Due to recent advancements in identity management, multifactor authentication (MFA) can facilitate mobile payments without compromising security. Version 4.0 of the Payment Card Industry Data Security Standard (PCI DSS), which included MFA as a crucial criterion, was released by the PCI Security Standards Council (PCI SSC) in March 2022. The FIDO Alliance improved its standard that month, making MFA less cumbersome in stores and online.
The flexible architecture and interpretive debates that influence next-generation commerce excite me as a journalist covering the payments sector. Security leaders discussed MFA from the standpoints of compliance and deployment in recent interviews. The notion that MFA may improve the customer experience with the appropriate framing and implementation is a major lesson from these discussions.
Changing to MFA
Emma Sutcliffe, senior vice president and standards officer at the PCI SSC, praised the contributors to PCI DSS v4.0 for their ideas and comments. She said that North America, Canada, Central America, Europe, and Asia Pacific were represented among the contributors, who included retailers, banking institutions, acquiring organisations, service providers, and vendors.
Sutcliffe said MFA was by far the most popular topic covered during the Council’s Request for Comment (RFC) phase. According to her, comments on PCI DSS Requirement 8—which addresses multifactor authentication, passwords, and authentication systems—were the most numerous. These comments asked questions about everything from MFA implementation to password best practices to how the authentication requirement compared with other established industry standards.
PCI DSS v4.0 makes MFA a requirement for anyone accessing the cardholder data environment (CDE), Sutcliffe explained, whether through servers, firewalls or networking gear. However, companies have two years to implement the new standard, she added, noting that the existing PCI DSS v3.2.1 is mature and robust enough to protect them during that lengthy transition.
Making MFA less tense
The largest problems with authentication, according to security professionals, arise when users switch between different devices, browsers, or platforms. The FIDO Alliance addressed this problem in March 2022 by improving the WebAuthn protocol and introducing a multidevice credential that could be used to authenticate users across various devices and browsers. The improvements were presented as phishing-resistant substitutes for password-based authentication in a white paper from March 2022 titled “How FIDO Covers a Wide Range of Use Cases.”
However, FIDO use cases at a lower level of security (such as password-only and phishable two-factor deployments) currently face the conventional security-versus-usability trade-off: for FIDO to provide improved security, the user must adopt a special-purpose authentication device (a security key), according to FIDO researchers. Because of this, “many dependent parties maintain a password-only mode for their users, or at most, provide phishable second factors.”
In order to better support authenticator implementations, particularly for platform authenticators that sync FIDO credentials across user devices, researchers mentioned the proposed improvements to WebAuthn that turn a user’s smartphone into a roaming authenticator. They asserted that this low-cost authentication technique is as common as passwords while being safer.
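As an added illustration (not code from the article or the FIDO white paper) of why a WebAuthn credential resists phishing: the relying party checks that the browser-supplied origin and the authenticator’s RP ID hash match its own, so a credential registered for one site cannot be exercised from a lookalike domain, whether it lives on a security key, a synced platform authenticator or a smartphone acting as a roaming authenticator. All names, origins and sample data below are constructed; signature verification is omitted to focus on the binding checks.

```python
import base64
import hashlib
import json
import struct

FLAG_UP = 0x01  # authenticatorData flag: user present
FLAG_UV = 0x04  # authenticatorData flag: user verified (PIN or biometric on the authenticator)

def b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def make_authenticator_data(rp_id: str, flags: int, sign_count: int) -> bytes:
    """Construct the 37-byte authenticatorData prefix: SHA-256(rpId) || flags || signCount."""
    return hashlib.sha256(rp_id.encode()).digest() + bytes([flags]) + struct.pack(">I", sign_count)

def make_client_data(origin: str, challenge: bytes) -> str:
    """Construct a base64url clientDataJSON as the browser would emit for a get() ceremony."""
    body = {"type": "webauthn.get", "challenge": b64url_encode(challenge), "origin": origin}
    return b64url_encode(json.dumps(body).encode())

def check_assertion_binding(client_data_b64: str, auth_data_b64: str,
                            expected_origin: str, expected_rp_id: str,
                            expected_challenge: bytes, require_uv: bool = True):
    """Return (ok, reason). Rejects assertions produced for another origin or RP ID,
    or against a stale challenge, before the signature is even examined."""
    client_data = json.loads(b64url_decode(client_data_b64))
    if client_data.get("type") != "webauthn.get":
        return False, "wrong ceremony type"
    if b64url_decode(client_data.get("challenge", "")) != expected_challenge:
        return False, "challenge mismatch (replayed or stale ceremony)"
    if client_data.get("origin") != expected_origin:
        # The browser fills in origin itself, so a lookalike site cannot spoof it.
        return False, "origin mismatch: %r" % client_data.get("origin")
    auth_data = b64url_decode(auth_data_b64)
    if len(auth_data) < 37:
        return False, "authenticatorData too short"
    if auth_data[:32] != hashlib.sha256(expected_rp_id.encode()).digest():
        return False, "rpIdHash mismatch: credential is scoped to a different RP ID"
    flags = auth_data[32]
    if not flags & FLAG_UP:
        return False, "user presence not asserted"
    if require_uv and not flags & FLAG_UV:
        return False, "user verification required but not performed"
    return True, "ok"
```

Setting `require_uv=False` accepts a user-presence-only touch, which is the “phishable second factor” level the white paper contrasts with full user verification.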
Global MFA deployment
The “Authenticate: The FIDO Fit in Commerce” virtual summit, which took place in the US and Europe on March 30 and 31, 2022, saw the publication of the FIDO Alliance white paper. I spoke with Manish Gupta, director of Starbucks’ global cybersecurity services, and Tola Dalton, director of eBay’s identity software development, during the event to get their opinions on passwordless authentication.
Gupta emphasised Starbucks’ dedication to developing user-friendly and secure identity solutions. In order to advance towards Zero Trust maturity, he said, “I’m driving adoption and implementation of passwordless solutions at Starbucks and behavioural authentication solutions. We see these advances in authentication as significant labour savings for both our staff and customers.”
Dalton noted that eBay was one of the first significant e-commerce companies to make WebAuthn available to millions of users as well as an early adopter of biometric authentication in its native app. “We have a sizable, established user base and are in the middle of our passwordless journey,” he said. “And I’m fervently committed to promoting our password-free vision and reaching what I perceive to be a watershed moment for authentication in the industry.”
One Tiny Step
As multifactor authentication becomes more smooth, agile, and intuitive, Gupta and Dalton concurred that authentication as a distinct phase is fading.
In Gupta’s opinion, merging authentication and payment into a single cognitive step is a step in the right direction, but getting there will require multinational corporations to deal with diverse cultural norms, geographic differences, and legal frameworks. He pointed out that, due to consumer privacy concerns, biometric legislation varies from state to state even within the United States. “So once more,” he added, “it’s not a [once-and-done]. Regulations vary, therefore you must always be up to date.”
Dalton agreed that the need for authentication as a separate step should be eliminated. He continued, “This is a theme I’ve heard from another colleague who stated if we’re doing our job with identification, we [need to] get out of the user’s way. Make it simple and intuitive, and persuade the consumer that this is indeed an easy login technique, if you want strong, passwordless authentication.”
With PCI compliance likely requiring multifactor authentication, improved MFA strategies will reduce risk, encourage consumer uptake, and streamline worldwide installations, benefiting the whole commerce value chain.
Dale S. Laszig, managing director, DSL Direct, is a payments industry journalist and content strategist. Follow her on LinkedIn at https://www.linkedin.com/in/dalelaszig/ and https://twitter.com/DSLdirect on Twitter.