Online shops fear 2FA at checkout will increase abandoned carts

You’re sitting at your computer when it occurs to you that you really need to buy more tube socks, so you click yourself on over to and fill your cart full of socks.

But wait, what’s this? You’re being asked for another sign of authentication before you can check out? Why, that means you have to get up! You need to go get your phone for that one-time PIN! And that darn phone is all the way over there! Well, just forget it, you say, and yet another abandoned cart gets added to the heaps of can’t-be-bothered purchase exhaustion that’s (reportedly) the stuff of online merchant nightmares.

Well, that’s the dystopian, dys-profitable e-commerce future envisioned by Stripe, at any rate. Stripe, maker of online payment technology, recently commissioned research from 451 Research. Based on input from 500 businesses and 1,000 consumers, 451 Research concluded that the EU’s online economy risks losing €57 billion (US $64.6 billion) when Strong Customer Authentication (SCA) goes into effect on 14 September 2019 and ushers what will potentially be forget-the-socks-inducing friction into the checkout process.

SCA is all about protecting consumers by clamping down on fraud. One of the new requirements of the second Payment Services Directive (PSD2) that was passed by the EU in November 2015, it involves introducing additional authentication into online checkout. That can be as simple as a one-time PIN code generated by, say, a text message, by a code generator with an authenticator app such as Sophos Authenticator, or it could be fingerprint confirmation on those devices that support it.

Here’s the definition of SCA from the current guidelines published by the European Banking Authority (EBA), the EU body tasked with supervising and regulating the banking sector:

Strong customer authentication is, for the purpose of these guidelines, a procedure based on the use of two or more of the following elements – categorised as knowledge, ownership and inherence: i) something only the user knows, e.g. static password, code, personal identification number; ii) something only the user possesses, e.g. token, smart card, mobile phone; iii) something the user is, e.g. biometric characteristic, such as a fingerprint. In addition, the elements selected must be mutually independent, i.e. the breach of one does not compromise the other(s).

At least one of the elements should be non-reusable and non-replicable (except for inherence), and not capable of being surreptitiously stolen via the internet. The strong authentication procedure should be designed in such a way as to protect the confidentiality of the authentication data.

Reducing the security of online payments is a laudable goal, the 451 Research report agreed, but yikes, we’re going to be looking at a lot of transactions declined by banks:

While these objectives are laudable, SCA brings with it deep consequences for the customer experience and a far-reaching impact on Europe’s online economy. Online businesses that fail to abide by these requirements to build additional authentication into their checkout flow will see a dramatic drop in approvals as banks become obligated to decline their transactions outright.

We heartily support SCA

This will come as no shocker: at Naked Security, we believe that anything that makes fraud harder is to be applauded.

“The best way to approach this whole issue is for us all to agree to ditch the word ‘frictionlessness’ from our cybersecurity jargon,” said our very own Paul Ducklin…

I’m not suggesting that we make online spending so hard that no one wants to do it, but if €57 billion of turnover really does pivot on keeping online payments stripped back to a single, effortless click, then we’re softening up a whole generation of young computer users to the idea that cybersecurity is ‘someone else’s problem’ to be solved entirely behind the scenes. We’d do better to embrace an online world where the motto ‘Stop. Think. Connect’ is the one we live by.

If you’d like to learn more about two-factor authentication (2FA), we’ve got you covered. Read on!

Learn more about two-factor authentication

(Audio player above not working? Download or listen on Soundcloud.)