How FIDO works

Take control of your checkout experience with Delegated Authentication

With only a few weeks to go before the PSD2 SCA enforcement deadline, some online merchants are still working hard to get their 3D Secure implementation ready, while others are already looking ahead to improving their customer checkout experience, and for good reason.

In e-commerce, merchants want to give their online customers the best possible payment experience, to avoid cart abandonment and improve sales conversion, and they want to keep full control of the checkout user experience. Under PSD2, every online transaction requires Strong Customer Authentication (SCA) before it can be approved (some low-risk and low-value transactions may be exempted from SCA). With the 3DS2 protocol, which fulfils the SCA requirements, authentication is commonly performed by the issuer, and this creates a few challenges.

To perform authentication during checkout, cardholders are redirected from the merchant domain to the issuer domain and back again, which creates unnecessary friction, especially for cardholders who are not familiar with this experience. The merchant also has no control over the issuer's authentication method, and could often provide a better authentication experience themselves, for example with device biometrics, or with a merchant login combined with behavioural biometrics; these solutions are easier to offer for merchants, who have more data about their customers available.

Lastly, under PSD2 cardholders may need to authenticate twice: once with the merchant when they access their account, and once with the issuer to initiate the payment. As a consequence, unnecessary friction is introduced and the consumer checkout experience suffers.

Consequently, merchants that already know their customers and have a mechanism in place to authenticate them would prefer not to rely on issuers for authentication, since they may be able to offer a better customer experience themselves. On mobile devices, the use of biometrics is already standard and eases the authentication process.

The good news is that PSD2 allows authentication to be delegated to third parties, including merchants (and wallets), in order to offer a smooth consumer experience while remaining compliant. The consumer can then stay within the merchant environment, website or app, for the whole journey. To benefit from Delegated Authentication, merchants have two options:

a) Set up bilateral contracts between the merchant authenticator and the issuers. This can quickly become complex to manage, given the large number of issuers that would need to be contracted in Europe.

b) Sign up to a scheme delegated authentication program, which provides a multilateral legal agreement framework. These delegated authentication programs meet the PSD2 requirements and remove the need for bilateral agreements. The schemes define a set of rules and minimum requirements that enable issuers to delegate SCA to merchants.

For the merchant-side authentication itself, merchants can leverage FIDO (Fast Identity Online), an open industry standard for authentication that supports both general-purpose devices (such as smartphones and laptops) and separate authenticator devices (such as smart cards and security tokens).

The basic principle of FIDO is public key cryptography, which provides simple and strong authentication: the private key never leaves the user's device, and the relying party only stores a public key with which it verifies signed challenges. More secure than a password and more convenient than a hardware token, FIDO offers both usability and security. We will not cover FIDO authentication in detail here, but it is worth remembering that FIDO is fully PSD2 SCA compliant, offers many authentication options and is supported in the 3DS2 protocol.
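To make the public-key principle concrete, here is an added example (not code from the original post, nor any FIDO Alliance or scheme implementation) that models the two halves of a FIDO-style flow in Go's standard library: a merchant-side relying party that stores only a public key and issues one-time challenges, and a device-side authenticator that signs those challenges with a private key that never leaves it. The relying-party ID `shop.example`, the credential ID `cred-1` and the simplified signed-data layout (hash of the origin, a signature counter, hash of challenge plus origin) are constructed for this example; they mirror the structure of real FIDO/WebAuthn assertions but are not the wire format.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/binary"
	"errors"
	"fmt"
)

// Credential is all the merchant (relying party) keeps after registration:
// the public key and the highest signature counter it has accepted so far.
type Credential struct {
	Pub     *ecdsa.PublicKey
	Counter uint32
}

// RelyingParty is a constructed, minimal merchant-side verifier.
type RelyingParty struct {
	RPID       string                 // origin the credential is bound to, e.g. "shop.example"
	Creds      map[string]*Credential // credential ID -> stored public key
	Challenges map[string]bool        // outstanding one-time challenges
}

// Authenticator is the user's device side: it holds the private key and a counter.
type Authenticator struct {
	priv    *ecdsa.PrivateKey
	counter uint32
}

// Assertion is what the authenticator returns in answer to a challenge.
type Assertion struct {
	CredID    string
	Origin    string // origin the browser reported to the authenticator
	Challenge string
	Counter   uint32
	Sig       []byte // ASN.1 DER ECDSA signature
}

func NewRelyingParty(rpID string) *RelyingParty {
	return &RelyingParty{RPID: rpID, Creds: map[string]*Credential{}, Challenges: map[string]bool{}}
}

// Register generates a P-256 key pair on the device and gives the RP only the public half.
func Register(rp *RelyingParty, credID string) (*Authenticator, error) {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	rp.Creds[credID] = &Credential{Pub: &priv.PublicKey}
	return &Authenticator{priv: priv}, nil
}

// NewChallenge issues 32 random bytes and remembers them so they can be used exactly once.
func (rp *RelyingParty) NewChallenge() (string, error) {
	b := make([]byte, 32)
	if _, err := rand.Read(b); err != nil {
		return "", err
	}
	c := fmt.Sprintf("%x", b)
	rp.Challenges[c] = true
	return c, nil
}

// signedData is the constructed simplification of what a FIDO authenticator signs:
// hash(origin) || counter || hash(clientData), where clientData carries challenge and origin.
func signedData(origin, challenge string, counter uint32) []byte {
	rpHash := sha256.Sum256([]byte(origin))
	clientHash := sha256.Sum256([]byte(challenge + "|" + origin))
	var cb [4]byte
	binary.BigEndian.PutUint32(cb[:], counter)
	buf := append([]byte{}, rpHash[:]...)
	buf = append(buf, cb[:]...)
	return append(buf, clientHash[:]...)
}

// Sign answers a challenge for the origin the browser reports; the key itself is never exported.
func (a *Authenticator) Sign(credID, origin, challenge string) (Assertion, error) {
	a.counter++
	h := sha256.Sum256(signedData(origin, challenge, a.counter))
	sig, err := ecdsa.SignASN1(rand.Reader, a.priv, h[:])
	if err != nil {
		return Assertion{}, err
	}
	return Assertion{CredID: credID, Origin: origin, Challenge: challenge, Counter: a.counter, Sig: sig}, nil
}

// Verify is the merchant-side check: known credential, correct origin, unused challenge,
// valid signature, and a strictly increasing counter (a stuck counter hints at a cloned key).
func (rp *RelyingParty) Verify(as Assertion) error {
	cred, ok := rp.Creds[as.CredID]
	if !ok {
		return errors.New("unknown credential")
	}
	if as.Origin != rp.RPID {
		return errors.New("origin mismatch: assertion was produced for another site")
	}
	if !rp.Challenges[as.Challenge] {
		return errors.New("unknown or already used challenge")
	}
	delete(rp.Challenges, as.Challenge) // consume it: a replayed assertion fails here
	h := sha256.Sum256(signedData(as.Origin, as.Challenge, as.Counter))
	if !ecdsa.VerifyASN1(cred.Pub, h[:], as.Sig) {
		return errors.New("bad signature")
	}
	if as.Counter <= cred.Counter {
		return errors.New("signature counter did not increase")
	}
	cred.Counter = as.Counter
	return nil
}

func main() {
	rp := NewRelyingParty("shop.example")
	auth, err := Register(rp, "cred-1")
	if err != nil {
		panic(err)
	}
	c, _ := rp.NewChallenge()
	a1, _ := auth.Sign("cred-1", "shop.example", c)
	fmt.Println("genuine assertion:", rp.Verify(a1))
	fmt.Println("replayed assertion:", rp.Verify(a1))
}
```

The three checks in `Verify` are where the security properties of the paragraph above come from: the origin comparison is what makes a key registered at the merchant useless to a look-alike site, the one-shot challenge defeats replay, and the signature proves possession of a private key the merchant never held, which is why a breach of the merchant's credential store yields nothing reusable.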

Merchants, especially large ones, will show increasing interest in Delegated Authentication, as it lets them provide a consistent, low-friction checkout experience that drives down cart abandonment and increases revenue.

If you want to learn more about Delegated Authentication and why it could be a solution for your business, contact us.

To stay up to date and receive our latest posts, please sign up to our newsletter.