MasterCard forecasts death of static passwords with 3DS 2.0

MasterCard says a forthcoming wholesale upgrade of the 3DSecure protocol for authenticating online transactions will pave the way for the introduction of more secure biometric and token-based prompts and the ultimate eradication of static passwords.

MasterCard has been working with Visa on the new authentication standard, '3DS 2.0', which will utilise richer cardholder data and result in far fewer password interruptions at the point of sale. In the event that an authentication challenge is needed, cardholders will be able to identify themselves with the likes of one-time passwords, or fingerprint biometrics, rather than committing static passwords to memory.

Under the plans, Visa will maintain sole ownership of the 3DS 1.0 protocol (including all intellectual property and management of the current 3DS 1.0 specifications), but does not plan to invest further in the standard. When released, the 3DS 2.0 specification will be owned jointly by Visa and MasterCard and will operate separately and in parallel with 3DS 1.0.

Ajay Bhalla, president of enterprise security solutions, MasterCard, says: “We want to identify people for who they are, not what they remember. We have too many passwords to remember and this creates extra problems for consumers and businesses.”

He says the company is currently evolving its SecureCode programme to support the new standard with a view to a roll out in 2015.

MasterCard has also been piloting a number of commercial biometric tests, including the use of facial and voice recognition apps to authenticate cardholders, chip cards which utilise fingerprint recognition, and a Canadian trial of Bionym's Nymi wristband which authenticates a cardholder through their unique cardiac rhythm.

Comments: (2)

Bill Trueman - London, 13 November, 2014, 11:01

Smoke and mirrors? Maybe, maybe not...

The vision is there, but it seems that there is a big leap in the delivery and in the realisation of the strategy to deliver this vision.

a) BIOMETRICS - not everyone will have an electronic biometric reader, now or in the future, whether it is a Nymi wristband or an iPhone with its iTouch fingerprint reader (increasingly more common now). In these instances 'someone, somewhere' needs to link the biometric reader with the card number (or the token for the cardholder) at the merchant. This will be the area of challenge. And then when that is done, the challenge is also how to manage/update the registration and links associated with these devices in a way that is controlled and away from fraudsters. Remember also, that this would need EVERYONE who wants to buy something on-line, to be 'set-up' this way.

b) DYNAMIC PASSWORDS - nothing here in the article on where these would come from or how they would be transmitted. So very much a vision without any details and far, far away from a technical specification! Again, everyone paying on-line needs a facility to access / create such passwords - and this leads us (in the first instance) to the mobile device that everyone has and to SMS messaging as the conduit. This would require the mobile number to be then associated with the card number (or token) and a registration somewhere too.

Seems a little way off yet, but whenever we estimate timing of these things they arrive sooner.

Or is this just MasterCard laying down some vision to help evolve the thinking and/or to 'advertise' their work in biometrics trials?

Time will tell.



A Finextra member, 14 November, 2014, 08:18

Customers of several UK banks can already generate a valid one-time passcode using their current plastics and an industry-standard EMV personal card reader, so this part is already here. But even with help from the iPhone, I agree that biometrics is still some way off, though.