The definition of authentication can be explained as a process of identifying a user requesting access to a particular service. Until recently, simple credentials in the form of a username and password would suffice, but with today's security standards, we need something much stronger.
Different business requirements demand different security levels, achieved by carefully choosing or combining various authentication methods available. When it comes to user experience, it plays a significant role in user satisfaction during online payment processing. Therefore, the authentication method applied must provide convenience and security at the same time. If the authentication process does not offer convenience and runs smoothly, it causes high cart abandonment rates. On the other hand, if the authentication does not provide appropriate security measures, the threat of fraudulent activities involving payment cards rises and results in chargeback costs.
Balancing between security and user experience is a challenge, but we at ASEE know how to approach this issue. The answer lies in Strong Customer Authentication (SCA) that enables various authentication methods tailored to the user's needs.
As a part of the PSD2 regulation from September 2019, Strong Customer Authentication (SCA) requirement is in force. SCA presents an additional layer of security in online payments and is based on at least two authentication factors from the following categories:
This means that stakeholders needed to get creative and adopt a variety of authentication methods available for the end-user in order to be able to process a seamless and secure online payment.
We prepared a comprehensive list of authentication methods that provide both security and convenience during the processing of an online payment. Let's dig in!
Biometric authentication relies on the unique biological traits of a user in order to verify their identity. This makes biometrics one of the most secure authentication methods as of today. Additionally, it causes less friction during the authentication process in comparison to previously mentioned methods, making for a great user experience. Most common identifiers include fingerprint scans, facial recognition, and voice-based identification.
Hard to spoof – biometric identifiers such as fingerprint and retina are unique by definition for each individual. Also, when combined with Dynamic linking (i.e., adding additional transaction data in authentication data), spoofing is almost not feasible.
Simple to use – does not require memorizing various PINs and passwords, a straightforward authentication process.
Fast and reliable – biometric authentication provides more security and is less time-consuming.
Privacy concerns – one of the major issues users have with this method is privacy concerns. Even though this feeling is very subjective, it prevents a significant number of cardholders from using it. Biometric data are stored in a trusted environment, encrypted and inaccessible to regular operating systems.
Possible errors – errors including false acceptance and false rejection of an authentication attempt.
QR code authentication is typically used for user authentication and transaction validation. A typical flow for transaction verification starts with the user logging into their internet banking web application and opening a payment order. The internet banking application offers the user to process this payment using a QR code presented on the screen. To process the payment, the user needs to scan the QR code with their smartphone using authenticator software (can be apart of their mobile banking application). To finalize the payment, the user is presented with transaction details and, upon inspecting the validity of the showcased data, the user additionally confirms the online payment.
Simple to use – authentication process is straightforward.
2FA proof – easily combines with other authentication factors for increased security.
No additional hardware – independent from third-party hardware.
Lack of familiarity – the general public is not widely familiar with this particular authentication method, resulting in a possible poor customer experience.
Device dependence – requires the use of smartphones alongside correct reader software capable of scanning the QR code.
This simple yet effective authentication method involves sending an SMS message to the user's mobile phone, containing a one-time-password used for finalizing the authentication of online payments.
Simple to use – the authentication process is straightforward.
Access – in case of suspicious activity, only the user who has the device in their possession can verify the transaction's validity by entering the received OTP.
Familiarity – SMS OTP is one of the oldest forms of two-factor authentication, making it widely accepted by both users and security protocols.
Data network requirement – if a user is unable to use their phone network (e.g., the connection is down), they won't be able to receive the OTP. Also, SMS OTP delivery might not happen in real-time, causing a delay, and the authentication time could run out.
Compliance – SMS OTP authentication is not entirely PSD2 compliant, e.g. if a mobile phone is not in possession of its rightful owner, the fraudster can easily receive SMS OTP on the stolen device and process a transaction.
A push-based authentication system sends a notification to an app on a user's device, informing them about an authentication attempt. The user is able to inspect the details of the authentication attempt, and based on their knowledge about an, e.g., the transaction taking place, either confirm or deny request verification.
Simple to use – if the authentication details do not raise any suspicion, the user simply confirms the authentication request.
Efficient fraud protection – push-based authentication enables simple implementation of Dynamic linking, which proves to be efficient in preventing phishing and MITM (man-in-the-middle) attacks.
Low cost – this method leverages user's existing mobile phones, eliminating additional hardware costs and maintenance costs.
Data access – notifications are sent through data networks, so in order for this method to be applied, the user must have data access.
Security issues – the user might accidentally approve a fraudulent transaction because of our habit of automatically approving incoming notifications.
Dependency – Push notification authentication demands having an appropriate mToken application installed on a user's device, as well as mToken activation, i.e., it requires certain actions to be undertaken in order for the authentication method to be available to the cardholder.
Behavioral authentication verifies a user's identity based on unique patterns recorded during interaction with devices (e.g., smartphone, tablet, computer). Identification factors include everything from the angle at which the user is holding their phone to pressure applied while typing. This type of authentication method allows for a genuinely frictionless experience without having to worry about the level of security it is providing the user with.
Simple to use – straightforward authentication process.
Hard to spoof – just like the fingerprint and retina are unique by definition for each individual, the same applies to the way a user interacts with their device.
Great user experience – the authentication process is passive, and friction is out of the equation.
Case sensitive – can be affected by the user's physical state and emotional behavior.
Invasion of privacy - major issue users have with this method is privacy concerns. What disturbs users the most is not knowing what data is actually collected, who has access to it, and how it is going to be used in the future. How far is too far?