An examination of the first European FIDO2 solution for payments, which was put to practical use at PLUSCARD by Entersekt and Netcetera. In a Europe-first implementation, in partnership with Netcetera, the FIDO authentication standard for payments was recently instituted at PLUSCARD, a full-service processor for numerous card-issuing institutions throughout Germany.
The solution, developed over several months, enabled secure, unrestricted card payments on the internet without needing a mobile device for mandatory two-factor authentication.
Uwe Härtel, Entersekt’s country manager for central Europe, offers an informative overview of this milestone project and the benefits afforded to cardholders.
The need for app-free strong customer authentication
Since 2019, Entersekt had been engaged in talks with long-standing partner PLUSCARD about the possible use of hardware tokens for strong customer authentication (SCA).
Although most cardholders were already using an app-based solution, it became apparent that a substantial number (PLUSCARD estimates between 10% and 12%) of cardholders were not willing to use a mobile device for authentication, either because of security concerns or simply because they did not own a smartphone.
These customers needed a solution that enabled them to shop online and pay with their cards without having to use an app for two-factor authentication. At the time, the envisaged solution was a hardware token that followed the global and open FIDO standard.
FIDO-certified server and SDK development
So, in 2020, Entersekt began developing a FIDO server, which had to be certified by the FIDO Alliance before it could be put into practice. In December 2020, that certification was obtained. As a result, the FIDO server could be integrated into the Entersekt Secure Platform (ESP), while the corresponding web software development kit (SDK) was built in parallel.
It was then over to Netcetera to implement the solution at PLUSCARD, which was followed by a longer phase of joint and repeated testing. After all, the authentication flow had to work flawlessly on all mobile and web browsers.
On June 16, 2021, PLUSCARD went live with its new FIDO authentication solution, the first German FIDO implementation for payments.
Simple, strong customer authentication using FIDO
Today, PLUSCARD customers who have registered their credit cards for FIDO authentication can either obtain a physical FIDO token or use an existing FIDO token on their PCs. They must register their tokens on the PLUSCARD customer portal. The token is then linked to the customer's card so that all future online purchases can be authenticated, very simply, with the FIDO token. A FIDO token is a great deal more secure than SMS OTP and is therefore a better, safer choice.
A passwordless authentication solution with great future potential
In addition to physical roaming authenticators (USB FIDO tokens), platform authenticators are set to play a greater role in the medium term. In essence, by supporting the WebAuthn standard in co-operation with the corresponding crypto chips, a notebook or mobile phone will itself become a secure FIDO (platform) authenticator in the future.
Given that PLUSCARD's solution was designed with both methods in mind, it holds a great deal of potential. We’re excited to be on board!
PLUSCARD, Netcetera and Entersekt presented the new FIDO2 solution for payments at ProfitCard Berlin on June 22, 2021. Watch the video (in German).