The move towards two-factor authentication (2FA) is gaining momentum fast, with companies ranging from banks to social media platforms now offering the method as an extra security measure for protecting users’ personal information. The major payments networks are no exception. Even though specific authentication techniques can only be mandated by the card issuers themselves, MasterCard, Visa and American Express now all offer 2FA options, based on the 3-D Secure protocol, for identity verification in online credit and debit card transactions.

To recap:

  • Visa’s Verified by Visa: In addition to entering a password, the user can request a one-time password (OTP) to be sent to their mobile phone, which they then enter as a second factor of authentication
  • American Express’s SafeKey: Like Verified by Visa but with the option to send the OTP via e-mail instead of mobile
  • MasterCard’s SecureCode: Like Verified by Visa but with the option to send the OTP via e-mail or, instead, enter a second (static) password, determined by the user at enrolment, in a separate window

Not all second factors are created equal

While these forms of 2FA have helped to reduce card-not-present fraud, they have not exactly been welcomed with open arms by consumers. Dual passwords make the list of things the user has to remember even longer, and the dialog box these are entered into is still open to keylogging. Meanwhile, OTPs typically rely on mobile operators for delivery, and they require additional effort from the user without rendering transactions fraud-proof as a reward. In fact, OTPs are increasingly failing as a security tool, as we discuss in our white paper, OTP: Security past its expiration date. My colleagues have also used this blog to recount successful attacks on OTP-protected banking users in Europe, Japan, Australia, New Zealand, the UK, Turkey and Russia, to name only a few.

In another blow to this already beleaguered authentication method, Visa is now considering discontinuing the use of OTPs in online shopping transactions in Singapore and Brunei. Ooi Huey Tyng, Visa's manager in the area, said there are “growing issues” with the method, including its clumsiness for small transactions, delayed message arrival, and the fact that it doesn’t always work while users are travelling internationally.

Biometric verification is becoming popular as a second factor, but it is not without limits when used on its own. Aside from the fact that fingerprints can be cloned, biometric authentication systems make banks dependent on mobile device manufacturers for the scanning and storage of identification data. (Learn more in our most recent white paper, Biometrics and strong authentication.)

One-touch authentication

At Entersekt, we believe that the only truly trustworthy and accessible second factor is a mobile phone or tablet that is uniquely identified with mobile certificate technology. Together with advanced mobile app security, this second factor allows the online (or mobile) shopper to confirm their identity to their bank or payments network over an out-of-band, end-to-end-encrypted authentication channel, such as the one Entersekt provided to Swisscard in 2013. Swisscard calls it “Simply Safe”, which captures its essence perfectly.

This card-not-present authentication system, powered by our product, Transakt, gives cardholders the option of authorizing their 3-D Secure-protected purchases directly on their mobile phones, instead of entering a static password or OTP. A transaction is approved by simply tapping the “Accept” response after receiving an automatic push message.

This approach is not only more user-friendly than other forms of 2FA; it is also more secure. Unauthorized transactions can be stopped in their tracks by responding “Reject” to the push message, and the communication channel over which these responses travel is not susceptible to the threats inherent to OTP or SIM-based authentication systems. The cardholder can complete their transaction instantly, wherever they are in the world, with no fear of fraud.
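To make the difference between an OTP and a device-bound approval concrete, here is an added example in Go (not Entersekt's or Swisscard's code, and not the Transakt protocol): a model of the push-approval flow in which an ECDSA key pair generated at enrolment stands in for the device certificate, the issuer pushes the transaction details to the device as a challenge, and the device signs those details together with the cardholder's Accept or Reject decision. All type names, field layouts, device identifiers and sample amounts are assumptions constructed for this example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
	"strconv"
	"strings"
)

// Challenge is what the issuer pushes out-of-band to the enrolled device:
// the exact transaction details the cardholder sees before deciding.
type Challenge struct {
	ID       string // random nonce; each challenge can be answered once
	DeviceID string
	Merchant string
	Amount   int64 // minor units (e.g. cents) to avoid float ambiguity
	Currency string
}

// Response carries the decision and a signature, made with the device's
// private key, over the challenge details plus that decision.
type Response struct {
	ChallengeID string
	DeviceID    string
	Accept      bool
	Signature   []byte
}

// Issuer models the bank side: enrolled device keys and open challenges.
type Issuer struct {
	devices map[string]*ecdsa.PublicKey
	open    map[string]Challenge
}

func NewIssuer() *Issuer {
	return &Issuer{devices: map[string]*ecdsa.PublicKey{}, open: map[string]Challenge{}}
}

// Enroll records the device's public key (stand-in for a device certificate).
func (iss *Issuer) Enroll(deviceID string, pub *ecdsa.PublicKey) { iss.devices[deviceID] = pub }

// NewChallenge registers a transaction awaiting approval; the push delivery
// is simulated by handing the returned struct to the device.
func (iss *Issuer) NewChallenge(deviceID, merchant string, amount int64, currency string) (Challenge, error) {
	if _, ok := iss.devices[deviceID]; !ok {
		return Challenge{}, errors.New("device not enrolled")
	}
	var nonce [8]byte
	if _, err := rand.Read(nonce[:]); err != nil {
		return Challenge{}, err
	}
	ch := Challenge{ID: fmt.Sprintf("%x", nonce), DeviceID: deviceID, Merchant: merchant, Amount: amount, Currency: currency}
	iss.open[ch.ID] = ch
	return ch, nil
}

// canonical is the digest both sides sign and verify: every field the user
// saw plus the decision, so changing any of them invalidates the signature.
func canonical(ch Challenge, accept bool) []byte {
	s := strings.Join([]string{ch.ID, ch.DeviceID, ch.Merchant,
		strconv.FormatInt(ch.Amount, 10), ch.Currency, strconv.FormatBool(accept)}, "|")
	h := sha256.Sum256([]byte(s))
	return h[:]
}

// Respond is the device side: sign what was displayed together with the tap.
func Respond(priv *ecdsa.PrivateKey, ch Challenge, accept bool) (Response, error) {
	sig, err := ecdsa.SignASN1(rand.Reader, priv, canonical(ch, accept))
	if err != nil {
		return Response{}, err
	}
	return Response{ChallengeID: ch.ID, DeviceID: ch.DeviceID, Accept: accept, Signature: sig}, nil
}

// Verify checks the response against the issuer's OWN stored copy of the
// challenge, never against details supplied by the responder, and consumes
// the challenge on success so a captured response cannot be replayed.
func (iss *Issuer) Verify(r Response) (bool, error) {
	ch, ok := iss.open[r.ChallengeID]
	if !ok {
		return false, errors.New("unknown or already used challenge")
	}
	if ch.DeviceID != r.DeviceID {
		return false, errors.New("response from a different device")
	}
	if !ecdsa.VerifyASN1(iss.devices[r.DeviceID], canonical(ch, r.Accept), r.Signature) {
		return false, errors.New("signature does not match stored transaction details")
	}
	delete(iss.open, r.ChallengeID)
	return r.Accept, nil
}

func main() {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader) // enrolment key pair
	if err != nil {
		panic(err)
	}
	issuer := NewIssuer()
	issuer.Enroll("phone-01", &priv.PublicKey)                            // constructed device ID
	ch, _ := issuer.NewChallenge("phone-01", "Example Store", 4999, "CHF") // constructed transaction
	resp, _ := Respond(priv, ch, true)                                     // cardholder taps Accept
	approved, err := issuer.Verify(resp)
	fmt.Println("approved:", approved, "err:", err)
	_, err = issuer.Verify(resp) // same response again: challenge is single-use
	fmt.Println("replay:", err)
}
```

Two properties of this flow are what separate it from a code typed into a web form: the signature covers the merchant, amount and currency the cardholder actually saw, so a response only counts if the device signed exactly what the issuer recorded for that transaction; and each challenge is consumed on the first valid answer, so the approval is bound to one transaction rather than being a reusable secret.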



Jolette Roodt

WRITER/ANALYST


Entersekt is an innovator of customer-centric fintech solutions. Financial services providers and other enterprises rely on our patented mobile identity system to provide both security and the best in convenient new digital experiences to their customers, irrespective of the service channel. With us, they can concentrate on their innovation roadmap, while delivering intuitive, low-friction digital experiences to their customers.