Frictionless Web Payments with Cryptographic Cardholder Authentication

摘要

The 3-D Secure protocol, introduced 20years ago, aims at reducing online credit card fraud by authenticating the cardholder. Version 2 of the protocol, not yet deployed, addresses usability problems that have hindered the deployment of version 1 by introducing a fric-tionless flow for low risk transactions. But the frictionless flow does not authenticate the cardholder. Instead, it requires the merchant to send information to the issuer through a back channel, potentially violating the cardholder's privacy. The paper analyzes the usability, privacy and security provided by 3-D Secure 2 and proposes an alternative protocol, simpler and less expensive to implement, where the cardholder is authenticated with a cryptographic credential stored in the cardholder's browser with zero friction. The scheme can take advantage of a native bank app in the cardholder's device to further authenticate the cardholder by fingerprint scanning or face recognition as made available by the device, and can be used for credit card purchases made on the merchant's web site or on a merchant app.