[Dave Birch] Over on Digital Money there’s been some discussion about the current state of, and future of, the 3D Secure (3DS) authentication schemes used by Visa and MasterCard to add security to online transactions (under the brand names Verified by Visa and SecureCode). One of the problems with the deployment of these services was that customers didn’t really understand the technology and were confused by the sign-up and usage processes. Now the schemes have responded with a raft of efforts to make 3DS more effective.

The research highlighted that consumers wanted to be certain that Verified by Visa was part of the purchase process. A key feature of the new user interface is that the consumer does not leave the merchant site during the identity checking process; instead the Verified by Visa authentication window appears as an overlay on top of the merchant page.

[From Verified by Visa Europe upgraded to improve cardholder experience]

MasterCard has also come up with a way to make 3DS more palatable to consumers and merchants alike.

To date, all e-commerce purchases on Maestro cards leverage MasterCard® SecureCode™ authentication to ensure the highest security for payment card transactions. The Maestro Advance Registration Program™ enables select online merchants to accept Maestro cards for e-commerce transactions by using SecureCode™ to enroll the customer during the first transaction. Subsequent purchases the same customer makes at the merchant web site using the same Maestro account can now be processed without MasterCard SecureCode authentication, making repeat buying both convenient and fast.

[From MasterCard Unlocks Maestro Debit Card Acceptance on the Internet with Maestro Advance Registration Program | MasterCard®]

I’m interested in these efforts because if banks found a way to make 3D Secure authentication effective, painless and ubiquitous then it would make sense for other organisations to pay the banks to provide that authentication service to them, rather than build their own versions. In these circumstances I could well imagine using my Barclays thingy (a.k.a. PINsentry) and debit card to log in to do my taxes or whatever.

I have some sympathy with the view that it is better to go with the grain. If the banks come up with a convenient and simple authentication solution, then it will find its own path into the marketplace.

If banks truly cared about offering the right solutions to the problem, they wouldn’t have to make solutions mandatory.

[From MANDATORY Verified by VISA and UCAF SPA]

One of the more interesting ways of leveraging 3DS might be to integrate it into some other, Internet-based, authentication scheme. A good candidate might be OpenID. Now, as previously discussed, OpenID needs strong authentication to be useful for business. 3DS could provide a mass market 2FA addition to OpenID. A direction that might be explored is what you might call “4D Secure”, or 4DS: instead of using bank authentication to log in to something, use bank authentication to log in to an OpenID provider and then use OpenID to log in to things. This has the advantage that service provider sites could implement open source, standard OpenID solutions rather than interface with 3D Secure. So I go to log in to Tesco using OpenID, I do an OpenID log in using my Barclays credit card and USB contactless interface (my Barclays credit card has PayPass) and off I go. A few minutes later, I log in to The Daily Telegraph comment section, again using OpenID, but since I’ve already authenticated myself there’s no need to do it again.

These opinions are my own (I think) and are presented solely in my capacity as an interested member of the general public [posted with ecto]
