2FA vs. MFA in payments

July 4, 2023

As the rapid growth of e-commerce transactions has proved a tempting target for nefarious actors, fraud has become an ever-present threat to anyone involved in the taking or processing of online payments.

Fortunately, businesses aren’t alone in the fight. Security systems like two-factor authentication (2FA) and multi-factor authentication (MFA) provide a solid line of defense against cybercriminals by requiring customers to complete multiple verification steps to confirm their identity and approve payments or access their accounts.

But how do 2FA and MFA differ? And is one preferable to the other when it comes to protecting online payments?

In this article, we explain exactly how 2FA and MFA work, how they fit into the regulatory landscape, and what to consider when choosing which authentication factors to implement.

What is 2FA?

Two-factor authentication (2FA) requires exactly two different authentication factors, and no more, in order to access an account or approve a payment. These could be a combination of passwords, biometrics, and security questions. There are no restrictions on which two factors can be combined to constitute 2FA.

Types of 2FA in payments

2FA comes in many forms, with some combinations providing a more advanced level of security than others. Which factors you decide to implement could come down to your preferences, your customers’ preferences, or the capabilities of the systems you use. Here are some common types of 2FA:

  • Basic login details - the customer’s username, password, and security questions. Although basic and relatively easy for an attacker to replicate, they remain an essential component of 2FA and of verifying a user’s identity.
  • OTP - you can use SMS to send a unique one-time password (OTP) to your customer’s smartphone or another device. They then have a limited time to enter the password into the website or app in order to verify their identity. On their own, OTPs are still a fairly basic form of authentication.
  • Push notifications - when a customer attempts to log in to their account, you can send an email or SMS alerting them to the login attempt - usually with the time and location of the login - and ask them to confirm or deny access, which they can do at the click of a button.
  • Tokens - software tokens require your customer to have a free authentication app installed on their phone, which stores limited-time codes (or tokens) used to access various apps or websites. When they attempt a login, they must open their authentication app to check the relevant code and submit it to the website for approval.
  • Biometrics - biometrics, such as fingerprints, face scans, iris scans, and voice recognition, are among the most secure identification factors because they are completely unique to the user.

Benefits of 2FA

Basic factors such as login details and OTPs are more vulnerable because they are easier to steal and replicate. However, combining one of them with even a single other factor, such as a token or a biometric, as 2FA requires, produces a much stronger form of customer authentication that a bad actor would find very difficult to imitate. And while 2FA lacks the even more robust multi-factor security of MFA, having fewer factors does give your customers a more frictionless user experience.

What is MFA?

Multi-factor authentication (MFA) requires the customer to present at least three different forms of the identification factors listed above: for example, a password combined with security information and a fingerprint, or a mobile app combined with face ID and an OTP. Again, as with 2FA, different combinations of factors give more or less secure forms of authentication.

Types of MFA in payments

MFA relies on all the same possible factors as 2FA, including login details, OTPs, tokens, and biometrics, but requires the customer to provide a minimum of three factors instead of two.  

Benefits of MFA

Clearly, the more authentication factors are required, the more effective the security. More verification factors provide more opportunities to identify a fraudster and prevent a breach. When those factors, such as a hardware token or security key, are not accessible through online means, they are almost impossible for criminals to get around. That said, there is a trade-off between security and customer experience that needs to be taken into account. Having to complete multiple authentication steps for even the most basic action could be off-putting for your customers.

MFA also has other benefits: reduced security and customer service costs, because fewer breaches succeed; and increased customer trust and loyalty, because it makes clear that your systems are robustly defended.

Understanding payment authentication and Strong Customer Authentication (SCA)

Strong Customer Authentication (SCA) was mandated by the EU’s second Payment Services Directive (PSD2), which requires businesses to use 2FA or MFA for all customer-initiated online transactions processed in the European Economic Area or the UK. You can present 2FA or MFA to your customers by implementing 3D Secure 2.0 (3DS2), a security protocol designed to protect online card payments from fraud.

To comply with SCA requirements, the cardholder must provide factors from at least two of the following three categories:

  • Something you know - email, password, security information
  • Something you have - mobile app, smart card, token, OTP
  • Something you are - biometric factors like a fingerprint, face ID, iris scan, voice recognition

If two of the above factors are provided, 2FA has been implemented to verify the cardholder. If three or more factors are provided, MFA has been implemented.

However, there are some exceptions and exemptions. For example, if your business’s bank and/or your customer’s bank is located outside the EEA or the UK, SCA does not have to be implemented.

What are the differences between 2FA and MFA?

The key difference between 2FA and MFA is that the latter requires an additional authentication step beyond the two required for 2FA. Technically, 2FA is a type of MFA, and both will utilize the same factors in order to authorize an action. This additional factor makes MFA a more secure option than 2FA, though 2FA is still a very reliable way to verify someone’s identity.

Is 2FA or MFA better for payments?

When it comes to payments, opting for maximum security by implementing MFA for every transaction isn’t necessarily the answer. As explained above, you must consider how to strike a balance between protecting your customers and providing them with as frictionless an experience as possible.

One way to do this is to implement MFA only for transactions above a certain value. For example, you might require your customers to complete only 2FA up to a ceiling of £100, since forcing them through multiple verification steps for even small purchases can be time-consuming and frustrating. As soon as they’re buying something of £100 or more, MFA kicks in. Because more is at stake, the customer is more willing to provide additional authentication factors.
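To make the SCA factor categories and the value-based step-up concrete, here is an added example, not code from the article or from Checkout.com, of a small authentication policy check. It maps each presented factor to its category, counts distinct categories (so a password plus a security question counts once, as "something you know", which follows the three-category rule the article gives for SCA), labels the result 2FA or MFA, and demands a third category at or above the £100 ceiling. The factor identifiers, the `evaluate` function and the `Decision` record are constructed for this illustration.

```python
from dataclasses import dataclass
from enum import Enum
from typing import Iterable, Set


class Category(Enum):
    """The three SCA factor categories described in the article."""
    KNOWLEDGE = "something you know"
    POSSESSION = "something you have"
    INHERENCE = "something you are"


# Factor types named in the article, mapped to their category.
# The string keys are identifiers constructed for this example.
FACTOR_CATEGORY = {
    "password": Category.KNOWLEDGE,
    "security_question": Category.KNOWLEDGE,
    "sms_otp": Category.POSSESSION,
    "push_confirmation": Category.POSSESSION,
    "authenticator_token": Category.POSSESSION,
    "smart_card": Category.POSSESSION,
    "fingerprint": Category.INHERENCE,
    "face_scan": Category.INHERENCE,
    "iris_scan": Category.INHERENCE,
    "voice": Category.INHERENCE,
}

# Value ceiling from the article: 2FA below it, MFA at or above it.
STEP_UP_THRESHOLD_GBP = 100


@dataclass(frozen=True)
class Decision:
    approved: bool
    level: str      # "insufficient", "2FA" or "MFA"
    reason: str


def distinct_categories(factors: Iterable[str]) -> Set[Category]:
    """Map presented factors to categories; unknown factor names are rejected."""
    cats = set()
    for f in factors:
        if f not in FACTOR_CATEGORY:
            raise ValueError(f"unknown factor type: {f!r}")
        cats.add(FACTOR_CATEGORY[f])
    return cats


def required_categories(amount_gbp: float) -> int:
    """Step-up rule: two categories below the ceiling, three at or above it."""
    return 3 if amount_gbp >= STEP_UP_THRESHOLD_GBP else 2


def evaluate(amount_gbp: float, factors: Iterable[str]) -> Decision:
    """Decide whether the presented factors satisfy the policy for this amount."""
    cats = distinct_categories(factors)
    count = len(cats)
    if count < 2:
        # e.g. password + security question: both "something you know"
        return Decision(False, "insufficient",
                        "at least two distinct categories are required")
    level = "MFA" if count >= 3 else "2FA"
    need = required_categories(amount_gbp)
    if count < need:
        return Decision(False, level,
                        f"amount {amount_gbp} GBP requires {need} categories, got {count}")
    return Decision(True, level, f"{count} distinct categories presented")


if __name__ == "__main__":
    for amount, factors in [
        (20, ["password", "sms_otp"]),
        (20, ["password", "security_question"]),
        (150, ["password", "sms_otp"]),
        (150, ["password", "sms_otp", "fingerprint"]),
    ]:
        print(amount, factors, evaluate(amount, factors))
```

The point of counting categories rather than raw factors is that two knowledge factors share the same weakness (both can be phished or guessed), so they add little to each other; a real deployment would also feed the merchant's risk signals into `required_categories` rather than using amount alone.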

You should also offer your customers as many different authentication choices as possible, so that they can choose the combination of factors that best suits their capabilities and requirements. Restricting the range of factors you accept risks preventing a customer from completing the necessary authentication steps at all.

Explore authentication with Checkout.com

Whether you do business in the UK and EEA, and are required to comply with SCA, or you do business exclusively in the US, but want to implement robust security measures to protect yourself and your customers, Checkout.com has you covered.

Our 3D Secure Payment Authentication product helps you to fight fraud while remaining compliant and growing your revenue by deploying the latest 3DS version 2.2. Powered by machine learning, it can automatically route transactions via the most appropriate authentication flow, which maximizes the chance of acceptance and provides your customers with the most frictionless journey possible.

We also give you multiple options to suit different sales channels and business types. You can choose standalone to centralize all authentication in one place, with consolidated reporting, and customizable and non-hosted options; or use our 3DS product as part of our advanced payment platform, which comes with granular data, intuitive reporting, and more.

Find out more about Checkout.com 3DS Payment Authentication.
