Why Online Retailers Need 3 Levels of Authentication
Most online retailers allow their customers to register for an account when placing an order. When that customer returns and logs in to their account, the customer can:
- checkout using the information you have on file for them
- change their address information
- review past orders
- add products to a wishlist
- add items to a shopping cart that they can later access on another device
It sounds very reasonable but there is actually a fundamental flaw here.
Keys to the kingdom
With the exception of the most sophisticated online retailers such as Amazon, most ecommerce sites treat user login and authentication as an all-or-nothing proposition. A customer is either not logged in and can't perform ANY of the above actions, or they are logged in and can perform them ALL.
First, this 'black and white' approach results in a diminished user experience because it forces users through the login process for actions that don't really require ANY security (e.g. adding to a cross-device cart or wishlist).
Second, it doesn't differentiate between data access that has no meaningful value to a cybercriminal, like viewing order history, and truly fraud-sensitive situations such as using a different shipping address. The net effect is that retailers are unable to protect themselves from phishing attacks with techniques such as 2-factor authentication without degrading the user experience for the 90% of authentication situations that are not attractive to fraudsters.
To improve this situation, instead of always requiring a login and giving the logged-in user all the keys to the kingdom when it comes to their account, you, the retailer, can upgrade to a 3-level authentication system:
- Cookie-based identification. A persistent cookie in the web browser allows you to identify a returning customer who previously logged in or registered on this device. Because this computer might be a shared or public computer, such identification is NOT sufficient to allow the user to view the address, order history and other information you have on file for this customer. But it IS sufficient to allow items to be added to a cross-device shopping cart, wishlist, etc.
- A logged-in user session. In this session, the user can see all their information and place an order to be shipped to their previously used address. Because the full credit card number you have on file is never displayed to the user, this level of access is actually unattractive to cyber thieves. Consumers' contact information is readily available from sources that are much easier to obtain than hacked retailer logins, and having a package delivered to the actual customer rather than to the hacker doesn't do them any good.
- Two-factor authenticated login. Short of calling every customer to verify their order, this is the only viable mechanism for protecting yourself and your customers not only against brute-force password guessing, but also against phishing attacks, which in the mobile era are increasingly easy to pull off. (See this post for more on the scary world of mobile phishing.) This level of authentication should be required whenever a user wants to perform an action that would be very valuable to a fraudster, such as placing an order to be shipped to a different address or to be picked up in store by a different authorized person, changing the email address on file, etc.
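As an added illustration (my own code, not code from this post or from CardPass), the three levels above can be expressed as an authorization policy: each session carries at most one level, each action declares the minimum level it needs, and a request that falls short gets a step-up hint rather than a flat refusal. The action names, the `Session` fields, and the rule that a session reaches the third level only when it is both logged in and on a browser that was verified through an email/SMS link are my assumptions; an action the policy has never heard of fails closed to the strictest level.

```python
from dataclasses import dataclass
from enum import IntEnum
from typing import Optional


class AuthLevel(IntEnum):
    """The three levels from the post, plus an explicit 'nothing' level."""
    ANONYMOUS = 0
    COOKIE_IDENTIFIED = 1   # persistent cookie recognises a past login on this device
    LOGGED_IN = 2           # credential presented in this session
    TWO_FACTOR = 3          # logged in AND on a browser verified via email/SMS link


# Minimum level per action. Constructed from the post's examples; the action
# names are assumptions. Anything not listed falls back to TWO_FACTOR.
REQUIRED_LEVEL = {
    "add_to_cart": AuthLevel.COOKIE_IDENTIFIED,
    "add_to_wishlist": AuthLevel.COOKIE_IDENTIFIED,
    "view_order_history": AuthLevel.LOGGED_IN,
    "view_addresses": AuthLevel.LOGGED_IN,
    "checkout_to_known_address": AuthLevel.LOGGED_IN,
    "checkout_to_new_address": AuthLevel.TWO_FACTOR,
    "change_pickup_person": AuthLevel.TWO_FACTOR,
    "change_email": AuthLevel.TWO_FACTOR,
}

# Which step the UI should offer when a request falls short of its level.
STEP_UP = {
    AuthLevel.COOKIE_IDENTIFIED: "register_or_login",
    AuthLevel.LOGGED_IN: "login",
    AuthLevel.TWO_FACTOR: "verify_device",   # send the email/SMS link
}


@dataclass
class Session:
    customer_id: Optional[str] = None
    device_recognised: bool = False   # persistent cookie matched a known customer
    logged_in: bool = False           # credential checked in this session
    device_verified: bool = False     # browser marked verified by a link click

    def level(self) -> AuthLevel:
        if self.customer_id is None:
            return AuthLevel.ANONYMOUS
        if self.logged_in and self.device_verified:
            return AuthLevel.TWO_FACTOR
        if self.logged_in:
            return AuthLevel.LOGGED_IN
        if self.device_recognised or self.device_verified:
            return AuthLevel.COOKIE_IDENTIFIED
        return AuthLevel.ANONYMOUS


@dataclass
class Decision:
    allowed: bool
    have: AuthLevel
    need: AuthLevel
    step_up: Optional[str]   # None when allowed


def authorize(session: Session, action: str) -> Decision:
    """Compare the session's level with the action's requirement (fail closed)."""
    need = REQUIRED_LEVEL.get(action, AuthLevel.TWO_FACTOR)
    have = session.level()
    if have >= need:
        return Decision(True, have, need, None)
    return Decision(False, have, need, STEP_UP[need])


if __name__ == "__main__":
    # Returning customer on a new phone: known address is fine, new address needs step-up.
    phone = Session(customer_id="cust-42", logged_in=True)
    print(authorize(phone, "checkout_to_known_address"))
    print(authorize(phone, "checkout_to_new_address"))
```

The point of returning a `Decision` instead of a boolean is that the checkout page can react to `step_up` directly: a cookie-identified visitor asked to view order history is shown the login form, while a logged-in visitor changing the shipping address is told to click the link that was just emailed, with no password prompt in the way.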
2-factor authentication
In computer security, an authentication factor refers to an independent verification of your identity through one of these three aspects:
- Something you know. For example, your password or other non-public information such as your favorite movie.
- Something you own or have access to. For example, your smartphone, your email account, your web browser that has been previously verified through your email or SMS.
- Something you are. This refers to biometric factors such as your fingerprint.
You are probably familiar with the common 2-factor authentication technique used by banks such as Chase. The first time you try to log in with your password (factor 1) from a new device or web browser, the bank sends a text message to your phone with a code (factor 2) that you then enter into the web browser. After this, your web browser is marked as authenticated via SMS and becomes the second factor. As a result, in 90% of bank logins, the 2-factor authentication is still present but is completely seamless to the user.
Although using multiple factors of different types is preferable (e.g. something you know and something you own), obtaining two independent factors of the same kind is also acceptable, especially when they fall into the more difficult-to-forge types such as biometrics or access to your phone or email. What this means is that to achieve 2-factor authentication, a web site can use the user's web browser as one factor and a one-time pass code sent to the user's phone as the second factor, thus completely eliminating the need for a user-created password.
This is exactly what our CardPass password-less login solution does. In the process it not only eliminates all the password hassles for your shoppers, it also enables 2-factor authentication and thwarts phishing attempts, because the browser authentication factor is only accessible on your real site, not on a phishing site set up by a hacker.
2-factor authentication and phishing
It's important to realize that code-entry-based 2-factor authentication approaches such as the bank example above are not inherently phishing-proof. With a proxy-type phishing site that forwards everything to the legitimate site, hackers can trigger the site they are targeting to send the one-time code to the user, who will then enter the code into the phishing site. The bank will have doubly verified that it was really the user who logged in this time, but it won't know that the phishing site is sitting between it and the user and now has access to this login session.
On desktop web browsers you can clearly see the web site address, and Extended Validation (EV) SSL certificates result in a green bar, whereas a regular wildcard certificate that might be used by a hacker on a phishing site would not. In text messages sent by CardPass, we also remind the shopper to only enter this code on the domain we are securing.
However, on the small screens of mobile devices, the location bar is not always visible and can be scrolled off, nor do EV SSL certificates look any different. Relying on the user is therefore not an acceptable defense against phishing. What CardPass does instead is put a link in the text message for mobile users to tap on. This link guarantees that the user will be taken to the real retailer web site and not a phishing site. It also happens to require even less effort from the customer to log in than entering a code.
Note that, strictly speaking, CardPass authentication through a link is only a single factor of authentication, but because it is phishing-proof, it provides sufficient security to be used for fraud-sensitive third-level authentication.
How the third authentication level works in practice
3-level and 2-factor authentication may sound complex, but when implemented well it's actually very simple and frictionless in practice. Let's walk through the common scenarios:
- A shopper makes her first purchase from you. After completing checkout, an email is sent to her with a special link back to your site (e.g. to view the receipt). After she clicks through this link, the web browser she uses is marked as a verified authentication factor (and you also verify her email address at the same time). All subsequent logins in this web browser on your site are 2-factor authenticated and guarantee that she is not being phished. This covers probably 70% of your returning customer purchases.
- That same customer returns to your site but from a different device, e.g. her smartphone. She logs in and places an order to be shipped to the same address she used last time. She is not 2-factor authenticated but, as we've seen previously, this is not a fraud-sensitive situation, so it's not necessary. This probably covers another 25% of your returning customer purchases.
- What if that returning customer is on a new device and wants to ship to a different address? While she is not 2-factor authenticated, she is not able to change the address in the checkout forms. Instead you instruct the customer to click on a link in the email you've just sent to her to continue her checkout with a different shipping address. Probably only about 5% of returning customers will have to do this, and only the first time on each new device.
This multi-level authentication system is fairly easy to set up, though there are some important technical details that have to be done correctly for proper security and anti-phishing protection, such as time-limited authentication codes, cryptographically strong tokens, not using cookies in a way that enables Cross-Site Request Forgery attacks, etc.
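Putting the three scenarios above together with the implementation notes, here is an added example (my own code, not CardPass's or the post's) of the device-verification step that all three scenarios hinge on: the receipt email carries a single-use, time-limited random token; the site stores only a hash of it; redeeming the link issues a second random token as a persistent cookie that marks this browser as verified, again stored only as a hash. The `shop.example` URL, the 15-minute link lifetime and the 180-day device lifetime are constructed assumptions, and the injectable clock exists so that expiry can be exercised offline.

```python
import hashlib
import secrets
import time
from typing import Callable, Dict, Optional, Tuple
from urllib.parse import parse_qs, urlparse

LINK_TTL = 15 * 60            # seconds a verification link stays valid (assumption)
DEVICE_TTL = 180 * 24 * 3600  # lifetime of the verified-device cookie (assumption)
VERIFY_URL = "https://shop.example/verify"   # constructed placeholder domain


def _digest(token: str) -> str:
    """Hash tokens at rest so a leaked table does not contain usable tokens."""
    return hashlib.sha256(token.encode()).hexdigest()


class DeviceVerification:
    def __init__(self, clock: Callable[[], float] = time.time) -> None:
        self.clock = clock
        # token digest -> (customer_id, expires_at); a real site would use a database
        self.pending_links: Dict[str, Tuple[str, float]] = {}
        self.verified_devices: Dict[str, Tuple[str, float]] = {}

    def issue_link(self, customer_id: str) -> str:
        """Build the link for the receipt email / SMS. 256 bits from the OS CSPRNG."""
        token = secrets.token_urlsafe(32)
        self.pending_links[_digest(token)] = (customer_id, self.clock() + LINK_TTL)
        return f"{VERIFY_URL}?t={token}"

    def redeem_link(self, token: str) -> Optional[str]:
        """Consume the link token; return a device token to set as a cookie, or None."""
        # pop() makes the token single-use even when the expiry check below fails.
        # Dict lookup on the digest is fine here: the token space is 2^256, so an
        # attacker gains nothing from lookup timing.
        entry = self.pending_links.pop(_digest(token), None)
        if entry is None:
            return None
        customer_id, expires_at = entry
        if self.clock() > expires_at:
            return None
        device_token = secrets.token_urlsafe(32)
        self.verified_devices[_digest(device_token)] = (customer_id, self.clock() + DEVICE_TTL)
        return device_token

    def device_cookie(self, device_token: str) -> str:
        """Set-Cookie value for the verified-device marker. SameSite=Lax keeps the
        browser from attaching it to cross-site POSTs (CSRF), HttpOnly keeps script
        away from it, and the cookie alone never authorises a fraud-sensitive
        action: the logged-in session is still required on top of it."""
        return (f"device={device_token}; Secure; HttpOnly; SameSite=Lax; Path=/; "
                f"Max-Age={DEVICE_TTL}")

    def verified_customer(self, device_token: str) -> Optional[str]:
        """Customer id this device cookie is verified for, or None if unknown/expired."""
        key = _digest(device_token)
        entry = self.verified_devices.get(key)
        if entry is None:
            return None
        customer_id, expires_at = entry
        if self.clock() > expires_at:
            self.verified_devices.pop(key, None)   # lazy expiry cleanup
            return None
        return customer_id


def token_from_link(url: str) -> str:
    """Extract the t= parameter the way the /verify handler would."""
    return parse_qs(urlparse(url).query)["t"][0]


if __name__ == "__main__":
    # First-purchase scenario: receipt link clicked, browser becomes a verified factor.
    dv = DeviceVerification()
    link = dv.issue_link("cust-42")
    device = dv.redeem_link(token_from_link(link))
    print(dv.device_cookie(device))
    print(dv.verified_customer(device))       # cust-42
    print(dv.redeem_link(token_from_link(link)))  # None: the link was single-use
```

Because the cookie is set by the `shop.example` response, a browser only ever presents it to `shop.example`; a look-alike domain never receives it, which is the property the post relies on when it calls the link flow phishing-proof. The scenario in which the returning customer is on a new phone is simply the case where `verified_customer` returns `None` for that browser and the step-up link is issued again.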
Our CardPass password-less login solution only takes a few lines of code to integrate into your ecommerce site and takes care of all these details for you. As mentioned above, it also has the benefit of making all mobile checkouts 2-factor authenticated.