Delegated Authentication – Abandon Friction, Not the Cart
Online sales surged in response to pandemic-related closures of brick-and-mortar shops and global ‘stay home’ restrictions. However, as restrictions have eased, changes to consumer behaviour have endured, with the convenience of shopping online set to stay.
Fraud has also grown at a frightening pace. The European eCommerce market is expected to hit $465bn this year, 30% more than before the pandemic struck. Losses as a result of fraud however have risen by a staggering 87% in parallel.
Robust security is more important than ever. But while several financial services players have implemented additional authentication methods to improve security, there is still much work to be done.
We are also seeing a secondary knock-on effect that damages the user experience. ‘Step-up’ verification processes - such as push notifications and SMS one-time passwords (OTPs) are inadvertently exacerbating an issue that is top of any online merchant’s mind - cart abandonment (which nearly 40% of consumers cite as a likely outcome when they have account login issues).
What are the common challenges ‘step-up’ authentication creates? And how can new authentication alternatives offer merchants better security and more control of the user experience?
The authentication problem - fighting fraud with friction
Legacy ‘step-up’ authentication methods have become widely used in response to strong customer authentication (SCA) mandates but have added more friction to the checkout process. Disruption during the checkout means as many as 22% of all payments verified via EMVCo 3D Secure – the online payments security specifications used by most major banks – are not completed.
70% of users prefer an authentication solution based on its convenience - something OTPs and passwords are not known for. In fact, 64% refuse to use SMS OTPs altogether. Similarly, push notifications to the user’s banking app also create drop-offs in the payment chain, as users have to switch to a different app. This method has limited reach too, as it’s estimated only half of the users have the app installed.
Forrester research suggests brands can lose over $18bn a year from cart abandonment. Complex checkout and registration processes also drive more consumers to guest checkout options – something even more likely if using a smartphone. This means less valuable customer data captured, a lost chance for loyalty, and on average, lower spending, as registered customers usually spend more.
Legacy ‘step-up’ doesn’t solve the security problem
The added security benefits of these ‘step-ups’ are limited, too. SMS OTPs are still susceptible to social engineering, meaning fraudsters can trick consumers into divulging their codes directly.
A more advanced technique called ‘SIM swapping’ whereby information found publicly or divulged via social engineering is used to impersonate the victim to mobile network operators and take control of the number. A high profile example of this hit the headlines recently as a Canadian teen used the technique to steal $36m USD of cryptocurrency.
Moreover, the banking apps we are directed to via push notifications are still often underpinned by legacy ‘secrets’ such as passwords rendering them ultimately less secure.
A new solution called delegated authentication is emerging as a direct response to these issues, enabling merchants to take control of the authentication process and achieve that rare combination of stronger security with a better user experience (UX).
What is Delegated Authentication?
Delegated authentication is a new and innovative solution in the payment and authentication industry that leverages open standards from industry bodies such as FIDO Alliance and EMVCo -- standards that reflect broad contributions from industry platform and payment stakeholders such as Apple, American Express, Google, JCB, Microsoft, Mastercard and Visa.
Delegated authentication enables qualified merchants or wallet providers to use their own authentication or log-in processes to approve purchases. For the first time ever, it allows merchants to link customer accounts with the 3D Secure payment verification process used by banks. This makes it possible for users to securely log into their merchant account and simultaneously authenticate themselves with their payment provider or bank in advance of making a purchase.
This means that once enrolled; checkouts couldn’t be simpler for end-users. They just need to log in and select the card or payment type they want to use when making a purchase. Because they have already been automatically verified by their payment provider or bank when logging in to the retailer, there is no need for any additional ‘step-up’ verification when checking out.
Why Delegate?
Comply with PSD2 SCA
Europe’s financial services industry is acutely aware of PSD2 (Payment Services Directive 2) and its mandate for SCA, requiring two factors of authentication (2FA) for banking services or payments.
Delegated authentication can link the incoming bank challenge message with the transaction details to enable customers to verify themselves in line with 2FA in one action:
- Possession. The consumer possesses an authenticator either in a general-purpose (e.g. smartphone) or a separate device (e.g. smartcard, security key). As such, authentication validates possession, thanks to a private key securely held in the device.
- Biometric data or knowledge. The second element consists of either an inherence factor like biometrics or knowledge, such as a PIN or geometric pattern, verified locally by the authenticator.
Improve user experience
2FA doesn’t need to mean two steps to verification. With delegated authentication, users can demonstrate two factors of authentication with a single gesture.
Using new delegated authentication industry standards gives consumers a choice to use different form factors such as an authenticator integrated into their smartphones; and their preferred gesture, such as fingerprint, facial verification, or a PIN. This harmonises the user experience across sites and avoids the need to use a different authentication method when different exemption criteria apply, such as transaction value.
Build customer relationships
Offering authentication from your own platform is invaluable to merchants, as it not only enables a better, passwordless checkout experience for customers but it also encourages customers to make purchases while logged in. This fosters greater customer loyalty, decreases guest checkout usage, and results in higher spending, with logged-in customers estimated to spend around 10% more.
Strengthen security
Selecting leading open standards such as FIDO means delegated authentication can benefit from a privacy-by-design approach and have a strong resistance to phishing and man-in-the-middle attacks, whereby attackers interrupt an existing conversation or data transfer by inserting themselves in the middle.
Depending on the implementation, delegated authentication leverages the robust hardware security inherent on the device – in a smartphone; this is the trusted execution environment (TEE); it typically is a TPM for PCs. This use of hardware security is a critical element of FIDO's approach - no sensitive data is ever shared with third parties, protecting privacy, merchant liability and security.
Abandon friction, welcome sales
Strong authentication doesn’t have to mean introducing unnecessary friction. Delegated authentication offers merchants and wallet providers the opportunity to take their SCA compliance to the next level with a better user experience that doesn’t cost them sales. While solutions like passwords and SMS OTPs may tick the box of compliance today, delegated authentication will better safeguard merchants and users now and in the future, as less secure authentication methods may come under further scrutiny and be written out of regulation as not safe enough.
In a thriving market for online retailers, it’s the perfect time to act. Offering a better checkout experience now can ensure merchants build better relationships with customers and do not let sales needlessly slip away.
***
About the author: Andrew Shikiar, Executive Director at FIDO Alliance.
