In a Europe-first implementation in partnership with Netcetera, the FIDO authentication standard for payments was recently instituted at PLUSCARD, a full-service processor for numerous card-issuing institutions throughout Germany.
The solution, developed over several months, enabled secure, unrestricted card payments on the internet without needing a mobile device for mandatory two-factor authentication.
Uwe Härtel, Entersekt’s country manager for central Europe, offers an informative overview of this milestone project and the benefits afforded to cardholders.
The need for app-free strong customer authentication
Since 2019, Entersekt had been engaged in talks with long-standing partner PLUSCARD about the possible use of hardware tokens for strong customer authentication (SCA).
Although most cardholders were already using an app-based solution, it became apparent that a substantial number (PLUSCARD estimates between 10% and 12%) of cardholders were not willing to use a mobile device for authentication, either because of security concerns or simply because they did not own a smartphone.
These customers needed a solution that enabled them to shop online and pay with their cards without having to use an app for two-factor authentication. At the time, the envisaged solution was a hardware token that followed the global and open FIDO standard.
FIDO-certified server and SDK development
So, in 2020, Entersekt began developing a FIDO server, which had to be certified by the FIDO Alliance before it could be put into practice. In December 2020, that certification was obtained. As a result, the FIDO server could be integrated into the Entersekt Secure Platform (ESP), while the corresponding web software development kit (SDK) was built in parallel.
It was then over to Netcetera to implement the solution at PLUSCARD, which was followed by a longer phase of joint and repeated testing. After all, the authentication flow had to work flawlessly across mobile and desktop browsers.
On June 16, 2021, PLUSCARD went live with its new FIDO authentication solution, the first German FIDO implementation for payments.
Simple, strong customer authentication using FIDO
Today, PLUSCARD customers who have registered their credit cards for FIDO authentication can either obtain a physical FIDO token or use a FIDO token they already own on their PC. They register the token on the PLUSCARD customer portal, where its public-key credential is linked to the customer's card; from then on, every online purchase with that card can be authenticated simply by using the FIDO token.
A FIDO token is a great deal more secure than an SMS one-time password: the credential is a key pair bound to the site's origin, so it cannot be phished, intercepted or diverted by SIM swapping the way an SMS code can, and it is therefore the safer choice.
An authentication solution with great future potential
In addition to physical roaming authenticators (USB FIDO tokens), platform authenticators are set to play a greater role in the medium term, too. In essence, by supporting the WebAuthn standard on top of the device's built-in cryptographic hardware, a notebook or mobile phone will itself become a secure FIDO (platform) authenticator in the future.
Given that PLUSCARD's solution was designed with both methods in mind, it holds a great deal of potential. We’re excited to be on board!
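To make concrete what a FIDO server checks when a registered token (USB or platform) authenticates a purchase, as described for the PLUSCARD portal above and for WebAuthn platform authenticators, here is an added example in Go. It is not PLUSCARD's, Netcetera's or Entersekt's code: a simulated authenticator stands in for the token, and the relying-party ID, origin, look-alike phishing hostname, challenges and counter values are all constructed for the example.

```go
package main
import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/base64"
	"encoding/binary"
	"encoding/json"
	"errors"
	"fmt"
)

// Credential is what the FIDO server stores at registration and links to the card.
type Credential struct {
	PubKey  *ecdsa.PublicKey
	Counter uint32 // last signature counter seen from this token
}

type clientData struct { // WebAuthn CollectedClientData, as built by the browser
	Type      string `json:"type"`
	Challenge string `json:"challenge"`
	Origin    string `json:"origin"`
}

const flagUserPresent = 0x01 // authenticator flag: the user touched or confirmed the token

// NewChallenge returns a random challenge, base64url-encoded as the client echoes it.
func NewChallenge() string {
	b := make([]byte, 32)
	rand.Read(b) // crypto/rand does not return an error on supported platforms
	return base64.RawURLEncoding.EncodeToString(b)
}

// simulateAuthenticator stands in for the token: it signs SHA-256(authData || SHA-256(clientDataJSON)).
func simulateAuthenticator(priv *ecdsa.PrivateKey, rpID string, counter uint32, cd []byte) (authData, sig []byte) {
	h := sha256.Sum256([]byte(rpID))
	authData = append(h[:], flagUserPresent, 0, 0, 0, 0) // rpIdHash(32) || flags(1) || signCount(4)
	binary.BigEndian.PutUint32(authData[33:], counter)
	cdHash := sha256.Sum256(cd)
	msg := sha256.Sum256(append(append([]byte{}, authData...), cdHash[:]...))
	sig, err := ecdsa.SignASN1(rand.Reader, priv, msg[:])
	if err != nil {
		panic(err)
	}
	return authData, sig
}

// VerifyAssertion runs the relying-party checks of WebAuthn section 7.2; on success it advances the counter.
func VerifyAssertion(cred *Credential, cdJSON, authData, sig []byte, rpID, origin, challenge string) error {
	var cd clientData
	rpHash := sha256.Sum256([]byte(rpID))
	switch {
	case json.Unmarshal(cdJSON, &cd) != nil:
		return errors.New("malformed clientDataJSON")
	case cd.Type != "webauthn.get":
		return errors.New("wrong clientData type")
	case cd.Challenge != challenge:
		return errors.New("challenge mismatch")
	case cd.Origin != origin: // a look-alike site cannot present the real origin
		return errors.New("origin mismatch")
	case len(authData) < 37:
		return errors.New("authData too short")
	case string(authData[:32]) != string(rpHash[:]):
		return errors.New("rpIdHash mismatch")
	case authData[32]&flagUserPresent == 0:
		return errors.New("user presence not asserted")
	}
	counter := binary.BigEndian.Uint32(authData[33:37])
	if counter <= cred.Counter && (counter != 0 || cred.Counter != 0) {
		return errors.New("signature counter did not increase: replay or cloned token")
	}
	cdHash := sha256.Sum256(cdJSON)
	msg := sha256.Sum256(append(append([]byte{}, authData...), cdHash[:]...))
	if !ecdsa.VerifyASN1(cred.PubKey, msg[:], sig) {
		return errors.New("bad signature")
	}
	cred.Counter = counter
	return nil
}

// Demo: one legitimate purchase, one attempt from a phishing origin, one replay. Hostnames are made up.
func Demo() (legit, phished, replayed error) {
	const rpID, origin = "portal.example", "https://portal.example"
	priv, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader) // fails only if the RNG fails
	cred := &Credential{PubKey: &priv.PublicKey}             // registered token, counter 0
	ch := NewChallenge()
	cd1, _ := json.Marshal(clientData{Type: "webauthn.get", Challenge: ch, Origin: origin})
	ad1, sig1 := simulateAuthenticator(priv, rpID, 1, cd1)
	legit = VerifyAssertion(cred, cd1, ad1, sig1, rpID, origin, ch)
	ch2 := NewChallenge()
	cd2, _ := json.Marshal(clientData{Type: "webauthn.get", Challenge: ch2, Origin: "https://portal-example.net"})
	ad2, sig2 := simulateAuthenticator(priv, rpID, 2, cd2)
	phished = VerifyAssertion(cred, cd2, ad2, sig2, rpID, origin, ch2)
	replayed = VerifyAssertion(cred, cd1, ad1, sig1, rpID, origin, ch)
	return
}

func main() { fmt.Println(Demo()) }
```

Run it with `go run`: Demo reports nil for the legitimate purchase, "origin mismatch" for the assertion produced on the look-alike domain and a counter error for the replay. The origin and rpIdHash checks are what make a FIDO token immune to phishing, since even a cardholder who touches the token on a fake site cannot produce an assertion the server accepts; a production server additionally verifies the attestation at registration, marks each challenge as single-use and stores the credential ID alongside the card.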
PLUSCARD, Netcetera and Entersekt presented the new FIDO2 solution for payments at ProfitCard Berlin on June 22, 2021. Watch the video (in German).