At the crux of the standard is a desire to retire static passwords and to replace them with one-off passwords and biometrics to enable easier transactions at the point-of-sale. MasterCard says that if authentication was challenged at this point, cardholders could identify themselves with one-time passwords or fingerprint biometrics – as implemented on devices like Apple's iPhone and Samsung's Galaxy S5 – rather than “committing static passwords to memory”.
Visa has helped to co-create the protocol which could be adopted in 2015 and eventually replace the original 3D Secure protocol (3DS 1.0). The 3DS 2.0 specification will be jointly owned by Visa and MasterCard and will operate separately and in parallel with the former version.
Under the plans, Visa will maintain sole ownership of the original protocol, including IP and the management of the specifications. However, there are no further plans to invest in the standard.
Ajay Bhalla, president of enterprise security solutions at MasterCard, said that the new standard aims to make things simpler for consumers, while ensuring that security is upheld.
“All of us want a payment experience that is safe as well as simple, not one or the other. We want to identify people for who they are, not what they remember. We have too many passwords to remember and this creates extra problems for consumers and businesses,” he said in a statement.
In response to the news, Phil Turner, VP EMEA for identity management vendor Okta, said that the standard would be welcomed by consumers who often either forget their passwords, or insecurely use the same one across multiple accounts.
“Between their work and personal accounts, consumers have a lot of usernames and passwords to remember, each of which has different password requirements and expiration cycles,” he said in an email to SC. “Add this to the hassle caused by constant password resets and remembering secret questions and it is clear consumers need a way to make this process easier.”
Adding that many people suffered from ‘password fatigue’, Turner said that the password is one of many single sign-on technologies that may not be good enough.
“We've reached a point where usernames and passwords alone are no longer good enough. We've long had single sign-on technologies to remove the complexity of remembering multiple passwords, but what if someone else gets hold of that single username and password?
“Not surprisingly, multi-factor authentication – which requires two or more factors to verify legitimacy of the user – has taken off and evolved pretty substantially in the past decade and we're now seeing authentication methods becoming as personalised and specific to the individual as the experiences they're trying to access.”
In an email to press, Marta Janus, security researcher at Kaspersky Lab, adds: “It's a really good approach and, if implemented properly, the new protocol will not only be way more convenient for users, but also much more secure. One time passwords are already widely used and considered much safer than traditional "fixed" passwords, even if it's still possible for cybercriminals to obtain and use them. But, combined with biometric checks, this will certainly make a strong alternative to any existing authentication method.”