Fraud, Friction and the Future of Two-Factor Authentication: The Long-Term Potential of PSD2 and SCA

Piano Team

This article, by Piano CEO Trevor Kaufman, was originally published on September 22, 2019 as part of the International News Media Association’s “Satisfying Audiences” blog, under the title “Anti-fraud legislation may create less friction for news consumers.”

If you’re an online media provider with a subscription or membership product — or really, any digital business interacting with users today — there’s something you’ll likely do anything you can to avoid.


Digital businesses and online media companies are dedicated to removing any potential friction from the user experience. And for good reason — online users have so much to choose from, they can easily get frustrated and drop away completely at the first sign that an experience isn’t going smoothly. Meaning friction is likely to affect your conversion numbers — a fact that Piano has seen in the sites we work with, where checkout completion rates decrease as the number of steps along the way increases. Which is why, at Piano, much of our business is focused on creating a friction-free experience for our customers, to keep users moving quickly towards conversion.

There’s something else that’s also a concern to digital businesses, though — and even more so to banks and credit card companies. Fraud. According to the European Central Bank, “card-not-present” fraud (made up, for the most part, of online fraud) accounted for 73 percent of credit card fraud in 2016, for a sum of €1.32 billion that year.

Now a new set of regulations — which went into effect September 14 — has put both “fraud” and “friction” on the tongues of digital media providers across the European Economic Area (EEA) and European Union (EU). But while many media providers are worried that the anti-fraud legislation contained in the Revised Payment Services Directive (PSD2) will add more friction to their checkout process, the new regulations could in fact be the first step to a future that’s even more friction-free.

Fighting Fraud

Before I explain what I mean, let’s take a look at the regulations themselves and the adverse effects media companies are expecting to see from them — concerns that aren’t unwarranted, but may not be as long term as they believe.

To combat fraud — while also responding to a rising API economy and innovations in the digital payment market — the new regulations obligate payment providers to add Strong Customer Authentication (SCA) to their online checkout process. A two-factor authentication process, SCA applies to payer-initiated online payments for goods and services of €30 and above, necessitating two separate steps before a credit or debit card payment is authorized.

There are some exceptions to the rules that I won’t go into here — and if you’re in the UK they won’t be regulated for another 18 months — but in most cases SCA requires multi-factor authentication based on at least two of the following:

  • Something you know (like a PIN, a password or authentication questions)

  • Something you possess (like a phone or device)

  • Something you are (like a facial scan or fingerprint authentication)
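As an added illustration (not code from the article or from Piano), the following Python model encodes the SCA decision the passage describes: the €30 threshold, payer-initiated payments only, and at least two factors drawn from distinct categories. The factor labels, the `VerifiedFactor` type and the step-up decision are assumptions of this example; the exemptions the author skips over are deliberately not modelled.

```python
from dataclasses import dataclass
from enum import Enum

# Threshold quoted in the article: SCA applies to payer-initiated payments of EUR 30 and above.
SCA_THRESHOLD_EUR = 30.00


class FactorCategory(Enum):
    """The three SCA categories; a compliant check needs two DIFFERENT ones."""
    KNOWLEDGE = "something you know"      # PIN, password, authentication questions
    POSSESSION = "something you possess"  # phone or other device
    INHERENCE = "something you are"       # fingerprint, face scan


@dataclass(frozen=True)
class VerifiedFactor:
    """A factor the payer has already completed successfully (constructed type)."""
    category: FactorCategory
    method: str  # free-text label such as "password" or "fingerprint"


def sca_required(amount_eur: float, payer_initiated: bool) -> bool:
    """Merchant-initiated or sub-threshold payments fall outside the rule described here."""
    return payer_initiated and amount_eur >= SCA_THRESHOLD_EUR


def satisfies_sca(factors) -> bool:
    """Two factors from the same category (e.g. password + security question) count as one."""
    categories = {f.category for f in factors}
    return len(categories) >= 2


def missing_categories(factors):
    """Categories not yet used; a step-up challenge must come from one of these."""
    used = {f.category for f in factors}
    return [c for c in FactorCategory if c not in used]


def authorize_payment(amount_eur: float, payer_initiated: bool, factors) -> str:
    """Return 'approved' or 'challenge' (ask for a factor from an unused category)."""
    if not sca_required(amount_eur, payer_initiated):
        return "approved"
    return "approved" if satisfies_sca(factors) else "challenge"


if __name__ == "__main__":
    # Constructed sample: password plus a security question is still a single category.
    pw = VerifiedFactor(FactorCategory.KNOWLEDGE, "password")
    question = VerifiedFactor(FactorCategory.KNOWLEDGE, "security_question")
    print(authorize_payment(45.00, True, [pw, question]), missing_categories([pw, question]))
```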

For many of the media providers we’ve talked to, it’s the addition of a second step in the authentication process that’s the problem. Extra steps add friction, and for many companies that friction is more of a concern than the potential fraud the regulation hopes to address.

The Future is (More) Friction-Free

While the short-term effects of PSD2 may look negative, though, its long-term promise is exactly the opposite. Piano sees potential in the new regulations to help remove some of the friction that currently exists in the digital user experience, while giving media companies ownership over the important data that drives businesses today.

Consider the current authentication process. Driven largely by password access, it may be familiar, but it isn’t exactly friction-free. You just have to think of your own experiences to see that: the time you’ve spent figuring out which email address you used to sign into a given site, then the password you created to satisfy its unique number, letter, symbol and length criteria. All repeated across every site you want to have a relationship with, and escalated for large media companies, where logins may or may not be "federated," with a single sign-on across sites owned by the same parent company. Creating a different identity for every site under the same umbrella can be frustrating, but it can also be jarring to try to create an account on a site you've never been to, only to be told one already exists. It’s a common challenge for Piano's major media clients today.

Better options exist, but in a world where passwords are standard, they aren’t yet being used widely. SCA opens up the potential to popularize them, requiring that users try something new. While password access still remains an option under Strong Customer Authentication, so do alternatives like device validation and biometric authentication. The more commonplace this type of authentication becomes, the more likely it is to be built into laptops and desktops, making it more available to browsers. And wouldn’t it be easier to log in with a fingerprint, face scan or device tap than with a username and password?

In the long term, this technology — once it becomes widespread — promises to remove more friction from the transaction process.

Owning the Information

But it does more than that, too.

At Piano we see the shift to SCA’s two-factor authentication as part of a confluence of events that will begin to give publishers — as opposed to platforms — ownership over their logged-in users, as well as the data that results. Which means the locus of user information will shift from platforms and ad tech companies back to the publisher. User information will live only in a user's profile — a human-readable and human-editable repository on the sites they choose to share data with. And a logged-in user will enable those sites to understand their visitors better.

Right now, users tend to log into Google and Facebook, accessing sites through these third-party logins. It’s much rarer that they’re logged into the site they’re on. Which means Google and Facebook are able to track user behavior from site to site, even without the use of third-party cookies. But new developments like SCA — as well as Apple’s requirement that a logged-in user manually click to sign onto a second site — make you sign in at every unique site, an easier experience if you have biometric or device-secured authentication. And that makes logging in through Google and Facebook less appealing, taking away their ability to track.

All of which leads back to biometrically and device-secured authentication. It’s both the safest and lowest friction avenue for consumers. And the new PSD2 regulations push us towards a future where it’s more common too.
