This document discusses 3-D Secure 2.0 and authentication methods. It provides statistics on failure rates for static passwords (45%) and SMS OTP (4%) for authentication. It advocates for simplicity in authentication methods and allowing users to switch between methods conveniently. The document also discusses refreshing old concepts for 3-D Secure like pre-authorization, decoupled authentication, and post-authorization to better support risk-based authentication and regulatory requirements.
4. Our CV
○ We have walked the ways of 3-D Secure
since the early days.
○ One out of 2 cardholders in Germany rely
on us.
○ Many more do so in Switzerland.
4
6. 45 %
Is an average failure rate for people using a static
password as means of authentication.
6
7. 96 %
Is a proven, achievable success rate for an SMS OTP
authentication mechanism.
7
8. 70 %
When using an App which is secured by a PIN the
number or successful authentications drop again .
8
9. Simplicity
Don’t overload a user
with fall-back means
(just because we cover
up for a technical
insufficiency).
As used sporadically
and “under stress”,
they often turn into a
failure.
Simplicity,
when the time
is right
Timing
Allow your users to
switch between
authentication methods
at their convenience.
Ensure your migration
strategy is soft.
9
12. Yes, to
anything! Our customers have
experimented with Risk-Based
Authentication already under
3DS 1.0 throughout the entire
life cycle, from provisioning a
card for an authentication
method to securing each and
every transaction.
12
14. All for 1, but still
behind “walls”. 3-D Secure
Authorize
Prevent
Fraud
14
15. Pre-Auth
Make sure your risk
score is produced based
on information from a
fraud prevention system,
not only on the limited
“profile” of this single
CNP trx.
Auth (de-coupled)
Allow an authentication
request to be initiated
de-coupled from the 3-D
Secure protocol flow.
Post-Auth
Provide a feed of real-
time information for
every 3-D Secure
request directly into the
authorization systems.
Let’s refresh
some (old)
concepts.
Benefit:
For example to fully live
up to Low Value
Excemption concepts
being imposed by
regulators.
Benefit:
A merchant has decided
to skip 3-D Secure, the
authorization might
want to reject the trx,
but can be “overruled” if
the user is again
prompted to
authenticate the trx.
Benefit:
Achieve a full fleshed trx
monitoring based on
real-time data.
15
16. “
«If you want to be successful in a country
where freedom is scarce, give your
employees, customers and partners the
freedom to think, experiment and act, and
you will succeed in nearly anyhting”.
- A friend from a country far South.
16
18. Credits
Special thanks to all the people who
made and released these awesome
resources for free:
○ Presentation template by
SlidesCarnival
○ Photographs by Unsplash
18