The pandemic has changed consumer behavior for good: convenient online shopping has become part of everyday life for many people, and at the same time the number of fraud cases has risen at an alarming rate. According to estimates, the e-commerce market in Europe will reach 465 billion dollars this year, 30 percent more than before the outbreak of the pandemic. Over the same period, losses from cybercrime rose by more than 87 percent.
Many financial service providers have therefore introduced additional authentication methods such as push notifications and SMS one-time passwords (OTP) to improve security. These come with a side effect that worsens the user experience: more purchases are abandoned. 13 percent of all payments that have to be verified with EMVCo 3D Secure, the security specification used by most major banks and payment schemes, fail, and 57 percent of consumers admit that they have already given up on a purchase because the process was too complicated for them.
This shows up directly in sales: according to a Forrester study, companies lose more than $18 billion a year to abandoned purchases. Complicated checkout and registration processes also mean that more and more consumers shop as guests, and even more so when they use a smartphone. As a result, less valuable customer data is collected, customer retention becomes harder, and average shopping carts are smaller, because registered customers spend more.
Delegated authentication is a direct answer to these problems. It gives merchants control over the authentication process and can improve both security and convenience for users.
Delegated authentication is new to the payment and authentication industry. The approach is based on open standards and lets qualified merchants or wallet providers use their own authentication methods, or their own login, to authorize purchases. For the first time, they can link customer accounts to the 3D Secure payment verification process: users log into their merchant account securely and approve the payment with the same method. This removes the need for a separate step-up authentication while still providing secure customer authentication in a single step.
The most common method is still the password. Its use as the sole factor is declining, however, as the disadvantages for customers, merchants and banks become more and more obvious: passwords score badly not only on ease of use but also on security, because they are highly vulnerable to attacks such as phishing. This is compounded by poor password hygiene, as many people reuse the same login details across different accounts.
The most popular additional authentication methods are the aforementioned push notifications and SMS OTP. However, they often lead to abandoned purchases and are prone to social engineering, in which fraudsters trick consumers into revealing their one-time passwords themselves. The so-called SIM swap is even more sophisticated: using publicly available information and/or information obtained through social engineering, the fraudsters impersonate the victim to the mobile network operator and claim, for example, that the phone has been lost, in order to obtain a replacement SIM card for their own use. One-time passwords sent to the victim's number are then delivered to the fraudster instead.
Push notifications to banking apps are problematic for the user experience as well: customers have to switch to another app or device, which interrupts the payment flow and makes the process unpredictable. The reach is also limited, as it is estimated that only about half of users have such an app.
Compliance with PSD2 SCA guidelines: The EU Payment Services Directive PSD2 requires Strong Customer Authentication (SCA) from European financial service providers, i.e. it mandates two-factor authentication (2FA) for banking and payment services. At least two of the following independent factors must be met: something you have, something you are, or something you know.
- Possession: The consumer holds the authentication element, which lives either in a general-purpose device (e.g. a smartphone) or in a dedicated device (e.g. a smart card or security key). Possession is proved with a private key stored securely on that device.
- Biometrics or knowledge: The second factor is either an inherent characteristic such as biometrics, or knowledge, e.g. a PIN or a pattern, checked locally by the authenticator.
By binding the bank's incoming authentication request to the transaction details, delegated authentication lets customers verify themselves with both factors in a single step.
Improving usability: 2FA is too often confused with two-step verification, which requires users to perform two separate steps to authenticate. That is not necessary: users can prove two authentication factors with a single action.
Since delegated authentication is based on the latest standards, consumers can choose between different methods:
- the authenticator built into their smartphone
- a hardware token (also known as a security key)
- a method they already use, e.g. fingerprint, facial recognition or PIN
It also means that inconsistent user experiences across different websites are a thing of the past. The flow becomes predictable, since the authentication method no longer changes with the transaction value or other exemption criteria.
Building relationships with customers: With delegated authentication, merchants can offer authentication through their own sign-in platform. This not only gives customers a better, passwordless checkout; it also encourages them to create an account with the merchant and to buy more. That fosters customer loyalty and raises the average cart, as logged-in customers spend more. By building their own customer base, merchants also gain greater insight into customer behavior and can adapt their business models accordingly.
Increasing security: Because delegated authentication is built on open standards, it follows a privacy-by-design approach. The method is also highly resistant to man-in-the-middle attacks, in which attackers insert themselves into an existing communication: the authenticator does not transmit a secret but signs a challenge tied to the legitimate site and transaction, so a response intercepted or relayed by an attacker is useless anywhere else. Depending on the implementation, delegated authentication can also use the hardware security built into the device: on a smartphone the Trusted Execution Environment (TEE), on PCs usually the Trusted Platform Module (TPM), and on smart cards the Secure Element (SE). This use of hardware security is another key element of the approach; the private key never leaves the device, so no sensitive data is shared with third parties.
Easily scalable authentication: The underlying standards are supported by all major platforms, which makes them easy to implement and scale. An authenticator registered with one merchant can also be registered with another, and only the public key is sent to the merchant's or wallet provider's server while the private key remains in the authenticator. Users therefore do not need a separate authenticator for each merchant, and merchants do not need to operate a separate security server. This reduces both cost and complexity for merchants while also reducing risk.
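The following Go program is an added example, not code from the article or from any payment scheme or vendor, illustrating the flow described in the two-factor section above (possession proved by a device-held private key, knowledge checked locally, both in one step, with the bank's request bound to the transaction details) and in the two paragraphs just above (only the public key reaches the merchant's server; a challenge relayed from a foreign origin is refused). It assumes a WebAuthn/FIDO2-style challenge-response, which the article does not name; the types ClientData, Authenticator and RelyingParty, the methods Assert, Challenge and Verify, the hostnames shop.example and shop-example.evil and the transaction values are all illustrative, and the authenticator's origin check stands in for the browser's role in a real deployment.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/json"
	"fmt"
)

// ClientData is what the authenticator signs; carrying the transaction next to the nonce (an assumption here) makes the signature cover what is approved.
type ClientData struct {
	Challenge, Origin, Amount, Merchant string
}

// Authenticator stands in for the hardware key store (TEE, TPM or SE): the key never leaves it and the PIN is checked locally.
type Authenticator struct {
	rpID string // relying party the credential is scoped to
	pin  string
	key  *ecdsa.PrivateKey
}

func NewAuthenticator(rpID, pin string) (*Authenticator, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	return &Authenticator{rpID: rpID, pin: pin, key: key}, nil
}

func (a *Authenticator) PublicKey() *ecdsa.PublicKey { return &a.key.PublicKey } // the only key material that ever leaves the device

// Assert checks the PIN (knowledge), refuses origins the credential was not created for (the check that
// defeats phishing proxies) and signs SHA-256 of the serialized client data with the device key (possession).
func (a *Authenticator) Assert(cd ClientData, pin string) (signed, sig []byte, err error) {
	if pin != a.pin {
		return nil, nil, fmt.Errorf("user verification failed")
	}
	if cd.Origin != "https://"+a.rpID {
		return nil, nil, fmt.Errorf("credential scoped to %s, refusing origin %s", a.rpID, cd.Origin)
	}
	signed, _ = json.Marshal(cd) // cannot fail for a struct of plain strings
	h := sha256.Sum256(signed)
	sig, err = ecdsa.SignASN1(rand.Reader, a.key, h[:])
	return signed, sig, err
}

// RelyingParty is the merchant or wallet server that authentication is delegated to; it holds public keys and unused challenges only.
type RelyingParty struct {
	rpID    string
	pubs    map[string]*ecdsa.PublicKey
	pending map[string]ClientData
}

func NewRelyingParty(rpID string) *RelyingParty {
	return &RelyingParty{rpID: rpID, pubs: map[string]*ecdsa.PublicKey{}, pending: map[string]ClientData{}}
}

func (rp *RelyingParty) Register(user string, pub *ecdsa.PublicKey) { rp.pubs[user] = pub }

// Challenge binds a fresh random nonce to the transaction awaiting approval.
func (rp *RelyingParty) Challenge(amount, merchant string) (ClientData, error) {
	nonce := make([]byte, 16)
	if _, err := rand.Read(nonce); err != nil {
		return ClientData{}, err
	}
	cd := ClientData{Challenge: fmt.Sprintf("%x", nonce), Origin: "https://" + rp.rpID, Amount: amount, Merchant: merchant}
	rp.pending[cd.Challenge] = cd
	return cd, nil
}

// Verify accepts an assertion only if the nonce was issued and is still unused (no replay), the signed
// details equal the issued ones (no tampering) and the signature verifies under the user's public key.
func (rp *RelyingParty) Verify(user string, signed, sig []byte) error {
	var cd ClientData
	if err := json.Unmarshal(signed, &cd); err != nil {
		return err
	}
	want, ok := rp.pending[cd.Challenge]
	delete(rp.pending, cd.Challenge) // one-time use, whether or not the remaining checks pass
	if !ok || cd != want {
		return fmt.Errorf("challenge unknown, already used, or transaction details altered")
	}
	h := sha256.Sum256(signed)
	if pub := rp.pubs[user]; pub == nil || !ecdsa.VerifyASN1(pub, h[:], sig) {
		return fmt.Errorf("signature does not verify for user %q", user)
	}
	return nil
}

func main() {
	auth, _ := NewAuthenticator("shop.example", "1234") // constructed sample values
	rp := NewRelyingParty("shop.example")
	rp.Register("alice", auth.PublicKey())
	cd, _ := rp.Challenge("49.90 EUR", "shop.example")
	signed, sig, _ := auth.Assert(cd, "1234")
	fmt.Println("genuine:", rp.Verify("alice", signed, sig), "| replay:", rp.Verify("alice", signed, sig))
}
```

Run it with go run: the first Verify returns nil and the replay is rejected because the nonce was consumed. Changing cd.Origin to another host before calling Assert makes the authenticator refuse to sign even though it holds the genuine challenge, which is the property that makes a phishing proxy useless; a page that alters the amount before signing is caught by the comparison against the issued challenge on the server. A production verifier would additionally check the authenticator's signature counter and attestation, which this example omits.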
Common solutions such as SMS one-time passwords are compliant today. Delegated authentication, however, offers merchants and customers a future-proof solution, as less secure authentication methods may well be removed from the guidelines in the long term. (mth)