Payment gateways and financial service providers are squeezed between the need for security and the urge for user convenience. User-friendly authentication is the answer to this dilemma.
The digital payments ecosystem grows larger and more complex by the day, and it faces new challenges in the form of regulatory compliance, cyber fraud, and rising consumer expectations. According to Statista, digital payments carried a total transaction value of about $3.27 trillion ($3,265,209 million) in 2018 and were projected to grow at 13.5% a year between 2018 and 2022, driven by the convenience they offer consumers.
Easy payment processing has always been a core pillar of electronic payments, but it comes at a price. The more valuable accounts and payments become, the more attractive they are to fraudsters. With the cost of cybercrime estimated to reach $6 trillion annually by 2021, up from $3 trillion in 2015, according to CSO Online, stepping up security is now a must-have.
That is not easy, because most digital payment transactions come from e-Commerce, a market obsessed with user experience and plagued by checkout abandonment. The pressure to avoid any disruption that might prompt a user to leave before paying has shaped how digital payments are built.
Nonetheless, the security of electronic payments can no longer be ignored. Regulations such as the second Payment Services Directive (PSD2) in the European Union force players in the electronic payments market to act by mandating Strong Customer Authentication (SCA). Every new hacking scandal, payment-related or not, brings a fresh wave of concern for enterprises and consumers alike.
Transaction-only security is not enough: two-factor authentication (2FA) belongs throughout the entire customer journey. Still, payment is the point where the balance between security and user experience matters most. A checkout that is too security-driven scares customers away and lowers conversion; one that is too loose attracts fraudsters, who will be more likely to target your users. User-friendly authentication is therefore essential to balancing security and convenience.
How can you set up user-friendly authentication for payments? We’ve got a few optimal practices to share with you.
1. Use the mobile phone number as a trusted digital identity
The first step to upgrade security is to identify your customer.
In a traditional retail experience, a cashier may ask for ID when a customer pays with a credit card. In e-Commerce, identity is usually established through an email account, and most payment providers use email as the primary identifier even though it is a weak one: email accounts can be created in bulk at no cost. A more reliable identifier, even if only a complementary one, is the mobile phone number. A number is tied to a SIM and a carrier account, so it is far harder to mass-produce than an email address, and possession of it can be checked out of band (usually with a code sent by SMS or voice call) to verify both the identity and the transaction. It is not unstealable, however: SIM-swap and port-out fraud exist, so the number should also feed additional checks, such as detecting a recent SIM or number change before trusting an SMS code, to prevent fraudulent account takeovers and transactions. Stripe, one of the largest payment providers globally, has implemented a secure checkout that uses the mobile phone number as the identifier and single-use SMS codes to verify transactions.
However, users may be reluctant to share their mobile phone numbers out of privacy concerns or fear of spam. Take this concern seriously: give users a clear explanation of why their number is needed and how it helps keep their accounts and payments secure.
The familiarity and speed of a verification process users already know reduce the chance that they get distracted by something else on their phones and never complete checkout.
Newer messaging channels tied to the phone number, such as WhatsApp, can combine security with user-friendliness. WhatsApp Business messages are encrypted between the business's messaging endpoint and the user's device rather than travelling as plain SMS over the carrier network, so companies can deliver 2FA codes globally with considerably less exposure than SMS or voice calls. The channel is still bound to the phone number, though, so the same SIM-swap checks apply to it.
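The single-use code lifecycle behind a phone-number checkout is where most implementations go wrong (codes that never expire, unlimited guesses, a code for one order confirming another). The following is an added example in Python, not code from the article or from Stripe: it enforces E.164 numbers, stores only a keyed hash of the code, expires it after five minutes, burns it after three wrong guesses or one correct one, and binds it to a transaction id. The in-memory store, the class and function names, and the limits are constructed for the example.

```python
import hashlib
import hmac
import re
import secrets
import time

# Accept phone numbers only in E.164 form so one customer cannot register the
# same number under several spellings.
E164 = re.compile(r"^\+[1-9]\d{7,14}$")

CODE_DIGITS = 6
CODE_TTL_SECONDS = 300     # a code is valid for five minutes (constructed limit)
MAX_ATTEMPTS = 3           # wrong guesses allowed before the code is burned


class OtpStore:
    """Issues and verifies single-use SMS/voice codes bound to one transaction.

    The store is an in-memory dict here (constructed for the example); a real
    deployment keeps the same fields in a database or cache. Only a keyed hash
    of the code is stored, so a leaked store does not leak live codes.
    Issuing a new code for a phone replaces any pending one.
    """

    def __init__(self, pepper: bytes, clock=time.time):
        self._pepper = pepper        # server-side secret, never stored next to the hashes
        self._clock = clock          # injectable so expiry can be tested offline
        self._pending = {}           # phone -> {"hash", "expires", "attempts"}

    def issue(self, phone: str, txn_id: str) -> str:
        if not E164.match(phone):
            raise ValueError("phone must be E.164, e.g. +14155550123")
        code = f"{secrets.randbelow(10 ** CODE_DIGITS):0{CODE_DIGITS}d}"
        self._pending[phone] = {
            "hash": self._digest(phone, txn_id, code),
            "expires": self._clock() + CODE_TTL_SECONDS,
            "attempts": 0,
        }
        return code  # handed to the SMS/voice/WhatsApp sender, never logged

    def verify(self, phone: str, txn_id: str, code: str) -> bool:
        entry = self._pending.get(phone)
        if entry is None:
            return False                         # nothing issued, or already consumed
        if self._clock() > entry["expires"]:
            del self._pending[phone]             # expired: the user must request a new code
            return False
        entry["attempts"] += 1
        # txn_id is part of the hash, so a code issued for one transaction
        # cannot confirm a different one.
        ok = hmac.compare_digest(entry["hash"], self._digest(phone, txn_id, code))
        if ok or entry["attempts"] >= MAX_ATTEMPTS:
            del self._pending[phone]             # single use: burned on success or after too many tries
        return ok

    def _digest(self, phone: str, txn_id: str, code: str) -> bytes:
        msg = f"{phone}|{txn_id}|{code}".encode()
        return hmac.new(self._pepper, msg, hashlib.sha256).digest()


if __name__ == "__main__":
    store = OtpStore(pepper=secrets.token_bytes(32))
    code = store.issue("+14155550123", "txn-1001")
    print("wrong transaction:", store.verify("+14155550123", "txn-2002", code))
    print("right transaction:", store.verify("+14155550123", "txn-1001", code))
    print("replay of the code:", store.verify("+14155550123", "txn-1001", code))
```

The code itself is returned to the caller only so it can be handed to the delivery channel; it must not be written to logs or analytics, which is the most common way live OTPs leak.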
2. Escalate authentication when you have to
Authentication is not a one-size-fits-all service. From a payment, and even a regulatory, point of view, the authentication steps required should depend on variables such as transaction value, the device used, whether the payment is recurring or new, and more. Many factors play a part in how the security journey is built.
To keep security as painless as possible, users should only be asked for additional authentication factors when the risk of fraud is higher: a high transaction value, a login from an unusual device, or a recent change to the registered phone number (a SIM-swap signal). The risk is assessed first from contextual signals such as location, network and device settings, whether the phone is roaming, and time of day. If that context shows questionable behaviour in an attempted login, transaction, or account recovery, the system asks for a second authentication method, or several.
By sparing customers interaction when it is not needed, this adaptive authentication improves the customer experience while strengthening security and limiting the operational overhead that stronger controls bring.
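As an added example (not the article's or any vendor's code), here is the step-up decision described above in Python: the context signals listed in the text are scored, a low score lets the payment through silently, a high score demands a second factor, and a recent phone number change additionally removes SMS from the list of allowed channels so the step-up code is not delivered to a possibly swapped SIM. The weights, thresholds, field names and the sample customer are all constructed for the example and would need tuning against real fraud data.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import FrozenSet, Optional, Tuple

# Weights and thresholds are constructed for this example; tune them against
# your own fraud data rather than copying them.
HIGH_VALUE = 500.0                        # in the account currency
PHONE_CHANGE_COOLDOWN = timedelta(days=7)
STEP_UP_THRESHOLD = 30


@dataclass(frozen=True)
class TxnContext:
    amount: float
    device_id: str
    known_devices: FrozenSet[str]
    country: str                          # where the request originates
    home_country: str                     # where the customer usually transacts
    roaming: bool
    recurring_to_known_payee: bool
    phone_changed_at: Optional[datetime]  # last change of the registered number, if any
    now: datetime


@dataclass(frozen=True)
class Decision:
    action: str                           # "silent" or "step_up"
    channels: Tuple[str, ...]             # second-factor channels allowed for the step-up
    score: int
    reasons: Tuple[str, ...]


def phone_recently_changed(ctx: TxnContext) -> bool:
    return ctx.phone_changed_at is not None and ctx.now - ctx.phone_changed_at < PHONE_CHANGE_COOLDOWN


def risk_score(ctx: TxnContext) -> Tuple[int, Tuple[str, ...]]:
    """Additive score over the context signals; negative weights model exemptions."""
    signals = [
        (ctx.amount >= HIGH_VALUE, 40, "high value"),
        (ctx.device_id not in ctx.known_devices, 30, "new device"),
        (ctx.country != ctx.home_country, 20, "unusual country"),
        (ctx.roaming, 10, "roaming"),
        (not 6 <= ctx.now.hour < 23, 10, "unusual hour"),
        (phone_recently_changed(ctx), 50, "phone number changed recently (SIM-swap risk)"),
        (ctx.recurring_to_known_payee, -30, "recurring payment to a known payee"),
    ]
    hits = [(pts, why) for fired, pts, why in signals if fired]
    score = max(sum(pts for pts, _ in hits), 0)
    return score, tuple(why for _, why in hits)


def decide(ctx: TxnContext) -> Decision:
    score, reasons = risk_score(ctx)
    if score < STEP_UP_THRESHOLD:
        return Decision("silent", (), score, reasons)
    channels: Tuple[str, ...] = ("push", "totp", "sms")
    if phone_recently_changed(ctx):
        # Never send the step-up code to a number that just changed: a SIM-swapper
        # would receive it. Fall back to factors that do not depend on the number.
        channels = ("push", "totp")
    return Decision("step_up", channels, score, reasons)


def sample_context(amount: float, *, new_device: bool = False, foreign: bool = False,
                   roaming: bool = False, recurring: bool = False,
                   phone_changed_days_ago: Optional[int] = None) -> TxnContext:
    """Constructed sample customer: home country DE, one known device, request at 14:00 UTC."""
    now = datetime(2024, 1, 15, 14, 0, tzinfo=timezone.utc)
    changed = None if phone_changed_days_ago is None else now - timedelta(days=phone_changed_days_ago)
    return TxnContext(
        amount=amount,
        device_id="dev-B" if new_device else "dev-A",
        known_devices=frozenset({"dev-A"}),
        country="BR" if foreign else "DE",
        home_country="DE",
        roaming=roaming,
        recurring_to_known_payee=recurring,
        phone_changed_at=changed,
        now=now,
    )


if __name__ == "__main__":
    print(decide(sample_context(20.0)))                              # silent
    print(decide(sample_context(800.0)))                             # step_up, SMS allowed
    print(decide(sample_context(800.0, recurring=True)))             # silent: recurring exemption
    print(decide(sample_context(20.0, phone_changed_days_ago=2)))    # step_up without SMS
```

The reasons tuple is worth keeping in the audit log: it is what a fraud analyst needs to explain why a given customer was challenged, and what you will tune when conversion data says the thresholds are too aggressive.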
3. Give customers context when their interaction is needed
The EU payment regulation, PSD2, addresses a critical point in preventing fraud while keeping authentication user-friendly: using context to support silent authentication (with little or no customer interaction) and showing customers relevant information when they do need to act. PSD2's regulatory technical standards on SCA require dynamic linking for payment authentication: the authentication code must be specific to the transaction amount and the payee, and the payer must be shown both before authorizing the payment, so that a code approved for one transaction cannot be reused for another.
This extra mile gives customers more control over what they approve and what they deny. Offering a direct way to report a fraudulent attempt, such as an immediate call or message to an agent, can reduce fraud dramatically.
4. Provide a choice of authentication options
A wide variety of authentication methods is available because different customers and use cases have different needs.
A user-friendly authentication solution offers an array of methods instead of focusing on just one. The most common in the industry are hardware tokens, soft tokens or Time-based One-time Passwords (TOTP), push notifications, biometrics, and SMS/voice. WhatsApp is now increasingly used for authentication, too.
Each method has pros and cons. Hardware tokens are very secure but perhaps the least user-friendly and the most costly. Soft tokens or TOTP, also known as authenticator apps, are more secure than SMS but on their own do not satisfy PSD2: a TOTP is computed from the shared secret and the clock, independently of the payment being authorized, so it cannot meet the dynamic linking requirement unless the app also binds the code to the amount and payee. SMS and voice have had their share of hacking scandals, but they remain the most accessible option and can be strengthened with additional controls such as context-based authentication. Push is perhaps the best combination of security and user-friendliness, but the user needs your app installed and a data connection. Lastly, while companies remain unsure whether WhatsApp makes a good authentication method, its encrypted delivery backed by a thorough business verification process has proven adequate for securing accounts and transactions.
Payment providers that want to offer a choice should therefore understand the pros and cons of each method and how each fits into their payment authentication flows. The key is to apply methods in line with how security escalates, using the strength of each for the situation it suits best.
Payment providers, money transfer services, and others can make a giant leap in security with user-friendly authentication applied throughout payment workflows and beyond. But authentication must be implemented strategically, as a core part of the payment product, not as an afterthought.
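To make the dynamic linking point concrete (section 3 and the TOTP caveat above), here is an added Python example, not the article's or any regulator's reference code. It puts a standard RFC 6238 TOTP next to a code that is an HMAC over amount, currency, payee and transaction id. The server-side TOTP check takes no transaction parameters at all, which is exactly why it cannot detect a swapped payee; the dynamically linked code fails verification as soon as amount, payee or transaction id differ from what the customer approved. The key, IBANs and transaction id are constructed; in a real flow the key lives in the customer's app or token and the app shows amount and payee before computing the code.

```python
import hashlib
import hmac
import struct


def totp(secret: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP (HMAC-SHA1): a function of the secret and the clock only."""
    counter = struct.pack(">Q", unix_time // step)
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{value % 10 ** digits:0{digits}d}"


def verify_totp(secret: bytes, code: str, unix_time: int, window: int = 1) -> bool:
    """Server side. Note the signature: nothing about the payment is an input,
    so the server cannot tell which payee or amount the customer approved."""
    return any(hmac.compare_digest(totp(secret, unix_time + k * 30), code)
               for k in range(-window, window + 1))


def dynamic_link_code(secret: bytes, amount_minor: int, currency: str,
                      payee: str, txn_id: str, digits: int = 6) -> str:
    """Authentication code specific to amount and payee, in the spirit of PSD2 dynamic linking.

    The customer's device computes this only after displaying amount and payee.
    txn_id acts as the nonce that stops the same code being replayed for a
    second, identical-looking payment.
    """
    message = "|".join([str(amount_minor), currency, payee, txn_id]).encode()
    mac = hmac.new(secret, message, hashlib.sha256).digest()
    value = int.from_bytes(mac[:4], "big") & 0x7FFFFFFF
    return f"{value % 10 ** digits:0{digits}d}"


def verify_dynamic_link(secret: bytes, code: str, amount_minor: int, currency: str,
                        payee: str, txn_id: str) -> bool:
    """Server side: recompute the code from the payment it is actually about to execute."""
    expected = dynamic_link_code(secret, amount_minor, currency, payee, txn_id)
    return hmac.compare_digest(expected, code)


def demo(secret: bytes, unix_time: int = 1_700_000_000) -> dict:
    """Constructed scenario: customer approves 100.00 EUR to one IBAN, attacker swaps the payee."""
    approved = dict(amount_minor=10000, currency="EUR",
                    payee="DE89370400440532013000", txn_id="txn-42")
    tampered = dict(approved, payee="GB29NWBK60161331926819")
    linked = dynamic_link_code(secret, **approved)
    plain = totp(secret, unix_time)
    return {
        "linked_ok_for_approved": verify_dynamic_link(secret, linked, **approved),
        "linked_ok_for_tampered": verify_dynamic_link(secret, linked, **tampered),
        # The TOTP check has no way to receive the payee, so it passes either way.
        "totp_ok_regardless_of_payee": verify_totp(secret, plain, unix_time),
    }


if __name__ == "__main__":
    print(demo(b"constructed-demo-key"))
```

The digit truncation keeps the code short enough for a customer to read off a device or SMS; a pure app-to-server channel would send the full HMAC (or a signature over the same fields) and skip the truncation.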