Mastercard and Visa to kill off password authentication
Mastercard and Visa have announced plans to kill off the need for users to enter their passwords to confirm their identity
Mastercard and Visa have announced plans to ditch the need for customers to enter passwords as a means of confirming their identity.
Current systems – MasterCard SecureCode and Verified by Visa – are both based on the 3D Secure protocol, which was developed by Visa to reduce fraudulent credit and debit card transactions online.
It works by forcing people to enter a password into a pop-up window, so that the card issuer can confirm their identity before the transaction completes.
Retailers have been encouraged to adopt the protocol as it reduces the number of fraudulent chargebacks – money returned to the consumer from the retailer due to a fraudulent card transaction.
However, it is unpopular with online shoppers, because it requires them to use complex passwords that are easy to forget, and it can be difficult to tell whether the pop-ups themselves are legitimate or fraudulent.
Passwords are also inherently vulnerable: the same password is used repeatedly for authentication and can often be discovered via social media or other means, leaving the consumer exposed to fraudulent transactions.
Mastercard and Visa’s new ‘invisible’ authentication system, called 3D Secure 2.0, aims to tackle some of these issues by reducing the reliance on passwords as a means of verifying identity.
In the event that authentication is needed, cardholders will be able to identify themselves with the likes of one-time passwords or fingerprint biometrics, rather than committing static passwords to memory.
Mastercard is also piloting commercial tests for facial and voice recognition apps to authenticate cardholders, and conducting trials of a wristband which authenticates a cardholder through their unique cardiac rhythm.
“All of us want a payment experience that is safe as well as simple, not one or the other,” said Ajay Bhalla, president of enterprise security solutions at MasterCard.
“We want to identify people for who they are, not what they remember. We have too many passwords to remember and this creates extra problems for consumers and businesses.”
The new 3D Secure 2.0 protocol could be adopted in 2015 and it is hoped that it will gradually replace the current 3D Secure protocol.
Commenting on the news, Marta Janus, security researcher at Kaspersky Lab, said that – if implemented properly – the new protocol will not only be more convenient for users, but also much more secure.
“It’s pretty well known that passwords are severely flawed: weak ones are easy to remember and easy to guess; strong ones are hard to guess, but hard to remember,” she said.
“One-time passwords are already widely used and considered much safer than traditional ‘fixed’ passwords … combined with biometric checks, this will certainly make a strong alternative to any existing authentication method.”