By Tapesh Bhatnagar
We live in a digital world, where almost every transaction takes place online. Confirming the legitimacy of transactions and the identity of the parties involved requires payment authentication. According to statistics from the Reserve Bank of India, a significant increase in digital payment fraud in India was recorded during the fiscal year ending in March 2024, amounting to Rs 14.57 billion, more than ever. Common cybercrimes such as phishing, malware, OTP fraud, and fake UPI links highlight the need to reassess our authentication methods. This statistic underscores the urgent need for robust payment authentication procedures.
The growing digitisation of the economy has spurred a significant shift towards innovative payment authentication methods across India. It's important to recognise these developments as the number of digital payment transactions between 2023 and 2024 grew to 116.6 billion and continues to rise.
Quick Synopsis of Payment Authentication
One of the use cases of payment authentication is to verify the user's identity to approve a financial transaction. This has traditionally been accomplished via techniques like One-Time Passwords (OTPs) and Personal Identification Numbers (PINs).
PIN: It is a popular technique for transaction authentication that requires customers to input a personal identification number. Although this approach is straightforward, it is susceptible to theft or carelessness. A survey found that passwords and PINs are hacked in 80% of data breaches.
One-time passwords (OTPs): They give an extra degree of protection by sending a special code to the user's registered email address or phone number. OTPs are secure, but occasionally delivery delays or problems with mobile network access might worsen the situation.
The limitation of traditional authentication methods like passwords, PINs, and OTPs is that they rely on "shared secrets", i.e. a server under the bank's control validates the credentials provided by the user. Since these shared secrets can be intercepted, they are vulnerable to phishing or theft. This exposes users to a higher risk of fraud. From a user experience standpoint, remembering numerous passwords can be frustrating and time-consuming. Additionally, traditional MFA methods like SMS OTPs can be inconvenient and susceptible to phishing and SIM swap fraud.
Innovation in Authentication for Payments
The methods of payment authentication are evolving along with technology, providing more simplicity and security through:
Biometric Authentication: Biometric authentication has become a cornerstone in enhancing security and user experience in the financial sector. By utilising unique biological characteristics like fingerprints, facial recognition, or iris scans, biometric systems provide a level of protection that is inherently difficult to replicate or steal. This technology, integrated with FIDO-based global standards, offers a seamless and secure method of authentication, where the second factor remains invisible to the user. In banking, this approach aligns perfectly with the need for Strong Customer Authentication (SCA), ensuring that sensitive transactions are carried out only on trusted devices, making two-factor authentication feel as effortless as a single action.
Passkeys, driven by the FIDO Alliance, have emerged as a crucial advancement in this landscape. Unlike traditional passwords, passkeys use cryptographic key pairs, significantly enhancing security. When combined with biometric authentication, passkeys allow users to unlock their accounts or authorise transactions simply by using their biometrics, like a fingerprint scan or facial recognition.
This synergy between passkeys and biometrics not only provides a robust defence against fraudsters but also offers an intuitive and user-friendly experience. In particular, device-bound passkeys, tethered to specific devices, add an extra layer of security, making them the gold standard for financial institutions looking to meet stringent regulatory requirements while offering unparalleled convenience to their customers.
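The difference between a shared secret and a key pair can be shown in a few lines. The sketch below is an added example, not code from the author or from any FIDO product: it is a simplified model in which the device signs the server's challenge together with the origin it is talking to, which is the property that lets the server reject a signature obtained through a look-alike site. All names, origins and the OTP value are constructed for illustration.

```javascript
// Simplified model of the two approaches; not the WebAuthn wire format.
const crypto = require('node:crypto');

const BANK_ORIGIN = 'https://bank.example';         // constructed
const PHISH_ORIGIN = 'https://bank-login.example';  // constructed look-alike

// Shared secret: the server compares against a value it also knows.
function otpServerVerify(expected, submitted) {
  const a = Buffer.from(expected), b = Buffer.from(submitted);
  return a.length === b.length && crypto.timingSafeEqual(a, b);
}

// Passkey registration: the private key stays on the device, the server keeps the public key.
function registerPasskey() {
  const { publicKey, privateKey } = crypto.generateKeyPairSync('ed25519');
  return { device: { privateKey }, serverRecord: { publicKey } };
}

// The client software, not the user, records which origin requested the signature.
function deviceSign(device, challenge, originSeenByClient) {
  const clientData = JSON.stringify({
    challenge: challenge.toString('base64'), origin: originSeenByClient });
  const signature = crypto.sign(null, Buffer.from(clientData), device.privateKey);
  return { clientData, signature };
}

// The server checks origin and challenge before it trusts the signature.
function serverVerify(serverRecord, expectedChallenge, assertion) {
  const data = JSON.parse(assertion.clientData);
  if (data.origin !== BANK_ORIGIN) return false;
  if (data.challenge !== expectedChallenge.toString('base64')) return false;
  return crypto.verify(null, Buffer.from(assertion.clientData),
    serverRecord.publicKey, assertion.signature);
}

function demo() {
  const otp = '493817'; // constructed sample value
  // An OTP typed into a look-alike page and forwarded is the same string the bank expects.
  const relayedOtpAccepted = otpServerVerify(otp, otp);
  const { device, serverRecord } = registerPasskey();
  const challenge = crypto.randomBytes(32);
  const genuine = serverVerify(serverRecord, challenge, deviceSign(device, challenge, BANK_ORIGIN));
  const viaLookAlike = serverVerify(serverRecord, challenge, deviceSign(device, challenge, PHISH_ORIGIN));
  const staleChallenge = serverVerify(serverRecord, crypto.randomBytes(32), deviceSign(device, challenge, BANK_ORIGIN));
  return { relayedOtpAccepted, genuine, viaLookAlike, staleChallenge };
}

console.log(demo());
```

The server record holds only a public key, so a breach of that store yields nothing that can be replayed as a credential.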
Contactless Payment Cards: These cards allow customers to pay simply by tapping them on a POS terminal. They do this by utilising near-field communication, or NFC, technology. Through wireless communication, the card and POS terminal securely authenticate the payment information.
In addition to being practical, this approach lessens physical contact — something that has proven especially crucial in the post-pandemic environment. Contactless payments are made possible by smartphones that can emulate payment cards thanks to host card emulation (HCE) technology. Just like contactless cards, users may conduct purchases simply by tapping their phone on a payment terminal. This invention blends the security of traditional card payments with the portability of mobile devices. Research claims that mobile wallet payments in India will surpass $6 trillion by 2028.
Pertinence to Indian Clientele
Robust authentication mechanisms are essential in light of the global surge in payment fraud. Secure and yet seamless authentication is crucial in India, where digital payments are expanding rapidly. Companies need to be aware of and use these authentication techniques to give their clients a secure and effective payment experience while meeting legal requirements.
For Indian customers, contactless payment cards, mobile wallets with HCE technology, and biometric authentication provide many benefits. These developments improve security while streamlining and expediting the payment process for increased convenience and speed.
Highlighting the Key Benefits of Innovation
Innovation is driving a revolution in digital payment systems, bringing a wave of benefits for both consumers and businesses. Here are some of the key advantages:
Enhanced Security: Innovative methods for verification significantly reduce the risk of fraud and unauthorized entry. For example, transactions can only be approved by the rightful owner of the biometric data through biometric verification. Since contactless payment cards are always in the user's possession, there is a lower risk of card skimming or duplication. Payment details are encrypted in mobile wallets using HCE technology, providing an additional layer of security.
Better Usability: By streamlining the authentication procedure, these advances enable users to execute transactions more quickly and easily. For example, biometric identification enables users to quickly and easily confirm their identity via a fingerprint or face scan. Quick transactions are made possible by contactless cards and mobile wallets, which eliminate the need for PIN entry or OTP waiting.
Trust and Confidence: Customers' faith in digital payment systems grows as they become more conscious of the security precautions in place. Users are more likely to embrace and stick with digital payment systems if they are aware that sophisticated authentication techniques are protecting their transactions.
In recent developments, the Reserve Bank of India has issued draft guidelines towards an Alternate Authentication Framework which brings renewed focus on security as well as usability in digital payments.
There is a need to advance from basic passwords, PINs or OTPs to advanced contactless and biometric authentication to safeguard digital transactions, particularly in the wake of rising cyber threats and the increasing sophistication of fraud techniques. To keep up with changing customer expectations and security risks, payment authentication must continuously evolve. We may anticipate increasingly convenient, safe, and user-friendly authentication techniques as technology develops.
In the digital age, SecurityTech leaders like G+D are at the forefront of transforming payment and banking experiences with human-centric security technology. Their expertise lies in delivering industry-standard certified solutions, such as FIDO, that help financial institutions protect their customers.
(The author is the Head, Digital Solutions, Financial Platforms, G+D)
Disclaimer: The opinions, beliefs, and views expressed by the various authors and forum participants on this website are personal and do not reflect the opinions, beliefs, and views of ABP Network Pvt. Ltd.