As part of its ongoing collaboration with the FIDO Alliance, EMVCo has recently published a white paper that outlines how the use of FIDO Authentication Data in 3DS messages can streamline e-commerce checkout while reducing friction for consumers. In this Q&A post, EMVCo Director of Technology, Bastien Latge, provides insights into this new resource and how EMVCo and FIDO are working together to provide simpler and stronger authentication for cardholders.
What is the focus of the ‘Use of FIDO Data in 3DS Messages’ white paper?
Bastien Latge: The EMV® 3DS Specification promotes secure, consistent consumer e-commerce transactions across browser and in-app channels, while optimising the cardholder’s experience. It includes support for the FIDO Authentication protocol, and specifically for data elements to promote communication of pre-checkout authentication events and associated data as part of the EMV 3DS transaction from systems such as those supporting the FIDO Alliance standards.
The white paper provides guidance to merchants and card issuers on how FIDO Authentication data can be used to attest (provide evidence) that merchant-initiated strong consumer authentication has taken place prior to an EMV 3DS flow to authenticate. This can reduce the need for issuers to authenticate cardholders for every transaction when shopping online and streamline processes for merchants, consumers and card issuers.
Can you briefly explain the role of FIDO authentication data in an EMV 3DS transaction?
Bastien Latge: In many e-commerce purchases, the user journey begins with a merchant-initiated authentication. This could be for a user login (user identification) or at the time of initiating check-out for an e-commerce transaction.
When merchants use strong authentication methods such as FIDO Authentication, the data or details regarding the authentication can be valuable to the issuer performing authentication of a cardholder using an EMV 3DS flow.
What value does the paper bring to the payments industry?
Bastien Latge: The paper provides important information on how FIDO Authentication Data can be used to attest that merchant-initiated strong consumer authentication has taken place prior to an EMV 3DS transaction, which can improve approval rates for e-commerce merchants, reduce friction for consumers and enhance the user experience.
Using FIDO authentication data, merchants can deliver a structured set of data elements and present the card issuer with a consistent set of values for the same user or device (along with other data they would receive as part of an EMV 3DS flow), thereby reducing the need for repeated consumer authentication and increasing the probability of a frictionless experience for cardholders.
What was the driver for developing this white paper?
Bastien Latge: We see a strong desire from the payments industry to better understand how EMVCo’s Specifications align with and complement the work of bodies such as FIDO Alliance. Specifically, this white paper was developed to address the need for guidance on how FIDO Authentication data can be used by issuers to analyse merchant-initiated FIDO Authentication as part of their risk evaluations.
In addition to this white paper, how is EMVCo working with the FIDO Alliance, and what is the objective of this collaboration?
Bastien Latge: EMVCo and the FIDO Alliance began working together in 2016 with the goal of providing simpler and stronger authentication for cardholders making mobile payments using on-device authenticators, such as biometrics, thereby reducing consumer fraud globally while maintaining a good consumer experience.
The initiative enabled us to effectively combine EMVCo’s payment industry knowledge with FIDO Alliance’s authentication expertise to support cardholder verification methods that are convenient for the user, sustainable for the industry and most importantly, highly secure, thereby reducing consumer fraud in the mobile payment space.
We expanded the collaboration in 2018 to define how EMV 3DS messages may be used to pass FIDO authenticator attestation data and signatures in a manner that is both scalable and interoperable across the EMV payments ecosystem.
The ‘Use of FIDO Data in 3DS Messages’ white paper is the first of a number of use cases that EMVCo and FIDO Alliance have evaluated for collaboration opportunities. Looking to the future, additional future use cases will include receiving additional data from FIDO authentications that issuers could cryptographically verify, using FIDO Authentication as an EMV 3DS challenge method.
A complementary technical note from the FIDO Alliance, “FIDO Authentication and EMV 3-D Secure: Using FIDO for Payment Authentication” can be found on the FIDO Alliance website.