It might not be the most widely celebrated international celebration, but this year’s World Password Day (today), might be the last. At least for Europe – where PSD2’s Strong Customer Authentication (SCA) requirements will help put an end, once and for all, to the use of passwords to authenticate payments.
It is a wonder we have waited so long. Indeed, the computer password is over 50 years old – invented by Fernando Corbato in the 1960s. Since then, efforts to enter a password, mother’s maiden name, and first pet have frustrated even the most patient of consumers.
What’s more, tactics to remember passwords often include writing them down, repeating them for multiple accounts, or picking something that can be easily guessed. According to security company SplashData the two most commonly used passwords are “123456”, and “password” – a dream for hackers and fraudsters, despite the prevalence of password managers.
- The dangers of password sharing at work
- Major security issues found in popular password managers
- How password neglect is helping hackers win
Time for change
The payments ecosystem has changed, and so must the way we keep it secure. Advancements in authentication and anti-fraud technologies are such that even signatures and PINs are becoming optional for some banks and merchants. In October 2018, signature became optional for EMV® Chip-enabled merchants on the Visa payment network due to the security capabilities of the chip. Meanwhile, EMV’s 3D Secure 2.0 can review 10 times more data than ever before – allowing online transactions to be assessed for risk in the background, often without asking the consumer to do anything at all. Finally, the growing sophistication of artificial intelligence is making fraud detection faster and more accurate.
Against this backdrop of advanced security, the password is mismatched. Taking advantage of the latest technologies and SCA exemptions means that, even after 14 September, the only real reason we should need to ask consumers to take further steps is to either check in with them to make absolutely sure they are the right cardholder, or because we spot something unusual about their payment that could indicate fraud. If the former, we want a form of security that reassures consumers. If the latter, we want something that is so robust a fraudster would fail the test. The password does neither.
SCA gives us the opportunity to explore a new approach, for the modern consumer. The only question now is not if we should provide customers with upgraded authentication, but which method to choose.
There are many forms of authentication, and more to come – thanks to an open and collaborative ecosystem that encourages innovation. But currently the two main successors to the password throne are one-time-passcodes (OTPs) and biometrics.
For many, OTPs are the more obvious choice. Using a unique code far surpasses the security provided by a password, and sending it to a mobile phone – registered to a specific cardholder and probably within their reach – is convenient. The authentication is also the code, not the device, meaning it can also be sent to email addresses or even work through landlines, to suit different needs. It is also familiar – consumers regularly use OTPs to log into emails and online banking, and much of the infrastructure required is already in place.
The more glamorous option, of course, is biometric authentication. Once only a feature of spy films, biometrics are now commonplace. In the 6 short years since fingerprint sensors were integrated into smartphones consumers have grown increasingly comfortable with the approach. A survey commissioned by Visa in the US showed consumers welcome the use of biometrics as faster, easier, and more secure alternatives to passwords. 83 percent of consumers are interested in using fingerprint recognition to verify identity or to make payments and 59 percent are already familiar with biometrics. Biometric authentication can deliver the enhanced security SCA offers, without the friction many in the industry fear.
Perhaps the answer is to let customers have the choice. SCA not only gives us the opportunity to abandon passwords, it also removes the need to restrict authentication to one method. Certainly, the same consumer that might be happy to use a fingerprint when paying on their phone on the go, might prefer an email OTP when buying plane tickets on their home desktop. We have the infrastructure in place for flexibility, consumers have the appetite, and PSD2, after all, is partly about increasing choice.
Convenience is in the eye of the beholder, and if we’re trying to avoid friction, perhaps the answer is to let the customer decide.
Mark Nelsen, SVP of Risk and Authentication Products at Visa