2FA Alternatives: 3D-Secure v2 and the problem with 2FA

Customer experience at an expense

3D Secure (3-Domain Secure) was introduced by the PCI as a security standard for online transactions. Backed by Visa, Mastercard, American Express, UnionPay, Discover and JCB, the protocol was designed specifically as an extra layer of security for card-not-present transactions online. You may know it in the form of “Verified by Visa” and “Mastercard SecureCode” — the box that pops up when you complete a purchase online.

Fraudsters are targeting card-not-present transactions. Consumers still tend to pick easy-to-remember passwords and this is a simple process for fraudsters to breach.

Version 1.0 of 3D Secure did improve security, but at the expense of the customer experience. The system authenticates cardholder information, usually requesting a password or PIN. These extra steps are not a great experience, and the service is only available in browser-based transactions. This leads to a more frustrating customer experience and a tangible drop in sales conversions — users simply cannot complete the transaction, or give up when they cannot remember their password.

Version 2.0 of 3D Secure has since been introduced. The aim of the new standard is to further secure these transactions whilst improving the customer experience and adding mobile applications into the mix. The system now allows for replacements to passwords such as:

1. Biometric identification — face, fingerprint or voice recognition.
2. Two-factor authentication (2FA) — using a username and password, but also something the user has unique access to, such as a phone.
3. Risk-based authentication — allows issuers to make decisions based on additional data about the transaction, merchant and cardholder.

The introduction of 3D Secure version 2.0 brings stronger authentication, mobile transactions and an improved user experience.

However, TMT ID believes there are still some improvements that can be made. As an example, 2FA still has the potential to be intercepted and falsified by fraudsters due to the nature of SMS and email as the communications medium.

Alternatives to 2FA and the solutions

Organisations implementing 3D Secure v2.0 standards will need to consider a number of elements during rollout. TMT ID has designed a solution that will enhance and simplify the implementation: Verify.

TMT ID’s Verify product is a comprehensive mobile identity verification solution designed to validate and authenticate customers globally using their phone numbers. By leveraging authoritative data sources, including live intelligence from mobile network operators and regulators worldwide, Verify provides real-time insights into billions of mobile numbers.

Key features include:

• Customer onboarding: Verify ensures seamless and secure onboarding by confirming that a customer’s mobile number is real, active, and matches the personal information provided, such as name, address, and age.
• Fraud protection: the solution guards against account takeover fraud, including SIM-swap attacks, by alerting businesses in real time to potential risks.
• Data cleansing: Verify performs real-time liveness checks to identify inactive or redundant mobile numbers, allowing businesses to maintain accurate and up-to-date customer databases.

OTP vs 2FA

In the realm of digital security, it’s essential to distinguish between one-time passwords (OTPs) and two-factor authentication (2FA), as they serve different purposes and offer varying levels of protection.

One-time passwords (OTPs)

An OTP is a unique code that is valid for a single login session or transaction. Typically, OTPs are delivered via SMS, email, or generated by an authenticator app. While they add a layer of security beyond static passwords, OTPs — especially those sent via SMS or email — are susceptible to interception, phishing and SIM-swapping attacks. Relying solely on OTPs may not provide sufficient protection against sophisticated threats.

Two-factor authentication (2FA)

2FA enhances security by requiring two distinct forms of identification: something you know (a password or PIN) and something you have (a physical device such as a smartphone or hardware token). By combining these factors, 2FA significantly reduces the likelihood of unauthorised access, even if one factor becomes compromised. Modern implementations often utilise authenticator apps or hardware tokens to generate time-based codes, offering a more secure alternative to SMS-based OTPs.

Key differences

• Security level: while OTPs provide an additional layer of security, 2FA offers a more robust defence by combining multiple authentication factors.
• Vulnerability: OTPs transmitted via SMS or email are vulnerable to interception and social engineering attacks. 2FA methods that use authenticator apps or hardware tokens are less susceptible to such threats.
• Implementation: OTPs can be a component of 2FA but do not constitute 2FA on their own. True 2FA requires the combination of two different authentication factors.

While OTPs can enhance security, implementing comprehensive 2FA solutions — preferably those utilising secure methods beyond SMS or email — is advisable to safeguard against evolving cyber threats.

For more information on how TMT ID can help with 3D Secure and 2FA enhancements, please contact us.