Voice of the Industry

Delegated authentication for PSD2-SCA... and beyond

Monday 18 January 2021 08:41 CET | Editor: Mirela Ciobanu | Voice of the industry

Walter Beisheim, Chief Business Development Officer at Nok Nok Labs, dives into further details about how to improve usability and security via PSD2's SCA, and the tools that are currently available.

Previously we discussed the development of PSD2’s Strong Customer Authentication (SCA) and how it is helping to improve usability and security. In this post, we dive into further details about how this will happen, and the tools that are currently available.

Over the past 4 years, we have seen the rollout and acceptance of the 3D Secure v2 (3DS2) protocols. This is the mechanism that will help stakeholders satisfy the SCA requirements with the aim to reduce fraudulent online transactions. These protocols have already been implemented by the major card networks that go by their brands such as Mastercard Identity Check, American Express SafeKey, and Visa Secure. Why version 2? Well, 3DS v1 has been around since the beginning of this century and was showing its age. Back then, it was still pretty new to buy things online: we had to enter our credit card details, then our bank would ask for additional information (or even a separate password) to approve the purchase. This extra step was the issue: many customers couldn’t recall their passwords or would abandon their purchases. Recall that back then smartphones weren’t popular, let alone smartphone apps. The main authentication mechanisms were the SecurID hardware tokens from RSA and other equivalents. It was clear that online payments needed an update, and to embed the authentication dialogs directly into the checkout workflows so that the user would have a more frictionless experience.

Embedding the authentication isn't the only benefit of 3DS2: businesses and payment providers also send much more information about the transaction to the cardholder's issuing bank. This extra data gives the issuer more context for assessing the relative risk of the transaction, and 3DS2 structures that information so the assessment is easier to make.

There are now hundreds of 3DS2 financial products that run the gamut from portable credit card terminals to mobile applications, and even 3DS2 support built into Microsoft Xbox and Sony PlayStation gaming consoles. There are also new payment channels, such as digital wallets including Apple Pay and Google Pay.

The 3DS2 protocols are managed by a consortium of financial services companies called EMVCo. The consortium develops the specifics that define the standards, runs educational workshops to explain these efforts, and tests various 3DS2 implementations to ensure interoperability across the payments industry. That was a good start, but additional standards and structure were also needed.

In November 2020, EMVCo announced agreements with the Fast Identity Online (FIDO) Alliance and the World Wide Web Consortium (W3C) to ensure that the various protocols and technology specifications work together to deliver secure payments with the best end-user experience. The three groups have a common interest in preventing phishing and other data compromises and in reducing the integration effort for payment processing systems. They want to see benefits both for online merchants, so that a single approach can work across a variety of digital channels and user devices, and for their customers, with the best possible convenience, security, and usability.

Another common goal among the three organisations is to meet the regulatory requirements of PSD2 and California's Consumer Privacy Act, among others. Using FIDO-compliant authentication solutions helps to improve user data privacy, since the biometric data (fingerprint or Face ID) never leaves the user's smartphone. And unlike browser canvas fingerprinting, under 3DS2 no data that could be used to track an individual is shared among third-party online services.

Let's address these biometric methods for a moment. The authentication industry likes to mention them and call them 'passwordless' approaches. In reality, you are substituting a 'gesture' such as a fingerprint, Face ID, or a user-controlled PIN code for a one-time passcode, such as the one you would type from an RSA SecurID token. Users prefer this approach because they don't get distracted by having to bring up another application, such as a smartphone-based authenticator app, to complete their online purchase. Users also have complete control of their 'templates' (e.g. their fingerprint template) and can determine which organisation(s) may use their strong authentication capabilities.

The 3DS2 standards leverage FIDO authentication to make these transactions frictionless. One reason is that these authentications may take place at various points in the workflow, and for reasons beyond payment authorisation, including:

  • By merchants who may wish to authenticate a user that is part of a loyalty programme;

  • By payment app vendors, such as Stripe;

  • By EMVCo's Secure Remote Commerce systems, such as Click to Pay;

  • By issuing banks using the FIDO authentication as an input to 3DS2;

  • By digital identity providers who use FIDO as part of their federated digital identity procedures.

As you can see, payment processing is complex. But the new 3DS2 standards will go a long way to making it easier and more secure.

About Walter Beisheim

Mr Beisheim has over 30 years of experience as a senior executive in leading public and private companies in the Information Technology industry that provide products and services in the AI, NLP, online security, mobile technology, and fraud prevention sectors. In his role as Chief Business Development Officer for Nok Nok Labs, he is responsible for business development strategy and identifies and executes on opportunities to expand the company's global relationships with customers and partners.


About Nok Nok

Nok Nok provides secure, scalable, and frictionless experiences for passwordless authentication, preventing fraud and security risks. By reducing the reliance on weak, phishable passwords, Nok Nok empowers organisations to improve the authentication experience, while meeting the most advanced security and regulatory requirements. Customers include cloud, mobile, and IoT businesses. For more information, visit www.noknok.com.


Keywords: Walter Beisheim, Nok Nok Labs, PSD2, SCA, FIDO, 3DS2, Mastercard Identity Check, American Express SafeKey, Visa Secure, EMVCo, biometric data, fingerprint, Face ID