Authentication is the process of verifying that a user requesting access to a service is who they claim to be. Until recently, simple credentials in the form of a username and password would suffice, but today's security standards demand something much stronger.
Different business requirements demand different security levels, achieved by carefully choosing or combining the available authentication methods. User experience plays a significant role in customer satisfaction during online payment processing, so the authentication method applied must provide convenience and security at the same time. If the process is inconvenient or does not run smoothly, cart abandonment rates rise. If it does not provide appropriate security, payment-card fraud rises and results in chargeback costs.
Balancing security and user experience is a challenge, but we at ASEE know how to approach it. The answer lies in Strong Customer Authentication (SCA), which accommodates a range of authentication methods tailored to the user's needs.
Strong Customer Authentication (SCA) became mandatory under PSD2 on 14 September 2019, when the regulatory technical standards on SCA started to apply. SCA adds a layer of security to online payments and requires at least two independent authentication factors from the following categories: knowledge (something only the user knows, such as a PIN or password), possession (something only the user has, such as a registered phone or hardware token), and inherence (something the user is, such as a fingerprint or face). Independence means that compromising one factor must not compromise the other, and for remote payments SCA additionally requires dynamic linking: the authentication code must be specific to the amount and the payee the user was shown, and must be invalid for any other transaction.
This means that stakeholders needed to get creative and adopt a variety of authentication methods for the end-user in order to process seamless and secure online payments.
We prepared a comprehensive list of authentication methods that provide both security and convenience during the processing of an online payment. Let's dig in!
Biometric authentication relies on a user's distinctive biological traits to verify their identity, which makes it one of the most secure authentication methods available today. It also causes less friction than knowledge-based methods such as PINs and passwords, making for a great user experience. The most common identifiers are fingerprint scans, facial recognition and voice recognition. In practice the biometric match is typically performed on the user's own device, which then releases a device-bound key or signed confirmation to the bank; the biometric itself never leaves the device, so what the bank actually verifies is possession of the enrolled device plus a local inherence check.
Hard to spoof – biometric identifiers such as fingerprints or retina patterns are distinctive for each individual, and because matching happens on the device, a stolen template or password is of no use on another phone. When combined with dynamic linking (i.e., binding the authentication code to the transaction amount and payee), a captured approval cannot be replayed for a different transaction.
Simple to use – does not require memorizing various PINs and passwords; the authentication process is straightforward.
Fast and reliable – a biometric check takes a moment and cannot be forgotten or mistyped, so it is less time-consuming than entering a password.
Privacy concerns – one of the major objections users have to this method is privacy. Even though the concern is largely subjective, it prevents a significant number of cardholders from using it. In practice biometric templates are stored in the device's trusted environment (a secure element or trusted execution environment), encrypted and inaccessible to the regular operating system and to the payment application.
Possible errors – every biometric matcher has a false acceptance rate (an impostor is accepted) and a false rejection rate (the legitimate user is refused). Tightening the matching threshold lowers one and raises the other, so the threshold is a trade-off between security and friction.
QR code authentication is used both for user login and for transaction validation. A typical transaction-verification flow starts with the user logging into their internet banking web application and opening a payment order. The web application offers to process the payment using a QR code presented on the screen. The user scans the QR code with the authenticator software on their smartphone (which can be part of their mobile banking application). The QR code carries the transaction details, or a challenge bound to them, so the authenticator can display the decoded amount and payee; the user compares them with the order on screen and, only if they match, confirms the payment in the app. Because the confirmation travels over the phone's own channel rather than the browser session, a compromised browser cannot silently approve the order.
Simple to use – the authentication process is straightforward.
Combines with other factors – easily combined with a second factor (for example the PIN or biometric that unlocks the authenticator app) to satisfy SCA.
No additional hardware – independent of third-party hardware such as dedicated token devices.
Lack of familiarity – the general public is not widely familiar with this method, which can result in a poor customer experience.
Device dependence – requires a smartphone with a camera and the correct reader software capable of scanning the QR code.
This simple yet effective method sends an SMS message to the user's registered mobile phone containing a one-time password (OTP), which the user types in to finalize authentication of the online payment.
Simple to use – the authentication process is straightforward.
Possession check – only the person holding the registered phone receives the OTP, so entering it serves as evidence of possession of the device.
Familiarity – SMS OTP is one of the oldest forms of two-factor authentication, so users understand it and virtually every system supports it.
Mobile network requirement – SMS needs cellular coverage (not a data connection); a user with no signal cannot receive the OTP. SMS delivery is also not guaranteed to be real time, so the code may arrive after the authentication window has expired.
Compliance – SMS OTP is a single, and weak, possession factor, so on its own it does not satisfy PSD2: if the phone is stolen (and the code is previewed on the lock screen), the fraudster receives the OTP directly, and SIM-swap fraud or SS7 interception lets an attacker receive it without ever touching the device. The EBA's 2019 opinion on SCA elements accepts an OTP received on a registered device as evidence of possession, but only alongside a second, independent factor, and for remote payments the message itself must carry the amount and payee so that dynamic linking is met.
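The following is an added example, not code from the original page or from ASEE, of how an issuer-side SMS OTP service can be built so that the weaknesses listed above are contained: the code is random and short-lived, stored only as a salted hash, accepted once, locked after three wrong guesses, and the message text repeats the amount and payee so the user can compare them with the order on screen. The SMS gateway is replaced by an in-memory list, the phone number, amounts and payee are constructed values, and the class and function names are this example's own.

```python
import hashlib
import hmac
import re
import secrets
import time

OTP_DIGITS = 6
OTP_TTL = 300       # seconds; long enough for delayed SMS delivery, short enough to bound guessing
MAX_ATTEMPTS = 3    # a 6-digit code only survives online guessing if attempts are capped hard


class SmsOtpService:
    """Issuer-side OTP lifecycle for one payment: issue, send, verify once.
    Constructed example; the SMS gateway is replaced by a list."""

    def __init__(self):
        self.pending = {}        # txn_id -> {salt, digest, expires_at, attempts}
        self.sent_messages = []  # (phone, text) pairs, standing in for the gateway

    def issue(self, txn_id, phone, amount, payee, now=None):
        now = time.time() if now is None else now
        code = f"{secrets.randbelow(10 ** OTP_DIGITS):0{OTP_DIGITS}d}"
        salt = secrets.token_bytes(16)
        # Only a salted hash is kept, so a leaked database does not leak live codes.
        self.pending[txn_id] = {
            "salt": salt,
            "digest": hashlib.sha256(salt + code.encode()).digest(),
            "expires_at": now + OTP_TTL,
            "attempts": 0,
        }
        # The text repeats the amount and payee: the user should refuse to type a code
        # issued for "120.00 EUR to Example Ltd" into a page that shows anything else.
        text = (f"Your code for the payment of {amount} to {payee} is {code}. "
                f"It expires in {OTP_TTL // 60} minutes. Never share it with anyone.")
        self.sent_messages.append((phone, text))

    def verify(self, txn_id, submitted, now=None):
        """Returns 'ok', 'expired', 'locked' or 'wrong'. The entry is dropped on
        success, expiry and lock-out, so a code can never be accepted twice."""
        now = time.time() if now is None else now
        state = self.pending.get(txn_id)
        if state is None:
            return "wrong"   # unknown or already consumed: same answer as a bad guess
        if now > state["expires_at"]:
            del self.pending[txn_id]
            return "expired"
        state["attempts"] += 1
        digest = hashlib.sha256(state["salt"] + submitted.encode()).digest()
        if hmac.compare_digest(digest, state["digest"]):
            del self.pending[txn_id]
            return "ok"
        if state["attempts"] >= MAX_ATTEMPTS:
            del self.pending[txn_id]
            return "locked"
        return "wrong"


def read_code_from_sms(text):
    """What the user does by eye: pick the 6-digit code out of the message."""
    match = re.search(r"\bis (\d{%d})\." % OTP_DIGITS, text)
    return match.group(1) if match else None


def demo(now=1_700_000_000):
    """Walk through a genuine check, a replay, an expired code and a lock-out."""
    svc = SmsOtpService()
    phone = "+385000000000"   # constructed placeholder number
    results = {}
    svc.issue("TX1", phone, "120.00 EUR", "Example Ltd", now=now)
    code = read_code_from_sms(svc.sent_messages[-1][1])
    results["genuine"] = svc.verify("TX1", code, now=now + 20)
    results["replay"] = svc.verify("TX1", code, now=now + 21)
    svc.issue("TX2", phone, "50.00 EUR", "Example Ltd", now=now)
    code = read_code_from_sms(svc.sent_messages[-1][1])
    results["expired"] = svc.verify("TX2", code, now=now + OTP_TTL + 1)
    svc.issue("TX3", phone, "9.99 EUR", "Example Ltd", now=now)
    code = read_code_from_sms(svc.sent_messages[-1][1])
    guesses = [g for g in ("111111", "222222", "333333", "444444") if g != code][:3]
    results["guessing"] = [svc.verify("TX3", g, now=now + 5) for g in guesses]
    results["after_lockout"] = svc.verify("TX3", code, now=now + 6)
    return results


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name:14s} {outcome}")
```

The unknown-transaction, replay and wrong-guess cases all return the same "wrong" answer on purpose: distinguishing them would tell an attacker whether a code was ever valid. Note that none of this helps against SIM swap; the OTP is delivered to whoever controls the number.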
A push-based authentication system sends a notification to an app on the user's device, informing them of an authentication attempt. The user inspects the details of the attempt and, depending on whether they recognize the transaction taking place, either confirms or denies the request.
Simple to use – if the authentication details do not raise any suspicion, the user simply confirms the request.
Efficient fraud protection – the notification can carry the amount and payee, and the approval is bound to them, which makes dynamic linking simple to implement; this proves efficient against phishing and MITM (man-in-the-middle) attacks, because an approval obtained for one transaction cannot be reused for another.
Low cost – this method leverages users' existing mobile phones, eliminating additional hardware and maintenance costs.
Data access – notifications are sent over data networks, so the user must have an internet connection (mobile data or Wi-Fi) on the device.
Security issues – the user might approve a fraudulent transaction out of habit, since we tend to tap incoming notifications automatically, and attackers exploit this by flooding the user with requests. Showing the amount and payee prominently, and requiring the user to enter a number displayed in the originating session (number matching) rather than just tapping "Approve", reduces this risk.
Dependency – push notification authentication requires an appropriate mToken application installed and activated on the user's device, i.e., the cardholder must complete an enrolment before the method is available to them.
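Both the QR code flow and the push flow above rest on the same mechanism, so one added example covers them; it is not code from the original page or from ASEE's mToken. The bank issues a challenge (what would be encoded into the QR code or carried in the push payload) holding the transaction ID, amount, payee and a fresh nonce; the authenticator shows those details and, on confirmation, returns an HMAC over them under a per-device key; the bank recomputes the HMAC over its own record of the payment. The device key, the transaction values and the class and function names are assumptions made for the example, and HMAC-SHA256 stands in for whatever signature scheme a real mToken uses.

```python
import base64
import hashlib
import hmac
import json
import secrets
import time

# Constructed example: the per-device key would be provisioned during mToken
# activation and held in the phone's secure storage; a fixed literal stands in.
DEVICE_KEY = bytes.fromhex("0f" * 32)
CHALLENGE_TTL = 120  # seconds the user has to read the details and confirm


def binding_message(txn_id, amount, currency, payee, nonce):
    """Canonical bytes the authentication code is computed over. Amount and
    payee are part of it, so an approval is valid for exactly one transaction:
    change either field and the code no longer verifies (dynamic linking)."""
    fields = {"txn_id": txn_id, "amount": amount, "currency": currency,
              "payee": payee, "nonce": nonce}
    return json.dumps(fields, sort_keys=True, separators=(",", ":")).encode()


class IssuerServer:
    """Bank side: builds the challenge that goes into the QR code or the push
    payload, and verifies the authenticator's answer."""

    def __init__(self):
        self.pending = {}  # nonce -> the payment as the bank will execute it

    def create_challenge(self, txn_id, amount, currency, payee, now=None):
        now = time.time() if now is None else now
        nonce = secrets.token_urlsafe(16)
        self.pending[nonce] = {"txn_id": txn_id, "amount": amount, "currency": currency,
                               "payee": payee, "expires_at": now + CHALLENGE_TTL}
        return json.dumps({"txn_id": txn_id, "amount": amount, "currency": currency,
                           "payee": payee, "nonce": nonce})

    def verify(self, nonce, auth_code, now=None):
        now = time.time() if now is None else now
        record = self.pending.pop(nonce, None)  # single use, whatever the outcome
        if record is None or now > record["expires_at"]:
            return False
        # Recompute over the bank's own record of the payment, never over
        # values the client reports back.
        expected = hmac.new(DEVICE_KEY, binding_message(
            record["txn_id"], record["amount"], record["currency"],
            record["payee"], nonce), hashlib.sha256).digest()
        return hmac.compare_digest(expected, base64.b64decode(auth_code))


def device_approve(challenge_json, user_confirms):
    """Authenticator side, after the QR scan or the push tap: show the decoded
    details and return the authentication code only on explicit confirmation."""
    c = json.loads(challenge_json)
    if not user_confirms(f"Pay {c['amount']} {c['currency']} to {c['payee']}?"):
        return None
    mac = hmac.new(DEVICE_KEY, binding_message(
        c["txn_id"], c["amount"], c["currency"], c["payee"], c["nonce"]),
        hashlib.sha256).digest()
    return c["nonce"], base64.b64encode(mac).decode()


def run_scenarios(now=1_700_000_000):
    """Genuine approval, replay, a challenge altered in transit, expiry, decline."""
    bank = IssuerServer()
    results = {}

    def tap_approve(prompt):
        return True   # a user who approves whatever is shown

    challenge = bank.create_challenge("TX1", "120.00", "EUR", "Example Ltd", now=now)
    nonce, code = device_approve(challenge, tap_approve)
    results["genuine"] = bank.verify(nonce, code, now=now + 30)
    results["replay"] = bank.verify(nonce, code, now=now + 31)

    # Man-in-the-browser: the attacker has changed the order the bank holds to
    # a mule account and rewrites the challenge so the app shows the payee the
    # user expects. The user approves what they see, but the code is bound to
    # "Example Ltd", not to the bank's record, so the mule payment is refused.
    challenge = bank.create_challenge("TX2", "120.00", "EUR", "Mule Account", now=now)
    shown = json.loads(challenge)
    shown["payee"] = "Example Ltd"
    nonce, code = device_approve(json.dumps(shown), tap_approve)
    results["tampered_in_transit"] = bank.verify(nonce, code, now=now + 30)

    challenge = bank.create_challenge("TX3", "50.00", "EUR", "Example Ltd", now=now)
    nonce, code = device_approve(challenge, tap_approve)
    results["expired"] = bank.verify(nonce, code, now=now + CHALLENGE_TTL + 1)

    challenge = bank.create_challenge("TX4", "9.99", "EUR", "Example Ltd", now=now)
    results["declined"] = device_approve(challenge, lambda prompt: False) is None
    return results


if __name__ == "__main__":
    for name, outcome in run_scenarios().items():
        print(f"{name:20s} {outcome}")
```

The design choice that matters is in `verify`: the bank never trusts the amount or payee the phone sends back, it recomputes the code over what it will actually execute. That is what turns a push tap or a QR scan into dynamic linking rather than a bare "yes".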
Behavioral authentication verifies a user's identity from the distinctive patterns recorded while they interact with a device (smartphone, tablet or computer). The signals range from the angle at which the user holds their phone to the pressure applied while typing. The result is a genuinely frictionless experience, because the user is not asked to do anything. Note, however, that a behavioral model produces a confidence score rather than a yes/no answer, so it is typically used as a continuous risk signal alongside an explicit factor (a PIN or a physical biometric), with a low score triggering a step-up challenge rather than replacing authentication outright.
Simple to use – straightforward authentication process.
Hard to spoof – just as a fingerprint or retina is distinctive for each individual, so is the way a user handles and types on their device; an impostor would have to reproduce that rhythm, not just steal a credential.
Great user experience – the authentication process is passive, and friction is out of the equation.
Context sensitive – scores are affected by the user's physical state (fatigue, injury), emotional state, and even a change of device or keyboard, which raises the false rejection rate.
Invasion of privacy – the major issue users have with this method is privacy. What disturbs users most is not knowing what data is actually collected, who has access to it, and how it will be used in the future. How far is too far?
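As an added example (not code from the original page or from ASEE), here is the core of a keystroke-dynamics check, one of the behavioral signals described above: a profile of per-keystroke timing intervals is built from enrolment samples, and a fresh sample is scored by how many standard deviations it deviates on average. The enrolment data, the probe samples and the threshold are constructed for the illustration. The third probe shows the context-sensitivity problem from the list above: the same user typing about 15% slower is rejected, which is why the score is better used to trigger a step-up challenge than to block outright.

```python
import statistics

# Constructed enrolment data: inter-keystroke intervals in milliseconds for a
# fixed seven-character passphrase (six intervals), typed five times by the
# legitimate user during enrolment.
ENROLMENT = [
    [180, 95, 210, 130, 150, 120],
    [165, 110, 200, 145, 140, 130],
    [195, 85, 225, 120, 160, 110],
    [170, 100, 195, 140, 145, 125],
    [190, 90, 220, 125, 155, 115],
]

MIN_STDEV = 10.0          # floor so one very consistent interval cannot dominate the score
ACCEPT_THRESHOLD = 1.5    # mean |z| above which the session is referred to a step-up challenge

# Constructed probe samples (same passphrase, same key order).
SAMPLES = {
    "genuine": [182, 94, 208, 132, 151, 119],          # the enrolled user, typical day
    "impostor": [120, 150, 140, 200, 90, 180],         # someone else who knows the passphrase
    "genuine_slowed": [209, 108, 239, 152, 174, 137],  # the enrolled user, ~15% slower (tired, new keyboard)
}


def build_profile(samples):
    """Per-interval (mean, stdev) of the enrolment samples; stdev is floored."""
    profile = []
    for column in zip(*samples):
        profile.append((statistics.mean(column), max(statistics.stdev(column), MIN_STDEV)))
    return profile


def anomaly_score(profile, sample):
    """Mean absolute z-score of the sample against the profile (0 = perfectly typical)."""
    if len(sample) != len(profile):
        raise ValueError("sample does not have the enrolled number of intervals")
    return sum(abs(x - mean) / stdev for x, (mean, stdev) in zip(sample, profile)) / len(profile)


def decide(profile, sample, threshold=ACCEPT_THRESHOLD):
    """Returns (score, accepted). A rejection means 'ask for an explicit factor',
    not 'this is an attacker'."""
    score = anomaly_score(profile, sample)
    return score, score <= threshold


def evaluate_samples(enrolment=ENROLMENT, samples=SAMPLES):
    """Scores every probe sample against the profile built from the enrolment data."""
    profile = build_profile(enrolment)
    return {name: decide(profile, probe) for name, probe in samples.items()}


if __name__ == "__main__":
    for name, (score, accepted) in evaluate_samples().items():
        print(f"{name:15s} score={score:.2f} {'accept' if accepted else 'step-up'}")
```

Production systems use many more signals (hold times, pressure, swipe curves, device orientation) and a trained model rather than per-position z-scores, but the shape is the same: a continuous score, a threshold that trades false rejections against false acceptances, and a step-up path for the cases the model is unsure about.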
Biometrics are physical or behavioral traits that are distinctive enough to identify a user. That makes biometrics one of the most secure means of authentication in online payments.
Physical biometrics commonly include fingerprint, iris scan, face recognition and voice recognition. Behavioral biometrics take this a step further and observe the way users interact with the device they authenticate on, from the angle at which they typically hold their smartphone to their typing speed on the keyboard.
Both physical and behavioral traits are very hard to spoof, making biometric authentication one of the most secure and reliable ways of validating someone's identity.
Since the Second Payment Services Directive (PSD2) made Strong Customer Authentication (SCA) the standard, biometrics have been of major importance. SCA ensures that online payments are processed using multi-factor authentication: the user must verify their identity using two of the three factor categories knowledge, possession and inherence. Inherence is "something the user is" and therefore relies on biometrics.
3D Secure 2, the card-scheme protocol issuers use to apply SCA to e-commerce card payments, supports biometric authentication as a standard way of authenticating cardholders, typically through an out-of-band challenge in the issuer's mobile app. This brought improved customer experience and satisfaction through less friction during online payment processing. Merchants and issuers benefit from reduced chargeback costs and cart abandonment rates, thanks to heightened security and a straightforward authentication process enabled by biometrics.
There are many benefits biometric authentication provides to its stakeholders.
Biometrics provide strong protection against fraud in the online payments environment. Even if a fraudster obtains the cardholder's PIN or password, multi-factor authentication that includes biometrics makes it hard, if not impossible, for the perpetrator to fake a fingerprint scan on the cardholder's enrolled device in order to process a fraudulent payment.
Although the technical backend responsible for biometric authentication is complex, from the user's point of view it is simple and convenient. Biometrics are quicker than standard authentication methods involving PINs and passwords with special characters and uppercase letters. Users also often cannot keep track of their credentials, given the number of accounts an average person owns. Passwords can be forgotten. Fingerprints, on the other hand, cannot.
PINs and passwords are often shared, sometimes with a trusted party, other times with a fraudster with bad intentions. Biometrics are non-transferable, meaning that the rightful cardholder has to be present at authentication for it to succeed.
Biometric authentication relies on physical traits that are highly distinctive, so the chance that another person shares the same feature closely enough to pass the matcher is very small. Additionally, physical factors such as face patterns and iris scans are extremely hard to replicate with today's technology.
Alongside existing biometric factors, others are waiting to be researched and implemented, becoming the standard trait used for biometric authentication.
One of these fresh features is vein pattern recognition. The pattern of blood vessels in a person's hand is a distinctive trait and can be used for authentication: the veins are mapped using infrared light, and because they lie under the skin the trait is hard to capture covertly. It is considered one of the most advanced identification methods available today, and is often cited as even more precise than iris scanning.
Gait recognition is based on a person's locomotive system. We all walk slightly differently and move our arms differently while doing so. Based on that, gait recognition came about and might become a standard authentication method in the biometrics category.
We are excited to be part of future development by implementing biometrics in our solutions!