Payment gateways and financial service providers are squeezed between the need for security and the urge for user convenience. User-friendly authentication is the answer to this dilemma.
Two-Factor Authentication, 4 Best Ways to Protect Payments
The digital payments ecosystem is becoming larger and more complex by the day; what’s more, it faces new challenges in the form of regulation compliance, cyber fraud and increased consumer expectations. Facilitating a total transaction value in the amount of $3,265,209 million in 2018 with 13.5% growth rate between 2018-2022, according to Statista, the digital payments market continues to grow immensely thanks to the convenience it provides consumers.
While easy payment processing has always been a core pillar of electronic payments, it does come with hindrances. The more valuable accounts and payments become, the more attractive they are to fraudsters. With cybercrime estimated to reach costs of $6 trillion annually by 2021, up from $3 trillion in 2015, according to CSO Online, stepping up security is now a must-have.
But it is not easy, especially as most of the transactions processed by digital payments come from e-Commerce, a market deeply concerned with user experience and plagued with abandonment rates. The market pressure to avoid disruptions or anything that might prompt the user to leave prior to checkout has a powerful effect on how digital payments have been built.
Nonetheless, ensuring that electronic payments are secure can no longer be ignored. Regulations such as Payment Service Directive 2 (PSD-2) in the European Union forces players in the electronic payments market to take action with Strong Customer Authentication (SCA). Every new hacking scandal, payment related or not, brings a new wave of concerns for enterprises and consumers alike.
Even if transaction-only security is not enough — two-factor authentication (2FA) should be applied throughout the entire customer journey — payment is perhaps the most crucial point that must have the perfect balance between security and user experience. If a transaction is too security-driven, it might scare away customers and decrease conversion rates; if it is too loose on the security side, it might attract fraudsters, who will be more likely to attack your users. User-friendly authentication is, therefore, paramount to balancing security and convenience.
How can you set up user-friendly authentication for payments? We’ve got a few optimal practices to share with you.
1. Use the mobile phone number as a trusted digital identity
The first step to upgrade security is to identify your customer. In a traditional retail experience, if a customer pays with a credit card, it is common practice to ask for an ID. In e-Commerce, ID verification works less reliably, as the identity is established usually as an email account. Most payment providers will use email as the main identifier, even though email is not usually reliable due to the ease of creating accounts in bulk. This creates the need to establish a more reliable identifier, even if it is a complementary one, such as the mobile phone number. Because phone numbers are unique and difficult to steal, they are a more reliable identifier to verify an identity as well as a transaction (usually via SMS or voice call). In addition, phone numbers can be used for additional security diagnostics that prevent SIM swaps and fraudulent account takeovers or transactions. Stripe, one of the largest payment providers globally, has implemented a secure checkout using a mobile phone number as an identifier, with single-use SMS codes to verify transactions.
However, users might be less keen to share their mobile phone number, due to privacy concerns or spamming. Hence, take this concern seriously and provide users a strong and clear explanation as to why their phone numbers are needed, and how they can help to keep their accounts and payments secure.
The user-friendliness and speed of utilizing a familiar process to verify transactions, minimizes chances that users will get distracted by something else on their phones and do not complete their check-out process.
2. Escalate authentication when you have to
Authentication is not a “one-size-fits-all” service. From a payment – and even regulatory – point of view, authentication steps should be implemented according to different variables, such as a transaction value, device used for the transaction, recurrent or new payments and more. There are many factors that might impact how the security journey will be created.
To make security as easy as possible for users, customers should only be asked to provide additional authentication factors when there is a higher chance of fraud risk, such as a high transaction value, login from unusual device or location or when any changes to a phone number have been made (risk of SIM swaps). By assessing the risk first via context-based information such as location, network device settings, whether the phone is roaming and time of day, it becomes easier to determine whether the user is whom they claim to be. If the context information shows questionable behavior in an attempted access, transaction or account recovery, then the system asks for a second authentication – or multiple – method(s).
By reducing the customer interactions when they are not really needed, this adaptive authentication not only improves the customer experience while also strengthening security, but it also limits the operational overhead associated with stronger security controls.
3. Give customers context when their interaction is needed
The new EU payment regulation – PSD2 – touches an important point to prevent fraud while making authentication more user-friendly: providing context not only to support silent authentication (with zero or less customer interaction), but also to offer contextual information when the customer needs to act. According to PSD2, in relation to payment authentication especially, the principle of dynamic linking should be provided to users such as the transaction amount and the payee information, offering customers relevant information prior to authorizing a payment.
This extra mile gives customers more control over what they grant access to and what to deny. Providing direct communication mechanisms to report fraudulent attempts via a direct call or message to an agent can reduce fraud dramatically as well.
4. Provide a choice of authentication options
A wide variety of authentication methods are available for good reason: Different customers — as well as use cases — have different needs. This level of flexibility is needed not only from a usability point of view, but also how this is integrated into your customer journey and infrastructure.
A user-friendly authentication solution can provide an array of authentication methods instead of focusing on just one option. The most common ones in the industry are hardware tokens, soft tokens or Time-based One-time Passwords (TOTP), push, biometrics and SMS/voice.
There are pros and cons for each of these authentication methods; for example, while hardware tokens are very secure, they are perhaps the least user-friendly and also very expensive. Soft tokens or TOTP, also known as authenticator apps, are more secure than SMS but would not comply with PSD2, as OTPs are generated independently of the payment authorization and therefore cannot fulfill the dynamic linking requirement. SMS and voice have faced a good share of hacking scandals, but continue to provide user-friendly access to security procedures, and can be strengthened with additional controls, such as context-based authentication. Push is perhaps the best combination of security and user friendliness, but the user needs to have your app downloaded and access to data connectivity.
Therefore, payment providers aiming to offer users authentication options should be aware of the pros and cons of each authentication method to better understand how they can be integrated into their payment authentication flows. The key is to utilize methods according to how security escalates and leverage the strength of each method for different situations.
Payment providers, money transfer services and more can make a big leap in stepping up security with user-friendly authentication, applied throughout payment workflows and beyond. But authentication needs to be implemented strategically, not as an afterthought, being a core part of your payment product.