Delegated Authentication – Abandon Friction, Not the Cart

By Andrew Shikiar
Share
Discover the importance of fintechs concentrating on robust authentication methods to improve security, prevent fraud, and improve the overall experience

Online sales surged in response to pandemic-related closures of brick-and-mortar shops and global ‘stay home’ restrictions. However, as restrictions have eased, changes to consumer behaviour have endured, with the convenience of shopping online set to stay. 

Fraud has also grown at a frightening pace. The European eCommerce market is expected to hit $465bn this year, 30% more than before the pandemic struck. Losses as a result of fraud however have risen by a staggering 87% in parallel

Robust security is more important than ever. But while several financial services players have implemented additional authentication methods to improve security, there is still much work to be done.

We are also seeing a secondary knock-on effect that damages the user experience. ‘Step-up’ verification processes - such as push notifications and SMS one-time passwords (OTPs) are inadvertently exacerbating an issue that is top of any online merchant’s mind - cart abandonment (which nearly 40% of consumers cite as a likely outcome when they have account login issues). 

What are the common challenges ‘step-up’ authentication creates? And how can new authentication alternatives offer merchants better security and more control of the user experience? 

The authentication problem - fighting fraud with friction 

Legacy ‘step-up’ authentication methods have become widely used in response to strong customer authentication (SCA) mandates but have added more friction to the checkout process. Disruption during the checkout means as many as 22% of all payments verified via EMVCo 3D Secure – the online payments security specifications used by most major banks – are not completed

70% of users prefer an authentication solution based on its convenience - something OTPs and passwords are not known for. In fact, 64% refuse to use SMS OTPs altogether. Similarly, push notifications to the user’s banking app also create drop-offs in the payment chain, as users have to switch to a different app. This method has limited reach too, as it’s estimated only half of the users have the app installed.

Forrester research suggests brands can lose over $18bn a year from cart abandonment. Complex checkout and registration processes also drive more consumers to guest checkout options – something even more likely if using a smartphone. This means less valuable customer data captured, a lost chance for loyalty, and on average, lower spending, as registered customers usually spend more.

Legacy ‘step-up’ doesn’t solve the security problem

The added security benefits of these ‘step-ups’ are limited, too. SMS OTPs are still susceptible to social engineering, meaning fraudsters can trick consumers into divulging their codes directly.

A more advanced technique called ‘SIM swapping’ whereby information found publicly or divulged via social engineering is used to impersonate the victim to mobile network operators and take control of the number. A high profile example of this hit the headlines recently as a Canadian teen used the technique to steal $36m USD of cryptocurrency. 

Moreover, the banking apps we are directed to via push notifications are still often underpinned by legacy ‘secrets’ such as passwords rendering them ultimately less secure.  

A new solution called delegated authentication is emerging as a direct response to these issues, enabling merchants to take control of the authentication process and achieve that rare combination of stronger security with a better user experience (UX). 

What is Delegated Authentication?

Delegated authentication is a new and innovative solution in the payment and authentication industry that leverages open standards from industry bodies such as FIDO Alliance and EMVCo -- standards that reflect broad contributions from industry platform and payment stakeholders such as Apple, American Express, Google, JCB, Microsoft, Mastercard and Visa

Delegated authentication enables qualified merchants or wallet providers to use their own authentication or log-in processes to approve purchases. For the first time ever, it allows merchants to link customer accounts with the 3D Secure payment verification process used by banks. This makes it possible for users to securely log into their merchant account and simultaneously authenticate themselves with their payment provider or bank in advance of making a purchase.

This means that once enrolled; checkouts couldn’t be simpler for end-users. They just need to log in and select the card or payment type they want to use when making a purchase. Because they have already been automatically verified by their payment provider or bank when logging in to the retailer, there is no need for any additional ‘step-up’ verification when checking out.

Why Delegate?

Comply with PSD2 SCA

Europe’s financial services industry is acutely aware of PSD2 (Payment Services Directive 2) and its mandate for SCA, requiring two factors of authentication (2FA) for banking services or payments. 

Delegated authentication can link the incoming bank challenge message with the transaction details to enable customers to verify themselves in line with 2FA in one action:

  • Possession. The consumer possesses an authenticator either in a general-purpose (e.g. smartphone) or a separate device (e.g. smartcard, security key). As such, authentication validates possession, thanks to a private key securely held in the device. 
  • Biometric data or knowledge. The second element consists of either an inherence factor like biometrics or knowledge, such as a PIN or geometric pattern, verified locally by the authenticator. 

Improve user experience 

2FA doesn’t need to mean two steps to verification. With delegated authentication, users can demonstrate two factors of authentication with a single gesture. 

Using new delegated authentication industry standards gives consumers a choice to use different form factors such as an authenticator integrated into their smartphones; and their preferred gesture, such as fingerprint, facial verification, or a PIN. This harmonises the user experience across sites and avoids the need to use a different authentication method when different exemption criteria apply, such as transaction value.

Build customer relationships

Offering authentication from your own platform is invaluable to merchants, as it not only enables a better, passwordless checkout experience for customers but it also encourages customers to make purchases while logged in. This fosters greater customer loyalty, decreases guest checkout usage, and results in higher spending, with logged-in customers estimated to spend around 10% more. 

Strengthen security 

Selecting leading open standards such as FIDO means delegated authentication can benefit from a privacy-by-design approach and have a strong resistance to phishing and man-in-the-middle attacks, whereby attackers interrupt an existing conversation or data transfer by inserting themselves in the middle. 

Depending on the implementation, delegated authentication leverages the robust hardware security inherent on the device – in a smartphone; this is the trusted execution environment (TEE); it typically is a TPM for PCs. This use of hardware security is a critical element of FIDO's approach - no sensitive data is ever shared with third parties, protecting privacy, merchant liability and security. 

Abandon friction, welcome sales

Strong authentication doesn’t have to mean introducing unnecessary friction. Delegated authentication offers merchants and wallet providers the opportunity to take their SCA compliance to the next level with a better user experience that doesn’t cost them sales. While solutions like passwords and SMS OTPs may tick the box of compliance today, delegated authentication will better safeguard merchants and users now and in the future, as less secure authentication methods may come under further scrutiny and be written out of regulation as not safe enough. 

In a thriving market for online retailers, it’s the perfect time to act. Offering a better checkout experience now can ensure merchants build better relationships with customers and do not let sales needlessly slip away. 

***

About the author: Andrew Shikiar, Executive Director at FIDO Alliance.

Share

Featured Articles

LSEG Takes on Digital Identity at Money20/20

At Money20/20 USA, LSEG addresses the evolving challenges of financial fraud and digital inclusion in an increasingly digitalised financial sector

MONEY20/20: B4B Payments Unveils Tech Consolidation Plans

B4B Payments reports record US growth while streamlining its global infrastructure through a strategic partnership with Thredd

Money20/20: DailyPay Disrupts Global Wage Access

US fintech DailyPay expands to UK market and partners with Visa as it positions itself to transform payday cycles for workers worldwide

FinTech LIVE Singapore 2025 - The Agenda

Financial Services (FinServ)

How Klarna's IPO Bid Marks Shift From Private Funding

Digital Payments

How Impending Trump Presidency is Spurring Crypto Bull Run

Crypto