For the better part of the last decade, “frictionless” has been the gold standard when it comes to consumers’ interactions with merchants at checkout. In a world that is moving rapidly to mobile, the conventional wisdom is that the fewer stutter steps introduced to the checkout process, the better, as roadblocks are likely to bounce the consumer to the next available site.
And, as Boku’s Head of Identity Stuart Neal told PYMNTS in a recent conversation, the biggest names in the game – Apple, Google, Amazon and the like – have had vast resources at their disposal to invest in artificial intelligence (AI) and other security tools to create frictionless checkouts in a fairly secure way. What they bring to the table, he noted, is the ability to fully invest in armies of programmers to build incredibly sophisticated machine learning algorithms, which provide a very accurate picture of who their customers are and how they typically interact.
“It gets slightly more prickly with merchants further down the food chain who don’t have those resources at their command, and don’t have the ability to analyze their customer interactions and model these things out,” Neal pointed out. “What you get there is a replication of a frictionless journey that is happening in a much less secure way.”
And that is creating something of a sea change in how the world, and the regulatory world in particular, sees those frictionless interactions and the degree to which the merchant has been able to take ownership of the full consumer journey. With the advent of PSD2's Strong Customer Authentication (SCA) requirement, which started rolling out in September 2019 with an implementation deadline of March 2021, regulators are stepping in to give financial services players a framework for verifying consumer identity.
The good news, according to Neal, is that the intent of the regulatory changes is understood and respected. The less good news? The lack of clarity around certain details, like the exact criteria for secure authentication, what counts as adequate proof of possession or adequate inherence, and whether a knowledge factor will be leveraged. Those factors all remain cloudy and a source of frustration for most players watching the regulatory path unfold.
“I am not sure in the shorter term whether this is actually helping things,” Neal noted.
SMS As A Microcosm
Two-factor SMS authentication, Neal noted, offers a microcosm of how the details of the debate can get lost and shuffled. Sitting in meetings with various regulators and trade bodies trying to solve for SCA's two-factor authentication requirement was eye-opening in a surprising way, he said: it was simply assumed that an SMS one-time password (OTP) would be the first factor. SMS has the great benefit of being nearly ubiquitous among consumers, Neal said, and the method is fairly simple, straightforward and final. If a customer can receive the authentication text, odds are good that they are in possession of their phone.
But there are some big problems there as well. Attackers can intercept those authentication texts, whether by taking over the number (a SIM swap or port-out) or by phishing the code out of the customer, which leaves SMS OTP exposed to a host of man-in-the-middle attacks. Moreover, Neal pointed out, the texts create a pretty unpleasant source of friction that acts as a conversion killer: Studies show that 10 percent to 15 percent of consumers bail on the transaction when an SMS verification is sent their way.
“No one in the group I interacted with was looking for a better solution for OTP as an instrument to determine possession,” said Neal. “And at Boku, we know we are sitting on better solutions that provide more security and are much less friction-intensive. My argument will always be: If you can solve for possession without issuing passwords into the ether, that is something we ought to explore as a better way of proving possession.”
In Boku's case, that means using data from the mobile network operators behind its carrier billing network to provide essentially the same information as an SMS OTP, but invisibly, in the background. The company can see whether the transaction is coming from the phone one would expect (i.e., the one associated with the account), and that no major changes have recently happened to that phone or its number that would suggest an interception attempt. The customer never sees or feels it, since it happens in a fraction of a second on the backend, but it offers a clear, certain answer to the question of whether it is the right phone.
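To make the silent possession check concrete, here is an added example (not Boku's code, and not a real carrier API) of the decision logic such a check needs: confirm the request originated from the account's phone number, then refuse to treat the line as proof of possession if the operator reports a recent SIM change, number port or forwarding change, since those are the classic precursors to OTP interception. The `CarrierSignal` fields, the seven-day window and the sample numbers are all assumptions constructed for illustration.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from enum import Enum
from typing import Optional


class Verdict(Enum):
    POSSESSION_CONFIRMED = "possession_confirmed"  # line can count as the possession factor
    STEP_UP = "step_up"                            # line looks risky; require another factor
    MISMATCH = "mismatch"                          # request did not come from the account's phone


@dataclass(frozen=True)
class CarrierSignal:
    """Constructed stand-in for what a network operator can attest about a line.

    Field names are assumptions for this example, not a real carrier or Boku API.
    """
    msisdn: str                                   # number the request actually originated from
    last_sim_change: Optional[datetime]           # most recent SIM (ICCID) change, if any
    last_port: Optional[datetime]                 # most recent port to another operator, if any
    last_forwarding_change: Optional[datetime]    # call/SMS forwarding enabled or changed, if any


def _normalize_msisdn(raw: str) -> str:
    """Reduce a number to its digits so spacing or punctuation cannot cause a false mismatch."""
    return "+" + "".join(ch for ch in raw if ch.isdigit())


def _recent(event: Optional[datetime], now: datetime, window: timedelta) -> bool:
    """True if the event happened inside the look-back window."""
    return event is not None and (now - event) <= window


def assess_possession(account_msisdn: str, signal: CarrierSignal, now: datetime,
                      window: timedelta = timedelta(days=7)) -> Verdict:
    """Silent possession check: right phone, and no recent takeover-style changes to it."""
    if _normalize_msisdn(account_msisdn) != _normalize_msisdn(signal.msisdn):
        return Verdict.MISMATCH
    # A SIM swap, port or forwarding change shortly before a payment is exactly what an
    # attacker does to receive the victim's texts, so the line is not evidence of possession.
    for event in (signal.last_sim_change, signal.last_port, signal.last_forwarding_change):
        if _recent(event, now, window):
            return Verdict.STEP_UP
    return Verdict.POSSESSION_CONFIRMED


# Constructed inputs: one account number and three checkouts observed by the network.
NOW = datetime(2020, 2, 1, 12, 0, tzinfo=timezone.utc)
ACCOUNT = "+44 7700 900123"  # Ofcom-reserved fictional number
CLEAN = CarrierSignal("+447700900123", datetime(2018, 5, 1, tzinfo=timezone.utc), None, None)
SWAPPED = CarrierSignal("+447700900123", NOW - timedelta(hours=6), None, None)
OTHER = CarrierSignal("+447700900999", None, None, None)

if __name__ == "__main__":
    for label, sig in (("clean", CLEAN), ("SIM swapped 6h ago", SWAPPED), ("other phone", OTHER)):
        print(f"{label}: {assess_possession(ACCOUNT, sig, NOW).value}")
```

The useful property is that the risky case does not produce a hard decline: a recent SIM change on the correct number is exactly the situation where the merchant should fall back to a different factor rather than either trusting the line or bouncing a legitimate customer who simply got a new handset.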
It’s not enough to be the all-encompassing answer, Neal noted, but it is a critical part of the answer that financial services players and merchants will need to work out over the next few years as the regulations are put more firmly into place.
Navigating A Shifting Axis Point
There will always be some tension between a frictionless journey and a secure one, Neal noted. He believes the pendulum has tipped in a new direction as of the start of the 2020s, but there are limits to how far it can swing. Consumers like using Uber and jumping out of their ride without having to fuss with payments, and they like one-click shopping on Amazon and all of the other conveniences of smooth digital transactions.
“The pendulum is swinging back toward security from pure frictionless, but it won’t stay there,” Neal predicted. “There are, quite frankly, too many big players who have too much influence to make that plausible. Over and above that, (consumers) like the easy journey. They will only put up with so much friction for so long.”
The challenge going forward will lie in striking a balance between all of the players, he said – a mission that admittedly is going more slowly than surely at the moment.
But an inevitable change is coming, no matter how bumpy the road might turn out to be. In some sense, said Neal, the regulatory bodies have spoken – and the challenge for financial services players is how to start thinking differently about verifying consumers’ identities without accidentally chasing them from commerce in general.
“The regulation has made it very clear who is on the hook for this stuff,” noted Neal. “In some sense, it doesn’t matter who picks up the liability on the commercial side – the question is, who is legally liable? PSD2 puts the answer squarely with the banks and financial institutions that are charged with looking after the customer’s money.”