New User Authentication System Sets Stage for a Passwordless Future

With the longstanding 3D Secure (3DS) version 1 being readied for retirement in October 2022, financial institutions (FIs) and merchants are preparing for a streamlined authentication process more aligned with consumers’ expectations of the connected economy.

It’s a timely move. During the pandemic and resulting digital shift, card-not-present (CNP) fraud has risen apace with eCommerce growth itself, and consumers are demanding trustworthy, seamless online authentication experiences that also leverage smartphone capabilities.


Trust has never been more important because online fraud has never been this bad. New PYMNTS research finds that 71% of account holders like the idea of using biometric authentication, for example.

In a recent PYMNTS podcast, Jonathan Van der Merwe, product manager, payments at Entersekt, said, “What we’re seeing from fraudsters is a laser focus especially on card-not-present fraud. That’s really seeing an uptick. Other things that we see are still major data breaches and data leaks. That’s an ongoing concern and is one of those things that’s just sort of fueling things like online CNP fraud. At the same time, we’re seeing a lot of social engineering happening, and people just being conned out of their credentials.”

That hazardous fraud environment calls for more powerful forms of authentication, now taking the form of the new EMV 3DS 2.2 protocol overseen by EMVCo, the tech consortium collectively managed by American Express, Discover, JCB, Mastercard, UnionPay and Visa.

As Van der Merwe sees it, EMV 3DS 2.2 solves many of the frustrating problems consumers have learned to tolerate, while also making payments safer. 3DS 1 dates to 2001 and “only really catered to static passwords when it was designed. It didn’t take mobile devices into consideration. It didn’t take modern responsive web design into consideration,” he said.

“EMV 3DS has done away with that,” he said. “It’s built in things like modern cardholder authentication experiences [using] in-app push authentication that allows you to authenticate yourself using your banking app or your issuer’s mobile app.”

Bank-Grade Security, Platform Style

As passwords are traded out for biometrics, other, related tech is doing some of the lifting. Fast IDentity Online (FIDO) authentication is a crucial supporting technology in a passwordless future, and Entersekt added FIDO2 to its authentication suite in September.

Using the two, “your password is now your biometric fingerprint or your face ID. In the new EMV 2.3 version, there’s even support for things like a FIDO passwordless authentication, where you don’t even need an app anymore,” Van der Merwe said.

Explaining that these authentication upgrades keep friction low and security tight, he said that a primary objective of EMV 3DS is invisibility. Using EMV 3DS, transaction risk is rated as low for familiar behaviors, familiar devices and browsers, and established shopping patterns at certain merchants.

“That transaction is going to go through frictionlessly without you having to do anything … giving you that one-click payments experience, but it’s still secure. It’s still got banking grade authentication and security running in the background,” he said.

In-app authentication is another benefit of the new protocols, as is “no-app” authentication.

What Van der Merwe calls the technology for a passwordless future provides “an experience where they don’t even have to have the app, where the authentication … carries bank-grade security offered through the bank but that’s using the platform or the device that you’re authenticating on.”

An Invisible Transition to One-Click Security

Transitioning to the new EMV 3DS 2.2 protocol must itself be easy and not put off consumers who have gotten used to outmoded ways of identifying themselves online.

The new protocol still supports one-time password authentication via text, Van der Merwe said. And, “For many people, that’s a comfortable way to transition into the new protocol, so that will remain. But as these new authentication technologies get adopted … what you’ll start to see is that authentication experience will start to move into the background, and you just won’t be authenticated as much, payments will start to just go through.”

Issuers that get up to speed quickly will be able to offer a noticeably faster, easier online shopping flow without many of the regional snags and flags 3DS 1 is stuck in.

“When you’re doing something like in-app authentication where you just get a push notification, you click into the push notification, and it gives you deep detail with a beautiful UI of the payment that you’re busy authenticating directly within your banking app.”

Even in cases where a risk score calls for stepped-up security, “you just get prompted by the merchant to put your finger down on your device or your face ID works in union with the authentication method, and that’s FIDO kicking in,” he said.

“That is an immensely smooth and frictionless experience, even though you’re being stepped up, and the grade of security and authentication that’s being performed is higher than it’s ever been before.”
