TypingDNA has released a primer that explains how merchants and financial institutions can use typing biometrics to protect Card Not Present (CNP) transactions. The primer specifically highlights PSD2’s updated 3-D Secure protocols, which require Strong Customer Authentication (SCA) for any CNP transaction.
In that regard, TypingDNA explains that the updated 3DS 2.2.0 protocols allow for the use of passive, out-of-band forms of authentication. That, in turn, allows online retailers to integrate decoupled authentication techniques into their own websites.
From the consumer’s perspective, those rules will support a more frictionless payment experience. In the past, customers would be sent to a pop-up window to complete the authentication process. With the new rules, websites can use passive behavioral biometrics to analyze people’s typing patterns while they are entering payment information, so a person’s identity can be verified without the use of a separate pop-up screen.
TypingDNA argues that those kinds of integrations will reduce abandonment during checkout. It can also shift some of the fraud liability from merchants to credit card issuers, since the 3DS2 server can be hosted by a payment service provider or a third-party server.
Of course, online retailers can still use pop-up windows if they so desire. Those windows can pair common authentication modalities like passwords, SMS codes, and face and fingerprint recognition with keystroke dynamics to deliver a higher level of security.
TypingDNA has repeatedly argued that organizations should consider keystroke dynamics as they update their security practices to meet the incoming PSD2 requirements. The European Banking Authority has determined that typing biometrics are a secure form of authentication.
June 22, 2020 – by Eric Weiss