How frictionless authentication works in online payments

How frictionless authentication works

Under the 3DS2 security protocol's risk-based authentication model, if the system determines a transaction to be low risk, it authenticates the payment without requiring further action from the user.

If a transaction's risk level rises above a certain threshold, however, the retailer's website requires the customer to complete additional authentication methods, such as providing a one-time password (OTP) sent via text message or approving the payment through a banking app push notification.

Frictionless authentication relies heavily on AI and machine learning to accurately gauge the risk of each transaction in real time. These calculations happen based on a variety of factors, including device fingerprint, user behavior and transaction information.

In the frictionless model, only relatively high-risk transactions are subject to additional authentication challenges.

Device fingerprint

Frictionless authentication software collects information about users' devices, such as OS versions, browser versions, IP addresses and installed hardware. The technology can then use this information to identify suspicious or unusual behavior.

For example, while users making purchases from their home IP addresses might be allowed to complete single-click transactions, a user attempting to make a purchase from another country would likely need to participate in additional authentication challenges.

User behavior

With AI and machine learning, frictionless authentication programs can establish an individual user's unique behavioral patterns, such as mouse movements, typing speed and other characteristics. This information, in tandem with device data, forms a unique digital fingerprint that can serve as an invisible authentication factor.

Frictionless authentication also looks at behavioral context. For example, is a user browsing from a typical location at a usual time of day? If not, the system can choose to require the user to complete additional authentication steps, such as providing an OTP or approving a push notification.

Transaction information

Frictionless authentication systems often consider transaction records to determine relative risk. For example, an existing user with a clean payment history is inherently less risky than a new, unfamiliar user.

The characteristics of an individual transaction, such as total transaction value, shipping address and types of items purchased, also inform risk levels. The system can consider these factors, together with user behavior and device patterns, to decide whether to automatically process a payment or require further authentication.

Benefits of frictionless authentication in online payments

The most important benefit of frictionless authentication is a user-friendly checkout process and a better, more seamless customer authentication experience.

Better UX creates a competitive advantage, as the customer is more likely to complete purchases and return in the future if a payment process is smooth and efficient.

A frictionless, secure authentication process also has fraud prevention benefits because it identifies and blocks risky and potentially criminal transactions.

Challenges of frictionless authentication in online payments

Implementing frictionless flow authentication technology and integrating it with existing systems can prove technically complex.

It also incurs additional costs, both in terms of implementation and authentication provider fees.

Finally, if the system incorrectly identifies a legitimate transaction as risky or fraudulent, it could create undue friction and frustration. If the user is unwilling or unable to complete additional authentication challenges, this could result in a lost transaction and a lost customer.

Rob Shapland is an ethical hacker specializing in cloud security, social engineering and delivering cybersecurity training to companies worldwide.

Alissa Irei is senior site editor of TechTarget Security.