The World Wide Web Consortium (W3C), which standardizes technologies for the Web, has announced Secure Payment Confirmation as a new standard. It is designed to simplify and speed up FIDO-based authentication for payment transactions.
Challenges posed by strong customer authentication
Three main challenges remain with card payments in e-commerce. First, consumers find 3-D Secure authentication cumbersome and inconvenient, which repeatedly leads to purchase cancellations. Second, 65 percent of losses due to card misuse occur in the card-not-present (CNP) area, i.e. mainly in e-commerce, so there is obviously a great need for action here. Third, the risk assessment methods currently in use are not sophisticated enough. As a result, legitimate card transactions are incorrectly rejected, which annoys the affected customers.
Strong customer authentication has become mandatory for card payments in e-commerce; hence, various solutions have been developed. For example, Mastercard has the Chip Authentication Program (CAP) with technical specifications for using EMV chip cards to authenticate users and transactions in online banking. These and other initiatives face the challenge of organizing broad support across the industry while maintaining a high level of security.
FIDO can solve several problems
The starting point for the development of FIDO was the inadequacy of traditional passwords. Consumers maintain an average of 70 to 80 customer accounts with a wide variety of providers, and 65 percent of users regularly forget one or more passwords. In addition, there are plenty of examples of how easily these passwords can be obtained through phishing attacks or stolen from the providers' servers. One-time passwords (OTP) cannot remedy this situation because this technology works too slowly and achieves a success rate of no more than 85 percent.
The aim of FIDO is to increase the level of security and improve user-friendliness. In principle, with FIDO, users prove their authorization with an "authenticator" that can be uniquely assigned to them. The data exchange is encrypted using a public key infrastructure (PKI).
A wide variety of solutions can be used as authenticators: from an app in conjunction with Touch ID to a USB token. FIDO is now supported by all major hardware and software providers. These include Apple, Google, Microsoft and Samsung, as well as the card organizations American Express, Mastercard and Visa.