Multifactor authentication (MFA) can make mobile payments seamless without sacrificing security, thanks to new developments in identity management. In March 2022, the PCI Security Standards Council (PCI SSC) released version 4.0 of the Payment Card Industry Data Security Standard (PCI DSS), making MFA a key requirement. That same month, the FIDO Alliance enhanced its standard, making MFA more frictionless in stores and online.
As a payments industry journalist, I’m fascinated by the flexible architecture and interpretive discussions that shape next-generation commerce. In recent interviews, security leaders addressed MFA from compliance and deployment perspectives. A key takeaway from these discussions is the idea that MFA, with the right framing and implementation, can potentially enrich the customer experience.
Migrating to MFA
Emma Sutcliffe, senior vice president, standards officer at the PCI SSC, thanked PCI DSS v4.0 supporters for their insights and feedback. Contributors included merchants, financial institutions, acquiring organizations, service providers and vendors, she stated, from North America, Canada, Central America, Europe and Asia Pacific.
When reflecting on topics discussed during the Council’s Request for Comment (RFC) period, Sutcliffe said MFA was by far the most popular. “PCI DSS Requirement 8, which concerns multifactor authentication, passwords and authentication systems, received the most comments,” she said, with questions ranging from MFA implementation and password best practices to how authentication requirements align with other robust industry standards.
PCI DSS v4.0 makes MFA a requirement for anyone accessing the cardholder data environment (CDE), Sutcliffe explained, whether that access is to servers, firewalls or networking gear. However, companies have two years to implement the new standard, she added, noting that the existing PCI DSS v3.2.1 is mature and robust enough to protect them during that lengthy transition.
Making MFA frictionless
As security experts have noted, the biggest pain points in authentication occur when users move from one device, browser or platform to another. In March 2022, the FIDO Alliance addressed this issue by enhancing its WebAuthn specification and introducing a multidevice credential designed to authenticate users across multiple devices and browsers. A March 2022 white paper, “How FIDO Addresses a Full Range of Use Cases,” positioned the enhancements as phishing-resistant alternatives to password-based authentication.
“Use cases that are at a lower level of security (including password-only and phishable two-factor deployments), however, currently face the traditional security-versus-usability trade-off when considering FIDO: FIDO can deliver better security, but that higher security comes at a price—the user has to adopt a special purpose authentication device (security keys),” FIDO researchers wrote. “As a result, many relying parties keep their users in a password-only mode, or at best, offer phishable second factors.”
The researchers noted that the proposed changes to WebAuthn let a user’s smartphone act as a roaming authenticator and better support authenticator implementations, particularly platform authenticators that sync FIDO credentials across a user’s devices. They claimed this cost-effective authentication method matches the ubiquity of passwords while being less risky.
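As an added illustration, not code from the article or from the FIDO white paper, the following Python sketch shows the server-side checks a relying party performs on a WebAuthn assertion and why they make FIDO sign-ins phishing-resistant: the browser records the real origin and the authenticator binds the credential to the relying-party id, so an assertion collected on a look-alike site fails. It assumes a constructed relying-party id `shop.example`, constructed browser output built by the helper functions, and that the signature check against the stored public key runs separately.

```python
import base64
import hashlib
import json

RP_ID = "shop.example"                       # constructed relying-party id (assumption)
ALLOWED_ORIGINS = {"https://shop.example"}   # the only origin this RP serves

def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def unb64url(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def make_auth_data(rp_id: str, flags: int, counter: int) -> bytes:
    """Constructed authenticatorData: rpIdHash(32) | flags(1) | signCount(4)."""
    return hashlib.sha256(rp_id.encode()).digest() + bytes([flags]) + counter.to_bytes(4, "big")

def make_client_data(origin: str, challenge: str) -> str:
    """Constructed clientDataJSON, as the browser builds it for navigator.credentials.get()."""
    return b64url(json.dumps({"type": "webauthn.get", "challenge": challenge, "origin": origin}).encode())

def check_assertion(client_data_b64: str, auth_data: bytes, expected_challenge: str, stored_counter: int):
    """Return (ok, reason, counter_to_store). The signature over auth_data || SHA-256(clientDataJSON)
    is assumed to be verified separately against the credential's stored public key."""
    cd = json.loads(unb64url(client_data_b64))
    if cd.get("type") != "webauthn.get":
        return False, "wrong ceremony type", stored_counter
    if cd.get("challenge") != expected_challenge:
        return False, "challenge mismatch: stale or replayed assertion", stored_counter
    if cd.get("origin") not in ALLOWED_ORIGINS:
        # The browser, not the page script, records the origin, so an assertion
        # collected on a look-alike site fails here: this is the phishing resistance.
        return False, "origin mismatch: assertion was not made on our site", stored_counter
    rp_hash, flags = auth_data[:32], auth_data[32]
    counter = int.from_bytes(auth_data[33:37], "big")
    if rp_hash != hashlib.sha256(RP_ID.encode()).digest():
        return False, "rpIdHash mismatch: credential is scoped to another RP", stored_counter
    if not flags & 0x01:
        return False, "user presence flag not set", stored_counter
    if not flags & 0x04:
        return False, "user verification (the second factor) was not performed", stored_counter
    synced = bool(flags & 0x10)   # BS flag: credential is backed up / synced across devices
    # Synced multidevice credentials usually report signCount 0, so only enforce a
    # monotonic counter when the authenticator actually uses one.
    if (counter or stored_counter) and counter <= stored_counter:
        return False, "sign counter did not increase: possible cloned authenticator", stored_counter
    return True, "synced credential" if synced else "device-bound credential", counter
```

The synced-credential branch matters for the multidevice credentials described above: a passkey synced across devices typically reports a zero sign counter, so a relying party that insists on a strictly increasing counter would reject legitimate users.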
Deploying MFA globally
The FIDO Alliance white paper was released during “Authenticate: The FIDO Fit in Commerce,” a virtual summit held March 30 and 31, 2022, in the United States and Europe. The event included my interview with Manish Gupta, director of global cybersecurity services at Starbucks, and Tola Dalton, director of identity software development at eBay, who shared perspectives on passwordless authentication.
Gupta underscored Starbucks’ commitment to creating simple and secure identity solutions. “I’m driving adoption and implementation of passwordless solutions at Starbucks and behavioral authentication solutions, all towards the goal of gaining maturity in terms of Zero Trust,” he said. “We look at these authentication improvements as considerable labor savings for our employees and customers.”
Dalton recalled eBay was an early adopter of biometric authentication in its native app and one of the first major ecommerce companies to roll out WebAuthn to millions of users. “We’re in the middle of our passwordless journey with a very large established user base,” he said. “And I’m extremely passionate in advancing our passwordless vision and getting to what I see as an industry turning point in authentication.”
One small step
Gupta and Dalton agreed that authentication as a separate step is disappearing as multifactor authentication becomes increasingly seamless, agile and intuitive.
For Gupta, combining authentication and payment into one cognitive step is an improvement, but getting there will require global enterprises to deal with disparate cultures, regions and regulatory environments. Even in the United States, biometric regulations vary from state to state, he noted, due to consumer privacy concerns. “So, again, it’s not a [once-and-done],” he said. “You always have to keep up with regulations because they change.”
Dalton concurred that authentication as a separate step should disappear. “This is a theme I’ve heard from another colleague who said if we’re doing our job with identity, we [need to] get out of the way of the user,” he said. “If you want strong, passwordless authentication, make it easy and intuitive, and convince the customer that this is actually an easy login method.”
With multifactor authentication soon to be a requirement for PCI compliance, advanced approaches to MFA will mitigate risk, drive consumer adoption and simplify global deployments, benefiting the entire commerce value chain.
A video of the FIDO Alliance discussion is available at https://authenticatecon.com/content/best-practices-for-user-experience-for-e-commerce-authentication/.
Dale S. Laszig, managing director, DSL Direct, is a payments industry journalist and content strategist. Follow her on LinkedIn at https://www.linkedin.com/in/dalelaszig/ and on Twitter at https://twitter.com/DSLdirect.