As part of Solutions Review’s Premium Content Series—a collection of contributed columns written by industry experts in maturing software categories—Károly Petőcz, the Director of Sales for HID Global’s IAM Consumer Authentication solution, explains how moving from 3DS to 3DS2 can help companies improve the customer authentication experience.
Not all multi-factor authentication (MFA) or Strong Customer Authentication (SCA) solutions are alike, especially regarding mobile security. Compromised user credentials are still the primary means used against mobile banking apps by attackers, who, in one widely publicized example, intercepted SMS one-time-passwords (OTPs) to drain millions of dollars in a few days. One way to defend against these threats is to move from the 3D Secure (3DS) to the 3DS2 authentication protocol, which incorporates more powerful and flexible risk profiles while streamlining the consumer experience on mobile devices.
What’s the Difference Between 3DS2 and 3DS?
The new 3DS protocol, called 3DS2, is designed to improve the old 3DS, which calls on three separate domains to authenticate consumers and sign digital transactions during card-not-present (CNP) payments. 3DS2 offers a powerful combination of security and usability and was even cited in the EU’s official guidance on compliance with the Strong Customer Authentication (SCA) section of the Revised Payments Services Directive (PSD2).
The original 3DS protocol applied the same flow to every transaction. It did not support biometric authentication and was incompatible with some devices and mobile browsers. Slow loading of the authorization page caused frustration, while doubts about the authenticity of the 3DS in-session verification window led some consumers to abandon their transactions. By contrast, 3DS2 is expected to leave fewer shopping carts abandoned, both because it can maintain a consistent look and feel and because it enables fraud prevention through risk-based authentication.
With this next generation, 3DS2 allows organizations to adapt payment authorization methods and requirements to high-risk transactions rather than taking a one-size-fits-all approach. The authentication risk level is based on a rich set of data collected about the cardholder and the transaction and sent to the issuer.
The card issuer now has more flexibility to make better decisions thanks to data-sharing Application Programming Interfaces (APIs) connecting businesses and banks. These APIs can carry more than 150 potential data points representing what businesses and card issuers know about their mutual customers. Exactly which cardholder and device information is included varies with regional or market legal restrictions, but it commonly includes device ID, MAC address, geolocation, and previous transactions.
These data points make it possible to assess the transaction's risk level, and if a transaction is categorized as high risk, it can be challenged with a step-up authentication method: the cardholder is asked to verify their identity with an additional factor such as biometrics, an OTP, or another MFA method. If the transaction is deemed low risk, the cardholder is not required to authenticate further. With the right authentication journey, both the high-risk and the low-risk case can feel seamless.
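The frictionless-versus-challenge decision described above, as an added illustration that is not HID Global's or any card scheme's code: the data points, weights and thresholds are constructed assumptions standing in for an issuer's own risk model, and the sample cardholder and transactions are made up.

```python
"""Illustrative 3DS2-style risk-based authentication decision (constructed example)."""
from dataclasses import dataclass, field
from math import radians, sin, cos, asin, sqrt


@dataclass
class Cardholder:
    known_device_ids: set = field(default_factory=set)  # devices seen in past transactions
    home_lat_lon: tuple = (0.0, 0.0)                     # usual geolocation
    typical_amount: float = 0.0                          # e.g. trailing average purchase


@dataclass
class Transaction:
    device_id: str
    lat_lon: tuple
    amount: float


def km_between(a, b):
    """Great-circle (haversine) distance in km between two (lat, lon) pairs."""
    lat1, lon1, lat2, lon2 = map(radians, (*a, *b))
    h = sin((lat2 - lat1) / 2) ** 2 + cos(lat1) * cos(lat2) * sin((lon2 - lon1) / 2) ** 2
    return 2 * 6371 * asin(sqrt(h))


def risk_score(holder, txn):
    """Sum constructed risk contributions from the kinds of data points the article lists."""
    score = 0
    if txn.device_id not in holder.known_device_ids:
        score += 40  # unknown device
    if km_between(holder.home_lat_lon, txn.lat_lon) > 500:
        score += 30  # far from the cardholder's usual location
    if holder.typical_amount and txn.amount > 3 * holder.typical_amount:
        score += 30  # unusually large purchase relative to history
    return score


def decide(holder, txn, challenge_threshold=50):
    """'frictionless' means no further authentication; 'challenge' means step-up."""
    return "challenge" if risk_score(holder, txn) >= challenge_threshold else "frictionless"


# Constructed sample: a cardholder who usually shops from Budapest on one phone.
HOLDER = Cardholder({"phone-A"}, (47.50, 19.04), 60.0)
LOW = Transaction("phone-A", (47.51, 19.05), 45.0)      # known device, at home, normal amount
HIGH = Transaction("phone-Z", (40.71, -74.01), 900.0)   # new device, abroad, 15x typical
```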
How Else Does 3DS2 Help Prevent Fraud?
Most 3DS authentication flows happen in the background—the Software Development Kit (SDK) and servers exchange all necessary data, and the customer sees nothing. However, an OTP—generated by the customer’s card—is an integral part of the process because it enables customers to confirm their identities on a separate channel from the one they’re using to execute the transaction. This transaction verification step introduces significant risks in solutions that rely on SMS to transmit the OTP. SMS authentication is cheap, convenient, ubiquitous, and more accessible than ever for hackers to exploit. Unfortunately, our research shows that it’s still the financial services industry’s leading authentication method.
3DS2, with its support for biometric authentication, definitively closes this security loophole by enabling customers to authenticate via their fingerprint or face—functionalities built into almost all modern smartphones. What’s more, the simplicity of this authentication flow increases security without compromising usability, reducing drop-off rates and streamlining the customer journey. In fact, according to Visa, 3DS2 implementation led to an 85 percent reduction in transaction time, resulting in a 70 percent decrease in cart abandonment.
As 3DS2 moves into the mainstream—and Open Banking regulations mandate the use of SCA in many regions around the world—the search is on for solutions that keep customers safe while maximizing the number of lawful transactions that go through.
One feature that offers one of the best user experiences for consumers is push notifications, or push authentication, used as part of a risk-based authentication strategy. It lets customers validate transactions in seconds over a highly secure channel, from the device they are most accustomed to: the smartphone. Push notifications can take full advantage of native smartphone security and biometric capabilities, which are intuitive to the user. This approach allows banks to customize transaction-signing flows while complying with the 3DS2 protocol. Because it uses that secure channel, service providers do not need to send sensitive information over an insecure network like SMS.
With this push-based authentication solution, customers can securely and conveniently authenticate their access requests and sign transactions with their mobile device using an intuitive swipe motion. This is a much simpler user experience than SMS systems. When push notifications appear on users’ smartphones, they must validate the request by making a binary choice to “Approve” or “Decline” rather than referencing and retyping an OTP received via SMS.
These end-to-end, push-based authentication applications can be fully integrated into the bank's existing app with an SDK or deployed as a customizable off-the-shelf mobile application. Organizations can meet the most stringent security regulations while providing a seamless consumer experience that they can adapt as required. These applications are often fully customizable in terms of branding and security policies, securing modern communication channels and preventing fraud.
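The Approve/Decline push flow above, as an added sketch rather than code from HID Global or the article: the point it shows is that the user's decision is bound to the exact transaction details displayed, unlike a retyped SMS OTP. It assumes a per-device secret shared at enrollment and a server-issued nonce; a real deployment would use keys held in the phone's secure hardware and a full protocol around this.

```python
"""Constructed push-approval example: the device signs the transaction it showed the user."""
import hashlib
import hmac
import json
import secrets

DEVICE_KEY = b"constructed-per-device-secret"  # assumption: provisioned at enrollment


def build_push(txn_id, merchant, amount):
    """Server side: the push payload the app displays, with a fresh nonce against replay."""
    return {"txn_id": txn_id, "merchant": merchant, "amount": amount,
            "nonce": secrets.token_hex(16)}


def _mac(key, push, decision):
    # Canonical JSON so both sides MAC byte-identical input.
    msg = json.dumps({**push, "decision": decision}, sort_keys=True).encode()
    return hmac.new(key, msg, hashlib.sha256).hexdigest()


def device_respond(key, push, decision):
    """App side: after the user swipes Approve or Decline, sign exactly what was shown."""
    if decision not in ("approve", "decline"):
        raise ValueError("decision must be 'approve' or 'decline'")
    return {"decision": decision, "mac": _mac(key, push, decision)}


def server_verify(key, push, response):
    """Server side: release the transaction only for an approval whose MAC
    covers the push as originally issued (merchant, amount, nonce)."""
    expected = _mac(key, push, response["decision"])
    return hmac.compare_digest(expected, response["mac"]) and response["decision"] == "approve"


# Constructed sample exchange
PUSH = build_push("T-1001", "Example Store", "49.90")
APPROVED = device_respond(DEVICE_KEY, PUSH, "approve")
DECLINED = device_respond(DEVICE_KEY, PUSH, "decline")
```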
Moving from 3DS to 3DS2 authentication offers many benefits for banks focused on improving security, fraud prevention, and customer experience. This is especially true when 3DS2 is coupled with push-notification-based authentication using a secure channel. The result is an even more seamless and convenient mobile consumer authentication journey.