FIDO app-free authentication at PLUSCARD, one year later

This blog is based on an interview originally published in German, in SOURCE magazine.

FIDO is fast gaining popularity around the world for providing secure, frictionless customer authentication experiences. In 2021, Entersekt partnered with Netcetera to help German card issuer, PLUSCARD, launch their FIDO solution – a notable achievement, being the first implementation in the world to use FIDO to authenticate payments.

In June 2022, Uwe Härtel, Country Manager Central Europe at Entersekt, ran a workshop at ProfitCard Berlin, a prominent digital payment conference. He reflected on the game-changing FIDO implementation at PLUSCARD, shared some insights into how things are going one year later, and offered a glimpse into the future of FIDO in payments.   

Here’s what Härtel shared in that Q&A session:

Why did PLUSCARD choose a solution that uses FIDO?

Most cardholders served by PLUSCARD were already successfully using the app-based S-ID check solution for authentication. However, between 10 and 12% of customers were still unwilling to use their mobile devices for strong customer authentication – either because of security concerns or because they simply did not own a mobile device.

PLUSCARD wanted to offer these customers a solution that used a hardware token instead, which the global and open FIDO standard allowed. This would enable these cardholders to shop online with their credit cards, without having to use an app for two-factor authentication (2FA).

Entersekt’s Country Manager for Central Europe, Uwe Härtel, speaking at ProfitCard Berlin.

What role does Entersekt play in this partnership?

Together with our partner Netcetera, we have maintained a long-standing and trusting relationship with PLUSCARD. In fact, since 2019, we had been talking about using a FIDO hardware token for customer authentication within the 3D Secure process. 

To do this, however, Entersekt would have to build a FIDO server and have it certified by the FIDO Alliance. We were pleased to receive this certification at the end of 2020.

The next step was for Netcetera to professionally integrate the FIDO server into the existing PLUSCARD 3D Secure process so that it could go live on June 16, 2021, with the new FIDO authentication solution.

A year down the line, is the solution meeting expectations?

The claim was that authentication with a FIDO token would work flawlessly on all mobile and web browsers. However, all parties were also aware that we were breaking new ground since this implementation was the first of its kind. As a result, the FIDO Alliance followed the PLUSCARD project with great interest, and we had many opportunities to present the findings and openly address existing challenges.

Looking back, there is still room for improvement on the browser support side as well as on the configuration of the merchant checkout pages. For example, we are still fighting to ensure that all browsers (not only Chrome) support cross-origin iframes, which is a prerequisite for a smooth user journey in the checkout process. Another factor is that EMVCo does not prohibit pop-up windows as an alternative solution. I believe these obstacles should be removed urgently.

How will you overcome these hurdles?

Creating the necessary technical prerequisites for smooth functioning on all browsers is unfortunately not in our hands. To this end, the FIDO Alliance, the World Wide Web Consortium (W3C), and EMVCo will need to jointly define and coordinate the framework conditions for FIDO in the area of payments.

That is why Entersekt, together with Netcetera and PLUSCARD, has taken the initiative to adapt the relevant standardizations and specifications with all three institutions in a way that fully supports FIDO in payments. Expectations are high and, at the Technical Plenary and Advisory Committee (TPAC) meeting organized by W3C in Vancouver in September, PLUSCARD, Netcetera, and Entersekt will report first-hand on their experiences.

What role do FIDO, W3C, and EMVCo play in this partnership?

The FIDO Alliance is committed to the worldwide standardization and dissemination of FIDO technology, while W3C sets all standards on the worldwide web. EMVCo ensures that card-based payments work safely and reliably across the world.

What part does Entersekt play?

Entersekt is an active member of the FIDO Alliance and currently chairs the W3C's Web Payments Working Group. We also actively participate in the Web Application Security Working Group. As an EMVCo Associate, our partner, Netcetera, also supports the latest 3D Secure specifications. 

What does the future of FIDO in payments look like?

We see great potential for FIDO. In particular, the support of iframes by other browsers, as well as the new EMVCo 3D Secure 2.3 guidelines, will significantly benefit the enforcement of FIDO authentication for internet payments.

In addition, we believe that the passkeys, officially announced by Apple, Google, and Microsoft, will be a game changer for the further scaling of FIDO. In the future, passkeys will allow a customer to use FIDO across multiple devices with different operating systems (Apple and Android).  

If you’d like to learn more about creating frictionless customer authentication experiences with FIDO, download our ebook, The ultimate guide to FIDO.