In what amounts to eliminating password use and evolving the Verified by Visa and SecureCode online authentication processes, MasterCard says a new security protocol it is developing with Visa could be implemented next year.
MasterCard has been working on a system using richer cardholder data to eliminate static passwords in e-commerce for nearly two years. In the event an authentication challenge is needed, cardholders will be able to identify themselves through one-time passwords or fingerprint biometrics rather than committing static passwords to memory, MasterCard said in a Nov. 13 press release from its London office.
"All of us want a payment experience that is safe as well as simple, not one or the other," Ajay Bhalla, president of enterprise security solutions for MasterCard, said in the release. "We want to identify people for who they are, not what they remember. We have too many passwords to remember and this creates extra problems for consumers and businesses."
3D Secure, the password-based system used in Verified by Visa and SecureCode, came under fire during its inception more than a decade ago because of the various steps consumers had to take to initiate an e-commerce transaction. But recent improvements in the system have resolved some of those issues.
As part of its ongoing security development process, MasterCard said it would test facial and voice recognition applications as well as a wristband that can authenticate cardholders through their unique cardiac rhythm.
The collaboration between MasterCard and Visa to expand authentication "has been in the works for a while" and is working its way through MasterCard's rules-making process, said Julie Conroy, senior analyst and fraud expert with Boston-based Aite Group.
Making 3D Secure and other standards stronger "recognizes that the useful days of username/password as an authenticator are far behind us," Conroy said.
Over the past year, many issuers have added risk-based authentication to their e-commerce security screening, resulting in only 1% to 2% of transactions "that will actually get a stepped-up prompt" asking for more authentication, Conroy said.