Two-Factor Authentication

Two-factor authentication (2FA) or multi-factor authentication (MFA) are security mechanisms. Two (2FA) or multiple (MFA) methods of proving the user’s identity are required to access an account or platform. Instead of using just a single password, a second code or confirmation step is required, often using another device such as a smartphone. Additional authentication methods can take several forms: something the user knows (password), something the user has (smartphone, token) and something that the user is (biometric authentication using fingerprint or face recognition). By combining multiple authentication methods, MFA offers an increased level of security and thus protects against unauthorized access of sensitive data or resources.

MFA is also a requirement for “Strong Customer Authentication” (SCA), which is mandated by the EU’s Payments Service Directive (PSD2) and applies within the EEA and UK. MFA is mandated to increase the security of electronic payments. SCA requires two or more authentication methods.

2FA plays an important role in securing payments by providing an additional layer of security that makes it more difficult for malicious actors to access accounts or initiate fraudulent transactions. Even if an attacker gains access to the password, they still require the second factor in order to log in and initiate a payment. This makes gaining access far harder, increasing the security of payment processes, particularly online.

Furthermore, the owner of the account is directly informed that a third party has attempted to log in to their account, allowing the owner to change their password.

This increased security reduces the risk of payments fraud and chargebacks, safeguards the reputation of businesses and increases trust among consumers that their payment data is secure. Two-factor authentication can thus help minimize financial losses due to fraudulent activities and safeguard the integrity of payment systems.

Two-factor authentication for payments can use different types of authentication methods to verify the identity of the consumer and increase transaction security. Typical factors include something the customer knows (e.g. a password or PIN), something the customer has (e.g. a smartphone or smartcard) and something that the customer is (e.g. biometrics like fingerprints or face recognition). This increases security, as even if one factor is compromised, the attacker still needs to circumvent the second factor. The wide range of available methods allows merchants to customize their payment systems to meet the needs of their consumers.

Card schemes like Mastercard and Visa often use their own MFA methods to increase security. One example is Visa Secure. For each online transaction, Visa Secure verifies the identity and creditworthiness of the cardholder by establishing a secure connection between the online shop and the issuing bank. The customer is asked to enter their password to confirm their identity. This protects cardholders from fraud, while also protecting merchants by guaranteeing that they will receive payment.

Complying with requirements such as PCI DSS has a significant impact on the implementation of two-factor authentication in payment systems for merchants. PCI DSS outlines stringent security standards for processing, storing and transferring card data, in order to safeguard the security of transactions and prevent fraud. PCI DSS requires merchants to implement additional security measures like two-factor authentication. This helps merchants reduce the risks of fraud, ensure they comply with data protection regulation, increase trust among their customer base and avoid sanctions or fines imposed for non-compliance.

While two-factor authentication (2FA) is generally viewed as a very secure method of protecting accounts, it can still be compromised. Merchants should ensure that the 2FA method they are using effectively protects consumers without being a significant burden. The following measures can help reduce the risks of an account being compromised:

• Strong authentication methods: Some authentication methods like SMS codes are more easily compromised than others. More secure methods like authentication apps and physical security keys can reduce this risk, especially regarding phishing attempts.

• Active monitoring: Merchants should implement systems that monitor and identify suspicious activity, in particular regarding the authentication of customers. This could include logging authentication events and monitoring anomalies in order to identify potential attacks at an early stage.