Authentication in the payments space is continuously evolving.
But one constant is that any innovation needs to strike a winning balance between enhancing security and improving user experience.
“Identity theft, phishing and data breaches have all become more prevalent. So, more robust authentication has become crucial to ensuring that the person is the right person involved in a transaction, that they are who they claim to be,” Mike Storiale, vice president of innovation development at Synchrony, told PYMNTS for the series “What’s Next in Payments: Authentication: What’s New and What’s Next?”
Traditionally, payment authentication has revolved around three tenets: something the user knows (passwords), something the user has (cards or phones), and something the user is (biometrics like fingerprints or facial recognition).
However, the landscape is changing rapidly, with multifactor authentication gaining prevalence, and the benefits of modern approaches, including biometrics and tokenization, increasingly contrast favorably against more traditional, probabilistic methods like card and phone verification.
“There’s been a lot of advancements in technology,” Storiale said. “We are trying to get to a point where we know the customer more deterministically as they move through their payment journeys. Customers expect personalization. They expect that we know them. And with fraud as an ever-present threat, we’ve got to get better at knowing who the customer is to avoid false positives and combat fraud at the exact same time. It’s a delicate balance.”
Staying ahead of these trends requires a proactive approach, including ongoing investment in cybersecurity, collaboration with industry partners and staying informed about regulatory changes.
Read also: Anti-Fraud Measures Need to Work at the Speed of Instant Payments
Striking the right balance between convenience and security is of paramount importance and lies at the core of payment authentication’s ongoing advances.
But transactions vary, and what is the appropriate authentication solution for one occasion may not be the best fit for another.
“A username and password are something that consumers understand,” Storiale said. “They’re looking for fast, seamless options. So, we’re always trying to find this balance between speed and effectiveness. And honestly, adoption of some new methods is difficult simply because it requires education.”
Despite the need for robust authentication, passwords still play a significant role as a security tool, he said.
Still, just as QR codes gained popularity and broke through a longstanding adoption ceiling during the pandemic with education, Storiale gave passkeys as an example of an authentication method whose adoption could benefit from a critical mass of education across the end-user space.
What matters most when it comes to authentication innovation is, as it always has been, striking the most effective balance between security, which often entails friction, and convenience, which often means speed but brings risk.
“Ten years ago, I would’ve said frictionless is the way to go,” Storiale said. “And yet, in my role in innovation development, we test products a lot, and we learned years ago that friction can have a real benefit for consumers.”
In certain instances — like sending a high-value transaction — consumers and businesses might not feel comfortable without some element of authentication, he said.
“We need to be intentional when friction is used,” he said. “… This goes back to being more deterministic with who a user is. We want to make sure we have pieces of the puzzle and that we’re stepping up at the appropriate times for the appropriate transactions and not becoming overbearing.”
Biometrics, such as fingerprints and facial recognition, can be valuable tools in identifying users seamlessly. Storiale emphasized that no single technology can address all risks and fraud in payments.
“Most consumers don’t use just a single device every single day,” he said.
Instead, multiple factors, including biometrics, need to be considered to form a complete picture of risk. The challenge lies in whether consumers will adopt cross-brand solutions that require storing data, considering the growing concerns about data privacy.
“The industry is on a journey to passwordless, but that’s certainly not going to mean authentication-less,” said Storiale. “Balancing convenience and security are going to lead to a hybrid approach. The uniqueness is that we might start to see things where less critical tasks are going to be passwordless.”
By being intentional with friction and step-up methods, the industry can provide a seamless yet secure authentication process that meets the needs of both users and service providers.
“It’s about finding the balance based on the specific security requirements of each and every use case, and the personalization each customer expects,” Storiale said.