By Mark Nelsen (*)
It may not be the most celebrated international occasion, but this year's World Password Day (today) may be the last. At least for Europe, where PSD2's Strong Customer Authentication (SCA) requirements will help put an end, once and for all, to the use of passwords to authenticate payments.
It is astonishing that we waited so long. The computer password is more than 50 years old, invented by Fernando Corbato in the 1960s. Since then, efforts to choose a password, whether a mother's maiden name or the name of a first pet, have frustrated even the most patient consumers. Worse, the tactics people use to remember passwords often include writing them down, reusing them across multiple accounts, or choosing something that can be easily guessed. According to the security company SplashData, the two most used passwords are "123456" and "password": a dream for hackers and fraudsters.
It's time for change
The payments ecosystem has changed, and so must the way we keep it safe. Advances in authentication and anti-fraud technology are such that even signatures and PINs are becoming optional for some banks and merchants.
In October 2018, the signature became optional for merchants and issuers of EMV® chip cards on Visa's payment network because of the chip's security capabilities. Meanwhile, EMV 3-D Secure 2.0 can now review ten times more data than before, allowing online transactions to be risk-assessed in the background, often without asking the consumer to do anything at all. Finally, advances in artificial intelligence make fraud detection faster and more accurate.
The password is incompatible with this advanced security landscape. Taking advantage of the latest technologies and the SCA exemptions means that, even after 14 September, the only real reasons to ask consumers to take an additional step are either to confirm that they are the legitimate account holder or because something unusual about the payment could indicate fraud. In the first case we want a method that reassures consumers. In the second, we want something robust enough that a fraudster fails the test. The password does neither.
SCA gives us the opportunity to explore a new approach for the modern consumer. The only issue right now is not whether we should provide customers with up-to-date authentication, but rather what method to choose.
There are many forms of authentication, and even more on the way, thanks to an open, collaborative ecosystem that encourages innovation. But currently the two main contenders for the password's throne are one-time passwords (OTPs) and biometrics.
For many, OTPs are the obvious choice. A one-time code offers far more security than a static password, and sending it to a mobile phone registered to a specific account holder is convenient. It is the code, not the device, that authenticates, which means the code can also be sent to an email address to meet different needs. That flexibility cuts both ways: a code is only as trustworthy as the channel that delivers it, so the channel, the code's lifetime and its single use deserve the same care as the code itself. OTPs are also familiar: consumers regularly use them to log in to webmail and online banking, and much of the required infrastructure is already in place.
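The server side of the OTP flow described above, as an added example that is not code from the original article or from Visa's own systems. It issues a random six-digit code, stores only a keyed hash of it, and enforces the properties a practitioner would want but the paragraph does not spell out: a short lifetime, single use, a cap on wrong guesses so the six-digit space cannot be brute-forced, and a constant-time comparison. The delivery gateway (SMS or email) is abstracted as a callable; the five-minute lifetime, the three-attempt limit and the account identifiers are assumptions for illustration.

```python
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass

OTP_TTL_SECONDS = 300   # assumed policy: a code expires five minutes after issue
MAX_ATTEMPTS = 3        # assumed policy: three wrong guesses burn the code
OTP_DIGITS = 6


@dataclass
class PendingOtp:
    digest: bytes       # HMAC of the code; the plaintext is never stored server-side
    issued_at: float
    attempts: int = 0


class OtpService:
    """Issues and verifies single-use numeric codes for any delivery channel
    (SMS, email). The channel is a callable, so the security logic is the same
    whichever way the code reaches the consumer."""

    def __init__(self, server_key: bytes, now=time.time):
        self._key = server_key
        self._now = now                      # injectable clock for testing expiry
        self._pending: dict[str, PendingOtp] = {}

    def _mac(self, account_id: str, code: str) -> bytes:
        # Bind the digest to the account so a code issued for one account
        # cannot be replayed against another.
        msg = f"{account_id}:{code}".encode()
        return hmac.new(self._key, msg, hashlib.sha256).digest()

    def issue(self, account_id: str, deliver) -> None:
        # secrets.randbelow gives a uniformly random code; zfill keeps leading zeros.
        code = str(secrets.randbelow(10 ** OTP_DIGITS)).zfill(OTP_DIGITS)
        self._pending[account_id] = PendingOtp(self._mac(account_id, code), self._now())
        deliver(account_id, code)            # stand-in for the SMS/email gateway

    def verify(self, account_id: str, candidate: str) -> bool:
        entry = self._pending.get(account_id)
        if entry is None:
            return False                     # nothing issued, or already consumed
        if self._now() - entry.issued_at > OTP_TTL_SECONDS:
            del self._pending[account_id]    # expired: the consumer must request a new one
            return False
        entry.attempts += 1
        ok = hmac.compare_digest(entry.digest, self._mac(account_id, candidate))
        if ok or entry.attempts >= MAX_ATTEMPTS:
            # Single use: a correct guess consumes the code; too many wrong
            # guesses burn it so the code cannot be brute-forced online.
            del self._pending[account_id]
        return ok


def demo() -> dict:
    """Runs the happy path, a replay, a lockout and an expiry against a fake
    clock and a capturing delivery channel (constructed test data)."""
    clock = [1_000_000.0]
    sent: dict[str, str] = {}
    capture = lambda acct, code: sent.__setitem__(acct, code)
    svc = OtpService(b"server-side secret, rotate regularly", now=lambda: clock[0])

    svc.issue("acct-42", capture)
    first_ok = svc.verify("acct-42", sent["acct-42"])
    replay_ok = svc.verify("acct-42", sent["acct-42"])   # same code a second time

    svc.issue("acct-42", capture)
    wrong = "000000" if sent["acct-42"] != "000000" else "000001"
    for _ in range(MAX_ATTEMPTS):
        svc.verify("acct-42", wrong)
    locked_out = svc.verify("acct-42", sent["acct-42"])  # right code, but burned

    svc.issue("acct-42", capture)
    clock[0] += OTP_TTL_SECONDS + 1
    expired = svc.verify("acct-42", sent["acct-42"])

    return {"first_ok": first_ok, "replay_ok": replay_ok,
            "locked_out": locked_out, "expired": expired}


if __name__ == "__main__":
    print(demo())
```

Only the first verification in `demo()` succeeds; the replay, the post-lockout attempt and the expired code are all rejected. The same structure applies whether the code goes out by SMS or email, which is exactly why the delivery channel, not this logic, becomes the weakest link.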
The most glamorous option, of course, is biometric authentication. Once the stuff of spy films, biometrics is now commonplace. In the six short years since fingerprint sensors were built into smartphones, consumers have become increasingly comfortable with the approach. A Visa-commissioned study in the US showed that consumers are receptive to biometrics because it offers faster, easier and safer alternatives to passwords: 83% of consumers are interested in using a fingerprint to verify their identity or make payments, and 59% are already familiar with biometrics. Biometric authentication delivers the best of what SCA security can offer without the friction many in the industry fear.
Perhaps the answer is to let customers choose. SCA not only gives us the opportunity to abandon passwords, it also removes the need to restrict authentication to a single method. The same consumer who is happy to pay with a fingerprint on their phone while on the move may prefer an OTP sent by email when buying plane tickets on their desktop. We have the infrastructure for flexibility, consumers have the appetite, and PSD2, after all, is partly about increasing choice.
Convenience is at the heart of consumer decisions, and if we are trying to avoid friction, perhaps the answer is to let the consumer decide.
(*) Senior vice president of risk and authentication products at Visa