About The Blog

Debate at the intersection of business, technology and culture in the world of digital identity, both commercial and government, a blog born from the Digital Identity Forum in London and sponsored by Consult Hyperion



  • Add to
Technorati Favorites


  • Creative Commons

    Attribution Non-Commercial Share Alike

    This work is licensed under a Creative Commons Attribution - Noncommercial - Share Alike 2.0 UK: England & Wales License.

    Please note that by replying in this Forum you agree to license your comments in the same way. Your comments may be edited and used but will always be attributed.

« Mobile eye-D | Main | Children and identity theft »

Authentication in 3D

By Dave Birch posted Nov 14 2008 at 2:04 PM
[Dave Birch] Over on Digital Money there's been some discussion about the current state of, and future of, the 3D Secure (3DS) authentication schemes used by Visa and MasterCard to add security to online transactions (under the brand names Verified by Visa and SecureCode). One the problems with the deployment of these services was that customers didn't really understand the technology and were confused by the sign-up and usage processes. Now the schemes have responded with a raft of efforts to make 3DS more effective.

The research highlighted that consumers wanted to be certain that Verified by Visa was part of the purchase process. A key feature of the new user interface is that the consumer does not leave the merchant site during the identity checking process; instead the Verified by Visa authentication window appears as an overlay on top of the merchant page.

[From Verified by Visa Europe upgraded to improve cardholder experience]

MasterCard has also come up with a way to make 3DS more palatable to consumers and merchants alike.

To date, all e-commerce purchases on Maestro cards leverage MasterCard® SecureCode™ authentication to ensure the highest security for payment card transactions. The Maestro Advance Registration Program™ enables select online merchants to accept Maestro cards for e-commerce transactions by using SecureCode™ to enroll the customer during the first transaction. Subsequent purchases the same customer makes at the merchant web site using the same Maestro account can now be processed without MasterCard SecureCode authentication, making repeat buying both convenient and fast.

[From MasterCard Unlocks Maestro Debit Card Acceptance on the Internet with Maestro Advance Registration Program | MasterCard®]

I'm interested in these efforts because if banks found a way to make 3D Secure authentication effective, painless and ubiquitous then it would make sense for other organisations to pay the banks to provide that authentication services to them, rather than build their own versions. In these circumstances I could well imagine using my Barclays thingy (a.k.a. PINsentry) and debit card to log in to do my taxes or whatever.

I have some sympathy with the view that it is better to go with the grain. If the banks come up with a convenient and simple authentication solution, then it will find its own path into the marketplace.

If banks truly cared about offering the right solutions to the problem, they wouldn't have to make solutions mandatory.

[From MANDATORY Verified by VISA and UCAF SPA]

One of the more interesting ways of leveraging 3DS might be to integrate it into some other, Internet-based, authentication scheme. A good candidate might be OpenID. Now, as previously discussed, OpenID needs strong authentication to be useful for business. 3DS could provide a mass market 2FA addition to OpenID, A direction that might be explored is what you might called "4D Secure", or 4DS: instead of using bank authentication to log in to something, use bank authentication to log in to an OpenID provider and then use OpenID to log in to things. This has the advantage that service providers site could implement open source standard OpenID solutions rather than interface with 3D Secure. So I go to log in to Tesco using OpenID, I do an OpenID log in using my Barclays credit card and USB contactless interface (my Barclays credit card has PayPass) and off I go. A few minutes later, I log in to The Daily Telegraph comment section again using OpenID but since I've already authenticated myself there's no need to do it again.

These opinions are my own (I think) and are presented solely in my capacity as an interested member of the general public [posted with ecto]


TrackBack URL for this entry:

Listed below are links to weblogs that reference Authentication in 3D:


The comments to this entry are closed.