How frictionless authentication works in online payments

Online retailers face a challenge: Make the payment process quick and easy for legitimate customers but not for fraudsters. Frictionless authentication can help.

Frictionless authentication is a risk-based approach to online payment processing that aims to streamline verification of legitimate customers' identities, while detecting and preventing fraudulent transactions in real time. The goal is to improve UX and maintain strong security.

Traditional, high-friction authentication methods require e-commerce customers to take extra steps to prove they are who they say they are. That might mean signing into a merchant's website with a unique username and password or with biometric authentication, completing MFA steps, or manually entering credit card information for each transaction.

In contrast, frictionless authentication for online payments -- commonly deployed through the 3D Secure 2.0 (3DS2) security protocol -- happens largely in the background and is often invisible to the user. In the frictionless model, only relatively high-risk transactions are subject to additional authentication challenges.

How frictionless authentication works

Under the 3DS2 security protocol's risk-based authentication model, if the system determines a transaction to be low risk, it authenticates the payment without requiring further action from the user.

If a transaction's risk level rises above a certain threshold, however, the retailer's website requires the customer to complete an additional authentication step, such as providing a one-time password (OTP) sent via text message or approving the payment through a banking app push notification.

Frictionless authentication relies heavily on AI and machine learning to accurately gauge the risk of each transaction in real time. These calculations happen based on a variety of factors, including device fingerprint, user behavior and transaction information.

Device fingerprint

Frictionless authentication software collects information about users' devices, such as OS versions, browser versions, IP addresses and installed hardware. The technology can then use this information to identify suspicious or unusual behavior.

For example, while users making purchases from their home IP addresses might be allowed to complete single-click transactions, a user attempting to make a purchase from another country would likely need to participate in additional authentication challenges.

User behavior

With AI and machine learning, frictionless authentication programs can establish an individual user's unique behavioral patterns, such as mouse movements, typing speed and other characteristics. This information, in tandem with device data, forms a unique digital fingerprint that can serve as an invisible authentication factor.

Frictionless authentication also looks at behavioral context. For example, is a user browsing from a typical location at a usual time of day? If not, the system can choose to require the user to complete additional authentication steps, such as providing an OTP or approving a push notification.

Transaction information

Frictionless authentication systems often consider transaction records to determine relative risk. For example, an existing user with a clean payment history is inherently less risky than a new, unfamiliar user.

The characteristics of an individual transaction, such as total transaction value, shipping address and types of items purchased, also inform risk levels. The system can consider these factors, together with user behavior and device patterns, to decide whether to automatically process a payment or require further authentication.
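To make the risk-based decision concrete, the following example pulls the three signal groups above (device fingerprint, user behavior and transaction information) into a single score and applies a threshold to choose between the frictionless path and a step-up challenge. It is an added illustration, not code from the article or from any 3DS2 implementation; the profile, checkout values, point weights and the `CHALLENGE_THRESHOLD` of 50 are all constructed for the example, and a real deployment would replace the hand-written rules with a trained model fed by the signals an access control server actually receives.

```python
"""Toy risk-based (adaptive) authentication decision for an online payment.

Added illustration; all profile and transaction values are constructed sample
data, and the weights and threshold are hypothetical policy choices.
"""
from dataclasses import dataclass

# Assumed policy constants (hypothetical values chosen for the example).
CHALLENGE_THRESHOLD = 50           # scores at or above this trigger step-up auth
MAX_REASONABLE_VALUE_MULTIPLE = 3.0


@dataclass
class UserProfile:
    """What the merchant already knows about a returning (or new) customer."""
    user_id: str
    known_device_ids: frozenset
    home_country: str
    usual_hours: frozenset          # local hours of day the user normally shops
    baseline_typing_cps: float      # characters/second seen at past checkouts
    successful_orders: int
    typical_order_value: float
    known_shipping_addresses: frozenset


@dataclass
class Transaction:
    """Signals collected in the background during one checkout."""
    user_id: str
    device_id: str
    country: str
    hour: int
    typing_cps: float
    amount: float
    shipping_address: str
    high_risk_category: bool        # e.g. gift cards or easily resold goods


def score_transaction(profile: UserProfile, tx: Transaction):
    """Return (risk_score, reasons). A higher score means a riskier checkout."""
    score = 0
    reasons = []

    # Device fingerprint: unfamiliar device or a country other than the home one.
    if tx.device_id not in profile.known_device_ids:
        score += 30
        reasons.append("unknown device")
    if tx.country != profile.home_country:
        score += 35
        reasons.append("country differs from home country")

    # Behavioural context: unusual time of day, or typing rhythm far from baseline.
    if tx.hour not in profile.usual_hours:
        score += 10
        reasons.append("unusual time of day")
    if profile.baseline_typing_cps > 0:
        deviation = abs(tx.typing_cps - profile.baseline_typing_cps) / profile.baseline_typing_cps
        if deviation > 0.5:
            score += 15
            reasons.append("typing rhythm deviates from baseline")

    # Transaction information: new user, outsized amount, new address, risky goods.
    if profile.successful_orders == 0:
        score += 20
        reasons.append("no payment history")
    if profile.typical_order_value > 0 and tx.amount > MAX_REASONABLE_VALUE_MULTIPLE * profile.typical_order_value:
        score += 20
        reasons.append("amount far above typical order value")
    if tx.shipping_address not in profile.known_shipping_addresses:
        score += 15
        reasons.append("new shipping address")
    if tx.high_risk_category:
        score += 10
        reasons.append("high-risk product category")

    return score, reasons


def decide(profile: UserProfile, tx: Transaction) -> dict:
    """Frictionless approval below the threshold, otherwise require a challenge."""
    score, reasons = score_transaction(profile, tx)
    decision = "frictionless" if score < CHALLENGE_THRESHOLD else "challenge"
    # The challenge itself (SMS OTP, banking-app push) is run by the issuer;
    # this decision only records that one is required and why.
    return {"decision": decision, "score": score, "reasons": reasons}


# Constructed sample profile and two checkouts for the same customer.
ALICE = UserProfile(
    user_id="alice",
    known_device_ids=frozenset({"dev-home-laptop", "dev-phone"}),
    home_country="GB",
    usual_hours=frozenset(range(18, 23)),
    baseline_typing_cps=4.0,
    successful_orders=12,
    typical_order_value=40.0,
    known_shipping_addresses=frozenset({"1 Example Street, London"}),
)

ROUTINE_CHECKOUT = Transaction(
    user_id="alice", device_id="dev-phone", country="GB", hour=20,
    typing_cps=4.2, amount=35.0, shipping_address="1 Example Street, London",
    high_risk_category=False,
)

SUSPICIOUS_CHECKOUT = Transaction(
    user_id="alice", device_id="dev-unknown", country="BR", hour=4,
    typing_cps=9.0, amount=400.0, shipping_address="99 Unknown Road, Sao Paulo",
    high_risk_category=True,
)

if __name__ == "__main__":
    for checkout in (ROUTINE_CHECKOUT, SUSPICIOUS_CHECKOUT):
        print(decide(ALICE, checkout))
```

The routine checkout scores 0 and is approved with no user interaction; the second one accumulates points from every signal group and is routed to a challenge. The reasons list is what a fraud team would review when tuning the weights: raising the threshold reduces false positives (the lost-customer problem discussed under challenges) at the cost of letting more risky transactions through unchallenged.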

[Figure: chart showing the frictionless flow process in adaptive MFA.]
Also known as adaptive MFA, a risk-based MFA process involves dynamically assessing a user's risk level and tailoring authentication requirements accordingly.

Benefits of frictionless authentication in online payments

The most important benefit of frictionless authentication is a user-friendly checkout process and a better, more seamless customer authentication experience.

Better UX creates a competitive advantage, as the customer is more likely to complete purchases and return in the future if a payment process is smooth and efficient.

A frictionless, secure authentication process also has fraud prevention benefits because it identifies and blocks risky and potentially criminal transactions.

Challenges of frictionless authentication in online payments

Implementing frictionless flow authentication technology and integrating it with existing systems can prove technically complex.

It also incurs additional costs, both in terms of implementation and authentication provider fees.

Finally, if the system incorrectly identifies a legitimate transaction as risky or fraudulent, it could create undue friction and frustration. If the user is unwilling or unable to complete additional authentication challenges, this could result in a lost transaction and a lost customer.

Rob Shapland is an ethical hacker specializing in cloud security, social engineering and delivering cybersecurity training to companies worldwide.

Alissa Irei is senior site editor of TechTarget Security.