New ways of customer authentication in payments

Sehrish Alikhan

Reporter, Finextra

Customer authentication has become a staple in security processes for payments as a way for the platform to verify a consumer's identity and ensure the transaction is approved and secure. While there is a range of digital authentication processes, a common use case among banks is two-factor authentication, which verifies the user’s identity at two points, for example using a passcode and a fingerprint scan, or using a passcode and sending a unique code to your mobile number.

This is an excerpt from Future of Payments 2023.

There are many different factors of strong customer authentication that are employed by banks and payments services providers. In multi-factor authentication processes, providers aim to combine two factors of authentication; for example, a combination of one ‘possession’ factor and one ‘inherence’ factor can authorise the payment.

As crooks and fraudsters have become more persistent and sly in their schemes and scams, financial institutions are looking to new measures to authenticate customers and create air-tight security systems to prevent false transactions.

Emerging innovations in authentication methods

EMV 3-D Secure (EMV 3DS) authentication uses data to verify card-not-present payments. To verify the consumer’s identity, the merchant sends transaction information to the issuer, which reviews, processes and authenticates the payment.

The Fast Identity Online Alliance (FIDO) has developed standards to promote authentication based on public-key cryptography, which means that all sensitive information remains on the customer’s device so that if there is a breach in the network of the issuer, it will not reveal the customer’s authentication data. Using FIDO methods, consumers can build authentication into browsers and platforms using USBs, mobile devices, or Bluetooth connections.
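
The public-key model described above, as an added example that is not part of the original article or of any FIDO specification: a simplified challenge-response between a customer's device and an issuer, written for Node.js. The names `createDevice`, `createIssuer` and `member-1` are assumptions for illustration, Ed25519 stands in for whichever signature algorithm a real authenticator uses, and the actual FIDO message formats are not modelled.

```javascript
const crypto = require('node:crypto');

// Customer's device: generates the key pair and never exports the private key.
function createDevice() {
  const { publicKey, privateKey } = crypto.generateKeyPairSync('ed25519');
  return {
    publicKey, // the only value sent to the issuer at registration
    sign: (challenge) => crypto.sign(null, challenge, privateKey),
  };
}

// Issuer: stores public keys and issues a fresh random challenge per login.
function createIssuer() {
  const publicKeys = new Map(); // userId -> public KeyObject
  const pending = new Map();    // userId -> outstanding challenge
  return {
    register: (userId, publicKey) => publicKeys.set(userId, publicKey),
    challenge(userId) {
      const nonce = crypto.randomBytes(32);
      pending.set(userId, nonce);
      return nonce;
    },
    verify(userId, signature) {
      const nonce = pending.get(userId);
      const key = publicKeys.get(userId);
      pending.delete(userId); // each challenge is accepted once
      if (!nonce || !key) return false;
      return crypto.verify(null, nonce, key, signature);
    },
    // What a copy of the issuer's credential table would contain.
    dump: () => [...publicKeys].map(([userId, key]) => ({ userId, keyType: key.type })),
  };
}

function demo() {
  const issuer = createIssuer();
  const device = createDevice();
  issuer.register('member-1', device.publicKey); // constructed user id

  const signature = device.sign(issuer.challenge('member-1'));
  const genuine = issuer.verify('member-1', signature);

  issuer.challenge('member-1'); // new login attempt, new challenge
  const replayed = issuer.verify('member-1', signature); // old signature reused

  const otherDevice = createDevice(); // a key pair the issuer never registered
  const wrongKey = issuer.verify('member-1', otherDevice.sign(issuer.challenge('member-1')));

  return { genuine, replayed, wrongKey, stored: issuer.dump() };
}
```

The issuer's table holds only public keys, so a copy of it is enough to verify signatures but not to produce them, and a signature captured from one login fails against the next challenge.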

Matt Cox, director of digital payments and cards at Nationwide Building Society, comments: “Use of the mobile device and biometric authentication as part of this provides a very good and secure experience for our members. When shopping online, 80% of our members now choose this option. Of course, it’s also important that we provide alternatives to meet all member needs, not just for those that use smart phones and this is something Nationwide has taken very seriously in its design. Our aim is to provide a great, secure digital experience, but not at the expense of our non-digital members. It’s also not about having no friction in the journey. It’s about having the right amount of friction at the right times; when there is more risk.”

Other modes of authentication, such as on web applications, mobile phones, desktop applications, and automated devices, are provided through authentication protocols such as OAuth 2.0, OpenID Connect, and Mobile Connect.

Biometric authentication as a popular trend

An increasing number of PSPs are beginning to implement biometric authentication, in which fingerprints, iris scans, and the user’s voice can be factors of authentication. Google Pay and Apple Pay are examples of day-to-day use of biometric authentication, requiring customers to scan their face or fingerprint before making contactless payments.

The benefits of biometric authentication include efficiency, easy user interface, reduced administrative costs, and frictionless and seamless payments transactions. Machine learning and AI will enhance the biometric authentication methods currently in place, with research currently being conducted into gait analysis, palm vein scanning, wearable biometric devices, payment cards that include biometric sensors, and blockchain-based biometric payments.

A spokesperson from Cecabank states: “Fraud prevention should rely on detection systems that do not penalise the user experience, leveraging elements such as user behaviour rules and biometrics. Cooperative detection and artificial intelligence applied to transaction analysis can significantly enhance the prevention against fraud.”

Additionally, biometric authentication in payments could lead to progress on the financial inclusion front. As posited by Catharina Eklof of IDEX Biometrics in Fintech Magazine, the seamless nature of facial recognition or fingerprint scanning authentication makes it easier for a range of people, from those struggling with Alzheimer’s and dementia to financially illiterate individuals who have trouble using financial products. Moreover, biometric payments create an official identifying link to an individual, which is significant to a large number of people worldwide who are without government identification.

While convenient and easily accessible, biometrics can be an invasion of privacy, as they require collecting personal and unique physical traits to gain access to personal information. Therefore, research needs to be conducted in a manner that lets regulators keep an eye on innovations and set guidelines for PSPs if necessary.

National authentication requirements

Europe has Strong Customer Authentication (SCA) requirements that apply to customer-initiated payments conducted online or through contactless offline transactions. 3D Secure, which requires authentication of the online buyer as a legitimate owner of their payment card by sending a code to their phone, is one of the main requirements laid down by the EU’s PSD2 regulation. However, some payment providers have exemptions to SCA processes for transactions defined as low-risk, for example, payments under €30.

Other countries such as Hong Kong, China, India, and Mexico have issued regulations that require banks to provide two-factor authentication to users making online and digital payment transactions. In the US, PSPs are obligated to carry out risk assessments and mandate multi-factor authentication.

New methods of customer authentication are on the rise to make digital payments smoother and faster; however, there need to be guidelines in place to ensure that innovations in biometric authentication do not violate the privacy and security of users. Banks and payments providers must focus on maintaining stringent governance regulations to ensure that multi-factor authentication is in place for users making digital transactions.
