3D Secure is the extra layer of security placed on many online card payments, underlying systems such as MasterCard SecureCode, Verified by Visa, and American Express SecureKey.
Originally developed by Visa, the 3D Secure protocol has been widely disliked for years, recently described by media celebrating its potential downfall as “hated” and by academic researchers as “a textbook example of how not to design an authentication protocol.”
Its requirement for complex passwords and erratic behaviour patterns irritated end users, while the use of pop-ups and later iframes from third-party sites worried security experts.
Development of the new system is being jointly led by MasterCard and Visa, and promises to “utilise richer cardholder data”, opening up opportunities for all sorts of second-factor authentication options.
Exactly how it will work and what sorts of second factors may be supported remains to be finalised, but MasterCard’s news release mentions one-time passwords and fingerprints.
Using aspects of your body to identify you would make authentication processes smoother, although the wisdom of using something you cannot change is regularly questioned.
One-off passwords, coming from a code-generating dongle or app or sent to your phone as an SMS, interrupt the flow of things a little more but also provide decent security.
The problem with most of these in the past has been their reliance on additional technology. While you can carry passwords around in your head, fingerprints and heartbeats need to be read by something, and computer-generated codes need to be generated by something. You’d then need that something to hand any time you wanted to make a payment online.
This problem is slowly being overcome by our mobile devices. The most basic cellphone can provide SMS-based codes, smartphones can handle code-generating apps easily, and higher-end models now all have inbuilt fingerprint readers, so many of these options will be available to many people much of the time.
Still, of course, there’s the issue that not everyone will be on board. Not everyone has even a “dumbphone”, and those who do don’t always have charge or signal. Not everyone would be willing to deal with one-off codes, and for now at least, only a small minority would want to wear a bio-sensing device at all times.
So the death of passwords may still be some way off. As MasterCard puts it, the system “could be adopted in 2015” and will “gradually replace” the existing model, meaning the change will take some time even if it’s adopted soon. It even says it expects “far fewer prompts for passwords”, rather than none at all.
The new model is expected to run alongside the current one, for a while at least, and adoption is likely to be led by the wealthier and more tech-savvy, who tend to be less at risk from fraud in the first place.
So, it’s unlikely that the cybercrooks will be rethinking their target list any time soon, but it’s good to see some signs of progress towards retiring an old and sloppily implemented security paradigm.