The majority of SCA solutions currently require the use of a mobile phone to authenticate and approve the transaction. A mobile-first approach seems very convenient these days, but what are some of the downsides?
PSD2 has finally entered into force since 14 March for all 3-DSecure transactions, and progressively according to the amount of the transaction. There are several strategies banks use to suggest these SCA solutions:
Short-term tactical approach with the reinforcement of the OTP SMS with a password that could be a dedicated password or the password from online banking. The issue is that it may impact the conversion rate, since there is one additional step and that the user can be reluctant to, which is typing his banking password during a purchase.
Mobile-first approach: the authentication is managed with the smartphone, either with a dedicated mobile application (we see this initiate mainly in the DACH region) or integrated into the banking mobile application of the bank.
mobile phone is not accessible (not present, switched off, out of battery, lost/stolen/broken);
there is no network connection (mainly problematic for the SMS OTP approach);
notifications are not activated;
the user has a very old mobile phone that doesn’t allow installing an app or the newest versions;
the user doesn’t want to install the application of the bank;
sometimes, the switch from the merchant app to the mobile bankingapp is not easy for consumers who do not have the reflex to reopen the merchant app after authentication.
For all these cases, we developed a new solution, based on the enrolment of the user’s browser.
Can you quantify the percentage of European consumers who don’t use a banking app, due to reluctance or because they don’t own a smart device? How do the statistics look in this matter?
Based on ‘Future of authentication’ by raconteur.net, 67% of users in the world are equipped with smartphones (77% in Europe). Progress is being made every day, but there are still a lot of people for whom finding a solution is crucial.
Given the challenges of SCA in mobile-only scenarios, what solution do you offer and how does it work?
We propose to issuers a universal solution, called WL Trusted Authentication (WL TA), that can equip both consumers using a smartphone, and those who do not. For that, we offer to issuers a complementary solution – WL TA on mobile and WL TA on browsers – that brings MFA with a high level of security, innovation, and a good user experience. WL TA on mobile replaces the SMS OTP by combining the user experience and the security, and it fits with a ‘mobile first’ strategy of the bank. This is the solution most deployed by banks in France. An SDK allows them to integrate it very easily within their mobile application. For each sensitive operation to be done within the app, everything is integrated. For each sensitive operation done outside the app (3DS transaction, for example), it’s called the ‘out of band’ principle: a notification is sent to the application, and the consumer has to authenticate with the application. It’s very convenient, because we can also use the biometrics capabilities of the smartphone to improve the user experience.
WL TA on browser is a good complement and a perfect replacement of the OTP SMS for consumers that don’t use smartphones. The principle is very simple: we register the browser as a trusted device, and each time the consumer performs a sensitive operation that requires SCA, we check the trusted device (possession), and we ask for a second authentication factor (mainly a PIN code). For the consumer, the experience is simple, as the journey will remain on the same device.
WL TA on browser
We would like to clarify, however, that for the trusted device, it’s not a simple cookie that we are using. To be compliant with PSD2, we need much more security than a simple cookie or a simple browser fingerprinting. We combined different mechanisms, including ‘among others’ cryptographic keys, and an innovative mechanism with OTJS (one-time javascript). This innovative solution fits all PSD2 RTS requirements, and this compliance has been assessed by an external auditor.
How can issuers implement this solution?
The integration is very smooth, as all pages are managed by the solution. With a simple redirection or iframe, any website can propose the SCA with WL TA on the browser. The goal is to combine a solution that doesn’t need any effort for integration, but that can be customisable (branding, workflow), so the user journey will be as little disrupted as possible. TA Browser is chosen by 50% of our customer’s end users. One of our customers, a French bank, has deployed the solution for legal entities, and let the user choose between TA on mobile and TA on browser solution. It’s now 50% of the new activations that are done with the browser solution.
What are some future developments, partnerships, or ideas you can share with us?
The solution is constantly evolving and we are focusing on different aspects to improve security and user experience. For instance, with the browser solution, it’s now possible, via webauthn (FIDO2), to use the biometrics capabilities of the device (computer, smartphone), to remove completely password and PIN codes. With data, we can also add behavioural factors as a third factor, and bring additional security, but also to detect fraudsters patterns based on the device fingerprint and the behaviour of the attacker. The goal is to block the fraud before it occurs.
This editorial is part of The Fraud Prevention in Ecommerce Report 2021/2022, the ultimate source of knowledge that delves into the evolutionary trail of the payments fraud ecosystem, revealing the most effective security methods for businesses to win the battle against bad actors.
About Claire Deprez-Pipon
Claire is responsible for the product management of Strong Customer Authentication & Security solutions such as WL Trusted Authentication and WL Digital Intrusion Protection. With 10 years of experience in international business developments and bids, she has developed strong skills to understand customers and market requirements, with special focus on security, payments, and identity.
About Worldline
Worldline is the European leader in the payment and transactional services industry. With innovation at the core of its DNA and thanks to a presence in 30+ countries, Worldline is the payment partner of choice for merchants, banks, public transport operators, government agencies, and industrial companies, delivering cutting-edge digital services.
Every day we send out a free e-mail with the most important headlines of the last 24 hours.
Subscribe now