Instant Payments: Wonderful, Risky and Begging for Better Authentication

Though there has been tremendous growth in the digital and mobile banking ecosystem over the last 18 months, the same cannot be said for the expected advancement beyond passwords, which are as common today as ever.

According to Gerhard Oosthuizen, chief technology officer of global strong authentication FinTech Entersekt, there are signs — and a pressing need — that the days of these first-generation forms of digital ID are numbered.

“We’re starting to see more and more businesses explore how to eliminate passwords by utilizing device-based biometrics combined with a strong possession factor,” Oosthuizen told PYMNTS. Hopefully, passwords become like a “rotary phone” very quickly.

The good news, he said, is that when it comes to providing customers with the best, most secure digital experience, new digitally-native startups have the advantage of a clean slate, which gives them the opportunity to build the needed infrastructure from the start, compared to more established peers.

“Many of the older systems have not been built with that level of security protection in place,” he said, noting the unique fraud risks presented by instant payments like ACH, wire payments, direct deposits and essentially anything that involves “moving money immediately and irrevocably.”

A Future Without Passwords

In addition to using biometrics, Oosthuizen said new standards like Web Authentication API (WebAuthn) can help reinforce security, enabling strong authentication across platforms without passwords.

The web-based API lets browsers use the FIDO (Fast Identity Online) set of specifications without requiring users to install an application, and it handles registration and authentication with public key cryptography instead of a password.
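To make the public-key flow concrete, here is an added Node.js example (not from the article or from Entersekt) of what the server stores at registration and what it checks at login, including why a replayed or phished response fails. The authenticator is modelled in software, attestation and CBOR encoding are omitted, and `bank.example`, the look-alike origin and all function names are assumptions.

```javascript
const { createHash, generateKeyPairSync, randomBytes, sign, verify } = require('node:crypto');
const RP_ID = 'bank.example';                   // assumed relying-party ID
const ORIGIN = 'https://bank.example';          // assumed site origin
const LOOKALIKE = 'https://bank-login.example'; // hypothetical look-alike origin
const sha256 = (data) => createHash('sha256').update(data).digest();

function makeAuthenticator() { // constructed stand-in for a platform authenticator or FIDO key
  const { publicKey, privateKey } = generateKeyPairSync('ec', { namedCurve: 'P-256' });
  let counter = 0;
  return {
    publicKey, // registration sends only this; the private key never leaves the device
    getAssertion(challenge, origin) {
      const clientDataJSON = Buffer.from(JSON.stringify({
        type: 'webauthn.get', challenge: challenge.toString('base64url'), origin }));
      const authData = Buffer.alloc(37); // rpIdHash(32) | flags(1) | signCount(4)
      sha256(RP_ID).copy(authData, 0);
      authData[32] = 0x05;               // user present (0x01) + user verified (0x04)
      authData.writeUInt32BE(++counter, 33);
      const signed = Buffer.concat([authData, sha256(clientDataJSON)]);
      return { clientDataJSON, authData, signature: sign('sha256', signed, privateKey) };
    },
  };
}

// Server check: the stored record holds a public key and a counter, no shared secret.
function verifyAssertion(stored, expectedChallenge, a) {
  const client = JSON.parse(a.clientDataJSON.toString('utf8'));
  if (client.type !== 'webauthn.get') return 'bad-type';
  if (client.challenge !== expectedChallenge.toString('base64url')) return 'bad-challenge';
  if (client.origin !== ORIGIN) return 'bad-origin';
  if (!a.authData.subarray(0, 32).equals(sha256(RP_ID))) return 'bad-rp-id';
  if ((a.authData[32] & 0x01) === 0) return 'user-not-present';
  const signed = Buffer.concat([a.authData, sha256(a.clientDataJSON)]);
  if (!verify('sha256', signed, stored.publicKey, a.signature)) return 'bad-signature';
  const count = a.authData.readUInt32BE(33);
  if (count <= stored.signCount) return 'counter-regression';
  stored.signCount = count;
  return 'ok';
}

function demo() {
  const key = makeAuthenticator();
  const stored = { publicKey: key.publicKey, signCount: 0 };
  const challenge = randomBytes(32);
  const assertion = key.getAssertion(challenge, ORIGIN);
  return {
    login: verifyAssertion(stored, challenge, assertion),
    replay: verifyAssertion(stored, randomBytes(32), assertion), // old response, new challenge
    phish: verifyAssertion(stored, challenge, key.getAssertion(challenge, LOOKALIKE)),
  };
}
```

`demo()` returns `ok` for the genuine login, `bad-challenge` for the replayed response and `bad-origin` for the response produced on the look-alike site.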

WebAuthn is currently supported on Chrome, Firefox, Safari and Edge, and the fact that the companies that control the three major operating systems — Google, Microsoft and Apple — have all signed up in the last few years is “brilliant,” said Oosthuizen, who joined Entersekt as CIO in 2013.

The fact that the ecosystem is not limited to apps, and now includes browsers on PCs and mobile devices, means non-app-based consumers can also have a more secure login experience using biometrics.

“Whether you’re on a Windows machine, on a Mac, on an iPhone, or on an Android, you can benefit from your OS’s built-in security, enabling Apple’s Touch ID, your fingerprint sensor or Windows Hello to log in. And that means we’re able to get to a place where I can create an account and never even have to ask you your password. It’s possible.”

Potential for Non-Mobile Digital Payments Solutions

There is a global market potential for non-mobile digital payments solutions given the significant number of people who don’t trust digital devices and refuse to use a mobile phone.

It’s the reason why Entersekt recently partnered with PLUSCARD and Netcetera to launch the first FIDO-certified alternative to app-based authentication in Europe to secure online credit card payments without using a mobile device.

He said the rollout of the enhanced 3DS protocol (EMV 3-D Secure) is an exciting time in the payments environment; it “is the first time this technology has been used to secure a card payment from within a browser,” giving consumers shopping on a merchant’s site different options for authentication — either using their biometric information, an external hardware device like a FIDO security key or from a trusted browser on a PC.

“No more OTPs, no more having to use a secondary device or some other mechanism like a static password or a knowledge-based authentication,” he noted.

At the end of the conversation, Oosthuizen said he’s excited about the potential to create convergence and reach a point where it doesn’t matter what you do with your bank or how and where you decide to use the funds you have at your bank — there will always be a consistent way for you to protect that interaction.

He is also big on giving consumers the power to own their own decisions: “If it is indeed the person that wants to do that transaction, they feel in control to make the decision and they know that their bank values their security and gives them the option to participate in that decision.”