3DS Authentication: The Right Balance Between Security and UX
In a world that seems ever more risky - with digital scam artists everywhere you look, and ransomware in seemingly every other news report - making security as impenetrable as possible is at the top of many merchants’ to-do lists. Given that this is a benefit for merchants and consumers alike, this is an admirable intention; but the reality for many security programs, 3D Secure included, is that poor implementation can result in a negative customer experience, potentially reducing the merchant’s revenue potential and spoiling the customer’s day. It is critical, therefore, to get the balance right.
What is 3D Secure Authentication?
3D Secure authentication, also known as 3DS, is an extra layer of security injected into card-not-present transactions to help protect against scammers and digital criminals. As its name suggests, it uses a third domain in the payment process to act as an additional check that the payment is properly authenticated: essentially, even after the user has entered the correct cardholder information, and the payment system has completed its initial security checks, the consumer then enters a secret password into a third location, usually either a popup or an extra iframe on the payment page. This design, of course, could deliver a user experience that was both unfamiliar and, in some cases, intimidating and suspicious: introducing an additional step was clunky and peculiar, and, in the early years, a significant decelerator in transaction completion.
What is User Experience and Why Does it Matter?
User experience is how we describe the steps a user goes through to achieve a particular goal. For instance, the user experience of using an app like, say, Venmo, to send money is
- Open app
- Enter the handle, or scan the QR, of the person
- Verify that that is the right person
- Enter the amount you want to send, and specify whether it is for business or personal purposes
- Confirm (or enter a new) bank account from which to send the funds
- Swipe to send
Creating such a smooth experience, intuitive for regular and irregular app users, takes hours of research, design, coding, testing, and re-coding. Eliminating unnecessary steps while simplifying necessary ones is one of the key predictors of success for apps that aim to serve a broad public.
By contrast, poor user experience will not only irritate the user, it will actively reduce the success potential of the app or system. One of the reasons that Amazon took off in its earlier years, for instance, was the addition of the one-click purchase process (in which the company, unlike others, was able to use a stored credit card to close a transaction immediately), an innovation so meaningful and powerful that the company was able to patent it and force other businesses to pay licensing fees until 2017.
How is User Experience Damaged by 3D Secure Authentication?
From the beginning, 3DS was marred by its low-design implementation: consumers were redirected to a basically empty screen, showing the card network logo and a couple of fields in which to enter a user name and password. Worse, if they hadn’t already signed up for 3DS, there was a link to take them to a registration process - which felt like a risky thing to do in a window the customer didn’t even recognize. As a result, a variety of studies suggested that over 20% of all transactions that went through 3DS failed.
Over time, of course, consumers became accustomed to 3DS - everyone, by some point, had registered, and also recognized the interstitial pages, reducing at least the psychological friction. Nonetheless, knowing that every additional step negatively impacts transaction success, its presence can be a drag on sales if merchants don’t design around it.
3DS 2.0 Improves User Experience While Maintaining Security
It’s no surprise to find that 3DS has a pretty bad name in the merchant community, given the damage it did to revenues in its first few years - and it is therefore hardly a shock that the announcement of a new generation, 3DS 2.0, has not been met with thundering applause.
However, the best way to strike a balance between security and the user experience is to pay very close attention to the details of 3DS 2.0, which has thrown aside some of the clunky elements of its first-generation ancestor, and offers modern options like
- Using biometrics instead of passwords - so you can use the same thumbprint you use to unlock your computer at the beginning of the day instead of having to remember and accurately type in a complex password
- Risk-based authentication - basically, instead of using the sledgehammer of checking everything over a particular size or from a particular vendor, 3DS 2.0 can be invoked (or not) by the issuing bank based on their own risk evaluation
- Mobile compatibility - recognizing that business happens more on small screens than ever before, 3DS 2.0 allows a native experience that avoids opening new browser windows in favor of using standard interfaces to, for instance, use FaceID or similar to validate the consumer’s identity
The best way to strike the balance between security and user experience, then, is to commit to the 3DS 2.0 experience.
The Right Environment for 3DS 2.0
Not all payment service providers (PSPs) implement 3DS 2.0 the same way, and some don’t offer it at all, so it’s important to ensure that your PSP offers the right service. This is also a great reminder to review your payment system for resilience and flexibility: using a single payment provider introduces risk above and beyond what 3DS can help with, as that one partner represents a single point of failure. And, indeed, the 3DS 2.0 situation is a reminder that there will inevitably be a 3DS 3.0 at some point, so the ability to flex, rearrange, and reconfigure your payment partners is vital.
Just as merchants are upgrading to 3DS 2.0, so they are upgrading to programmable payment vaults, such as the one offered by Basis Theory, to put flexibility into their payment processes, while keeping the majority of their systems outside of expensive PCI-DSS scope. With a token vault, cardholder data is protected in motion and at rest, and can be submitted to the merchant’s preferred payment partner at will - empowering the merchant to access the best of 3DS 2.0 without suffering the lock-in of a full-service PSP.