Is Mobile Authentication Really E-Commerce’s Best Shot?
By Evan Schuman /
13 Jul 2016
As e-commerce businesses struggle with payment fraud—affectionately known in the payments world as CNP (card not present) fraud—strategies all come down to a single concept: authentication. With a physical CP (card present) transaction, there are plenty of easy ways to authenticate. In a virtual reality, that task becomes a lot more challenging.
Unless the shopper is using an EMV reader attached to their laptop or mobile device—which simply isn’t going to happen any time soon, if ever—EMV doesn’t help e-commerce authentication. There are certainly some methods to discern a digital fingerprint online, such as noting the OS version, which apps are used, IP address, even recently used contacts. But here’s the grim reality: No approach for authentication is perfect.
The quest for a friction-free payment experience
Ultimately, every e-commerce manager must weigh authentication accuracy against friction. After all, the purpose of an e-commerce site is to make sales… and the more difficult and time-consuming the buying process, the greater the chance that the site will lose the sale. Friction is overwhelmingly the largest cause of abandoned carts.
We therefore have to face a series of choices. Behavioral analytics—depending on the vendor behind it and the information available on the shopper—can typically deliver a pretty high probability that the transaction is legit. Biometrics—such as a smartphone’s finger-scan—can deliver even better accuracy (closer to 97%), but it comes with a lot more friction— which means more shopper effort. In short, the more accurate the authentication, the more friction is involved—and still, neither approach gets you to 100%.
In the long term, behavioral analytics is going to be the least intrusive approach, generating zero friction. In the short term, though, mobile biometrics could be a convenient temporary move to get users authenticated and to do so using a device with which they’re already comfortable.
Apple’s push for e-commerce authentication
Apple is now toying with just that option. In its developer rollout of iOS 10, Apple said the new OS will allow e-commerce transactions (done with users working on Safari browsers with some Apple desktop hardware) to be authenticated by an attached iPhone. The heart of the authentication is biometrics – specifically a fingerprint scan done by the phone, which in turn accesses payment cards stored on an Apple server.
This fingerprint scan capability exists both with a healthy chunk of Apple handsets along with a smaller percentage of Android handsets. As the percentage of iOS and Android phones supporting biometrics sharply increases—as is widely expected to happen over the next two years—and the percentage of shoppers who have such phones also increases, this is looking like a viable e-commerce authentication option.
Although it’s true that m-commerce transactions are also expected to soar in that timeframe, Apple’s also aiming to add authentication to desktop and laptop-based purchases as well. Merchants would love to have this capability enabled, since shoppers tend to make larger dollar-value purchases on desktop than they do on mobile.
But will consumers put up with the added friction?
Here comes the difficult part, which is where fraud managers run into conflicts with e-commerce chiefs. One of the problems with getting people to pay for content on the Web has been that they’d gotten used to getting it for free for many years. Convincing someone who has long used something for free to pay for it is challenging.
It’s a quick ride from that paid content problem to the risk of introducing a new layer of e-commerce authentication. E-commerce shoppers are used to decades of experiencing almost no noticeable e-commerce authentication. The benefit of some of the digital fingerprint and behavioral analytics techniques mentioned earlier is that they’re entirely invisible to the shopper. In an e-commerce reality, invisibility means no friction.
That’s the problem with the Apple approach. By its very nature, it is stupendously visible to the consumer and will feel like extreme friction. Granted, it will potentially deliver less friction when onboarding (giving name, address, email address, etc.) some participating merchants for the first time, but it will involve associating the phone with the desktop/laptop and then scanning a finger. It will be a very different experience compared with the effortless one that Amazon, for example, has been delivering. Different equals behavioral change, which equals friction.
As EMV and other security improvements push fraud from in-store to online, better online authentication will be essential. But robust authentication will involve more friction for the e-commerce shopper. Using mobile devices that many shoppers already have in their pockets is potentially a good way to bridge the fraud gap, but it’s not an ideal fix. Better analytics is the way to go.
Evan Schuman has covered IT issues for a lot longer than he'll ever admit. The founding editor of retail technology site StorefrontBacktalk, he's been a columnist for CBSNews.com, RetailWeek, Computerworld, and eWeek.