Are You Sure You Want to Continue? Consumer Authentication at the Crossroads


Janet Lo, John Lawford


Public Interest Advocacy Centre (PIAC)




This report looks at the consumer experience with electronic authentication. Authentication is the process that is used to ensure that a person is who she or he reports to be. Electronic authentication systems are increasingly widespread in our information society. Authentication systems are often discussed in terms of three factors: something that is known by the individual, something that the individual has, and something that the individual is. Consumers encounter authentication in banking and online retail services. For transactions conducted in person, the most common consumer authentication solution is two-factor authentication by a card in the customer's possession and a PIN that the customer knows. The most common consumer authentication solution for online transactions is single-factor authentication by a username and password, as both authenticators are known to the customer. Some authentication systems add extra layers of security by asking security questions known to the individual. As well, there is an increasing number of portals through which the consumer can access a number of services after a single authentication process. Despite the widespread use of electronic authentication systems in consumer transactions, a number of studies have shown that consumers are still resistant to authentication services and frustrated with the lack of security provided by online bank services and online retailers. In a survey constructed by PIAC, the majority of respondents felt that there were security and privacy risks inherent in online banking and retail transactions. In particular, consumers are concerned about hackers, identity theft, monetary fraud and the loss of privacy. Phishing is a type of attack that targets weak authentication systems.
As phishing threats increase in frequency and become more complex, widespread consumer adoption of authentication systems will only occur if individuals trust strong security and privacy protections built into authentication systems. Industry Canada convened an Authentication Principles Working Group to study the issue of authentication in Canada. The Working Group published six principles for electronic authentication in May 2004. These principles have not been updated since, though there have been various international and national government initiatives to address authentication. The Principles fail to provide adequate protection for consumers, as they are too broad to provide guidance for the design and implementation of authentication systems that promote strong security and respect consumer privacy. Secure authentication systems that respect user privacy will boost consumer trust and confidence in electronic commerce. At the same time, authentication systems should be user-friendly such that they are not overly cumbersome for the average consumer.

This document is available in the following language(s):

English only

OCA Funded Research
This research received funding support through the Office of Consumer Affairs' Contributions Program.

Contact information

Public Interest Advocacy Centre (PIAC)
285 McLeod Street, Suite 200
Ottawa, ON   K2P 1A1
(613) 562-4002
(613) 562-0007

Source: Consumer Policy Research Database