Strong Customer Authentication and Where One-Click Authentication Methods Fit In


Is it possible to have Strong Customer Authentication and a great user experience?

Back in 2015, the European Union passed an improved version of the Payment Services Directive (PSD2) with the intention to provide consumers and businesses with an easier, safer way to manage their online payments.

This would be done by breaking down banks’ monopolies on user data, introducing new services as intermediaries between the users and the banks, and – our favorite part, and what we’ll be discussing in this post – demanding strong customer authentication (SCA).

Although Strong Customer Authentication enforcement was originally due in 2019, the deadlines were extended to December 31, 2020, for the EU, and September 14, 2021, for the UK.

As banks, payment processors, and fintech companies scrambled to get everything in order, serious concerns arose about a deteriorated user experience. And in today’s economy, where 53% of mobile visits are abandoned if a page takes more than three seconds to load, those concerns make perfect sense.

If that’s the stat, then what should you expect after adding a whole authentication step to your checkout process? Not much of a change, if you go about it wisely.

Firstly, Strong Customer Authentication is there to protect both your business and your customers. Secondly, implementing complementary and effective mobile authentication options can preserve, or even improve, your user experience.

Let’s break it down.

What is Strong Customer Authentication

Strong Customer Authentication calls for using at least two out of three authentication factors – 1) something a user knows, 2) something a user is, and 3) something a user has.

Something a user knows refers to a password, a PIN, or an answer to a security question. It’s important to note that payment card numbers, CVV, or expiration dates aren’t considered valid here.

Something a user is refers to biometric authentication – a fingerprint, face ID, voice ID, etc.

Finally, something a user has refers to a hardware token, smart card, wearable device, smartphone, or another piece of hardware that a user possesses.

Is this the case for all transactions?

The SCA Exceptions

There are some exceptions to the Strong Customer Authentication rules:

Any transaction under €30 is allowed to go through without SCA, with two “buts” –

    The exact amount threshold will depend on the fraud rate of the particular bank or issuer, similar to the way in which credit scores work;
    Every fifth transaction under €30 will be challenged, as well as when the combined value of your transactions goes over €100.
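
The two-of-three factor rule and the low-value exemption described above, written out as an added example (it is not code from this post or from any payment provider). The credential names, their mapping to categories, the class and function names, and the reset of the counters after a completed SCA are assumptions of this example.

```python
from dataclasses import dataclass

# Credential -> SCA category. The categories come from the text above; this
# particular mapping is an assumption made for the example.
CATEGORY = {
    "password": "knowledge", "pin": "knowledge", "security_answer": "knowledge",
    "fingerprint": "inherence", "face_id": "inherence", "voice_id": "inherence",
    "hardware_token": "possession", "smart_card": "possession",
    "smartphone": "possession",
}
# Card number, CVV and expiry date are deliberately absent from CATEGORY:
# the text says they are not valid "something a user knows" elements.


def satisfies_sca(verified_credentials):
    """True when the verified credentials span at least two distinct categories."""
    categories = {CATEGORY[c] for c in verified_credentials if c in CATEGORY}
    return len(categories) >= 2


@dataclass
class LowValueExemption:
    """One payer's exempted payments since their last SCA (amounts in cents)."""
    threshold: int = 3000      # EUR 30; an issuer may set this lower
    max_total: int = 10000     # EUR 100 combined value
    challenge_every: int = 5   # every fifth low-value payment is challenged
    count: int = 0
    total: int = 0

    def requires_sca(self, amount):
        if amount >= self.threshold:                  # not "under" the threshold
            return True
        if self.count + 1 >= self.challenge_every:    # this would be the fifth
            return True
        return self.total + amount > self.max_total   # combined value exceeded

    def record(self, amount, sca_performed):
        """Call once the payment completes; resetting after SCA is an assumption."""
        if sca_performed:
            self.count, self.total = 0, 0
        else:
            self.count += 1
            self.total += amount
```

Two credentials from the same category (a password plus a PIN) fail `satisfies_sca`, which is the case a naive "count the credentials" check gets wrong.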

That being said, the majority of the transactions will not fall under these exceptions. So, what would be the best combination of authentication factors?

SCA vs. Today’s Mobile User Authentication

The majority of the internet today relies on some combination of username/password and SMS OTP mobile authentication. However, if you’re looking for great security with a frictionless user experience, passwords and SMS OTPs aren’t the right choices for you.

By now, you probably know that passwords are far from ideal for mobile authentication – they aren’t very tricky to hack, and the password reuse statistics make the risks huge.

On the other hand, SMS OTP comes with the fatal SS7 flaw that enables hackers to easily reroute or intercept the codes you receive over SMS. And don’t forget about SIM swapping!

In fact, with its low code delivery and conversion rates, SMS OTP is just one of the reasons behind the fear of implementing strong customer authentication.

A great user experience isn’t one of the features of these two authentication methods.

As a more secure alternative to SMS OTP 2FA, there is authenticator-app two-factor authentication. However, the user experience diminishes even further here.

If you’re looking for a great user experience, biometric authentication is the way to go.

Not only does it take only seconds to authenticate, but we are familiar with biometric authentication and use it every day on our phones.

Sure, privacy concerns will arise. But, that’s just it –

No authentication option is good enough on its own. It’s precisely the point of SCA to have multiple authentication factors to cover for each other.

So, let’s say that you have opted for biometrics as the best choice from the options outlined above. What other authentication factor should you consider?

Enable Strong Customer Authentication, AND Provide Frictionless User Experience

IPification fits in the combination as the “something the user has” factor. It’s a great, modern replacement for currently used SMS-based two-factor authentication methods.

It works by assigning a unique mobile identity key to each user based on their phone number, SIM card, and device data. To authenticate, the user only needs to click once to request verification. They are then verified against their mobile identity key within milliseconds. In fact, since the user is only verified against their complete mobile identity key, SIM swapping isn’t an issue either.

IPification relies on the already existing mobile network operator infrastructure and helps them open up new revenue streams by monetizing these authentication channels while helping service providers increase their own.

It can be implemented as part of an MFA system, enabling compliance with strong customer authentication. As part of your Strong Customer Authentication process, IPification could work together with biometrics, or even username/password authentication. With the full IPification technology suite enabled, the IPification authentication option is capable of running in the background!

More importantly, it streamlines the user experience so that your business doesn’t risk a spike in abandoned carts, and instead closes sales.

It’s important to remember that while 70% of users prefer an authentication option for its ease of use, it doesn’t mean that they don’t care about their online security. It’s quite the opposite.

If you want IPification to become a part of your SCA process, schedule a call with us.
