The payment card company MasterCard has proposed authentication of online payments beyond passwords.
MasterCard says that its approach is to use richer cardholder data, which will result in far fewer password interruptions at the point of sale. In the event that an authentication challenge is needed, cardholders will be able to identify themselves with the likes of one-time passwords, or fingerprint biometrics, rather than committing static passwords to memory.
Ajay Bhalla, President of Enterprise Security Solutions, MasterCard said: “All of us want a payment experience that is safe as well as simple, not one or the other. We want to identify people for who they are, not what they remember. We have too many passwords to remember and this creates extra problems for consumers and businesses.”
A new protocol, being co-created with Visa, could be adopted in 2015 which would gradually replace the 3D Secure protocol.
The company points to an industry estimate that by 2018, payments on mobile devices are expected to represent 30pc of all online retail sales. The payment firms say that the new standard will move security infrastructure beyond the PC era. Other work by MasterCard to go ppassword-free include:
evolving its SecureCode to support the new standard
piloting commercial tests for facial and voice recognition apps to authenticate card holders; and
trials of a wristband which authenticates a cardholder through their unique cardiac rhythm.
Comments
Phil Turner, VP EMEA, Okta, said: “Between their work and personal accounts, consumers have a lot of user names and passwords to remember, each of which has different password requirements and expiration cycles. Add this to the hassle caused by constant password resets and remembering secret questions and it’s clear consumers need a way to make this process easier. The move to abolish passwords will no doubt be welcomed by customers. Today we have so many passwords to remember. As a result, most of us suffer from “password fatigue” where we use obvious or reused passwords often written down on Post-it notes or saved in Excel files on laptops.
“We’ve reached a point where user names and passwords alone are no longer good enough. We’ve long had single sign-on technologies to remove the complexity of remembering multiple passwords, but what if someone else gets a hold of that single user name and password? Not surprisingly, multi-factor authentication– which requires two or more factors to verify legitimacy of the user – has taken off and evolved pretty substantially in the past decade and we’re now seeing authentication methods becoming as personalised and specific to the individual as the experiences they’re trying to access.”
And Marta Janus, security researcher at Kaspersky Lab, said: “It’s pretty well known that passwords are severely flawed: weak ones are easy to remember and easy to guess; strong ones are hard to guess, but hard to remember. So the move from Mastercard and Visa is definitely an interesting one.
“It’s a really good approach and, if implemented properly, the new protocol will not only be way more convenient for users, but also much more secure. One time passwords are already widely used and considered much safer than traditional “fixed” passwords, even if it’s still possible for cybercriminals to obtain and use them. But, combined with biometric checks, this will certainly make a strong alternative to any existing authentication method.”
