being used. It goes to questions of transparency and consent. Many articles operate under the deeply held assumption that if people truly understood what was happening with their information they would never share it with companies. (That's certainly true in many of the "offline" cases.)

But when it comes to location and indoor location specifically people will trade their information for tangible benefits or a better experience. This has been shown repeatedly and Placed's panel is just one more example.  

Writing about the mechanics of disclosure and opting-in gets tedious and boring. So does the idea that people will willingly share location for improved in-store experiences or incentives. That's why we're likely to continue to see these "us vs. them" articles for the foreseeable future.

Make no mistake, consumer privacy is a critical issue. Indoor location providers, retailers and others need to be highly respectful of that. And there are some who want to make the default consumer experience of indoor location opt-out. But most of the entrepreneurs and companies I've spoken to are very sensitive to and respectful of privacy.

The questions going forward should concern what sorts of experiences and disclosures must be presented to consumers to engage and educate them and gain their informed consent. Indeed, we'll be having this very discussion in much more nuanced and concrete detail at the next Place conference in New York in a panel led by Jules Polonetsky.

Alex and Ani Deploys iBeacon in All Its Retail Locations

Bluetooth iBeacons are definitely the indoor positioning technology with the buzz and momentum (though it's only part of the indoor location story). Today jewelry and accessories retailer Alex and Ani announced that it's deploying iBeacons in all its 40 US retail locations in partnership with Swirl.

Previously American Eagle announced it would also introduce iBeacons into its stores with ShopKick. However the Alex and Ani rollout is already complete. 

Swirl offers a consumer-facing app that adapts or changes depending on the store the customer visits. Swirl is also working with Timberland and Kenneth Cole. Alex and Ani doesn't yet have its own app but later plans to develop one using the Swirl SDK. Swirl installed the hardware in all the Alex and Ani stores. 

I was able to speak yesterday with Ryan Bonifacino, vice president of digital strategy for Alex and Ani. He comes from a venture capital background and is very focused on innovation and data usage. While most retailers and venue owners are still sniffing around the edges of indoor location Bonifacino said that Alex and Ani began testing iBeacons with Swirl in Q1 of last year in its New York and Boston stores. 

That's well before most people had heard of iBeacon.  

The data and insights the company gained during its two-store trial convinced Bonifacino that a full rollout was justified. Bonifacino said he was pleased with Swirl's ability to drive new customers into the company's stores, especially at times when regular foot traffic was generally lower. 

He explained that the new Swirl-driven customers actually spent more time in the store but purchased at levels that were comparable to Alex and Ani's regular customers. Indoor location was also able to provide greater visibility into who these new customers were. 

One of the things that Bonifacino is looking forward to most is the ability to collect data about in-store behavior and to test and optimize merchandising and displays. Beyond this, Bonifacino wants to provide a better in-store customer experience and believes that indoor location can help accomplish this.  

We spoke at some length about Alex and Ani's use of data in its marketing efforts and how data captured in stores would contribute to improving or refining those efforts. Bonifacino, however, was quick to say that the company is highly respectful of privacy and looking only at aggregate customer behavior. 

Alex and Ani also sells its jewelry and accessories through major retailers such as Bloomingdales and Nordstrom. Even though those retailers are separately examining indoor location Alex and Ani is helping educate them, says Bonifacino. The company hopes to use indoor location to promote its products and attract customers to its displays in those larger retail partner stores later this year.