Smartphone authentication technology needed for stronger online payments

The retail and payments industries need to consider strengthening their user authentication by using a customer's smartphone to comply with revised security frameworks which will be implemented in 2018/19.

Regulations for online payments are being revised by the European Union which will affect payment service providers and retailers who use these services for online transactions. But using a customer's mobile phone to authenticate payments is being touted in a new report as a way of complying with the new regulations.

The Payments Services Directive (PSD2) – which is expected in 2018/19 – has been preceded by European Banking Authority (EBA) guidelines which came into play over the summer. These guidelines will help organisations become compliant in internet payments. One such suggestion is 'strong customer authentication', which should comprise two of the following elements: something the user knows (a password or code), something the user possesses (a token or mobile phone), or something the user is (biometrics, such as a fingerprint).

But meeting the EBA's strong customer authentication would mean the end of a customer simply typing their card details into the internet – they would also have to provide additional authentication.

Additional authentication

Alan Goode, founder of consultancy Goode Intelligence, said this additional authentication process could happen at a transactional level or when the user logs on to an eCommerce website.

But the act of entering more information goes against the trend where retailers are trying to streamline the customer journey to make it easier to purchase online.

Goode Intelligence and TeleSign have created a whitepaper which describes how payment providers and retailers can operate within the new guidelines to protect payments, while also removing the pain-points.

The whitepaper, entitled 'Weak user authentication is enabling fraud', suggested using TeleSign's identity solutions which use smartphone-based authentication.

Andy Tobin, director of identity services at TeleSign, used the example of a banking customer who travels abroad and finds their card has been automatically blocked – he said this type of technology could authenticate the customer's whereabouts using their mobile phone to inform the bank that the card has not been stolen, avoiding the hassle of unblocking cards.

He says the mobile phone becomes a natural authentication device – always with the owner and nearly always on.

Going one step further, TeleSign's mobile identity could be used to map a user's behaviour using location data to spot patterns which can distinguish between a legitimate device owner and a potential fraudster.

Tobin argued this technology could potentially make current online payment authentication even more seamless.

"At the moment it's when you execute a payment, it is done at that point of authentication. But with better mechanisms, you could authenticate as soon as you get on the website, and the payment activity becomes a background activity," he said, using Uber as an example of a streamlined payment process, as the company knows who you are before you step into the car because you requested it from your mobile phone.

Goode concluded: "Retailers know clunky payment processes lead to cart abandonment. And if they're poorly authenticated, customers go to an alternative retailer. Retailers should leverage inbuilt characteristics of a mobile phone, which are invisible and have less friction."
