Google Secure Payment Authentication (SPA)

Read First – Blog on SPA from Checkout.com

Background Reading – June blog eCom politics and Scenarios, and Identity, Authentication and Risk

What’s the big news here? SPA allows Google to stand at par with ApplePay in providing the best-authenticated checkout experience. Google looks to have taken TWO MASSIVE pieces out of the authentication process: 1) the 3DS handshake (putting in a cryptogram instead) and 2) a step up from the Issuer (possibly; a significant portion of this blog). This is a generational improvement and a massive simplification of the current 3DS flow.

The mobile platform is key to authentication and Google is the preferred partner of every bank, merchant and network. Their challenge in SPA? It doesn’t seem that Checkout.com coordinated with the networks on SPA (ie liability shift OR step up). I think it will get worked out as the quality of this innovation is just fantastic.

As I wrote in June, ApplePay 2.0 plans to cross the chasm from mobile only to desktop (as announced at WWDC). Google is proving that they have the same capability, as Chrome makes up about 10-12% of eCom and over 30% of guest checkout at most retailers; they are positioned well (particularly in Android markets).

Key Take Aways

    • Best in class innovation that can be broadly applied across all schemes globally (with Issuer support).
    • Perfect Authentication virtually eliminates most types of fraud. That’s very relevant to merchants with high decline rates. The challenge in ANY scheme working to improve fraud or approval rates is participation of the Issuer. Merchants and issuers working together typically requires a network to scale.
    • A liability shift must be supported by: 1) rule (ex DAF/TAF+3DS), 2) bi-lateral agreement or 3) law. The step up authentication required of banks (by SCA) is independent of 3DS. It is the bank’s responsibility to determine whether a solution is SCA compliant or not (as banks hold the compliance obligation). While Checkout.com may supply the data for 3DS (ex device data and cryptogram), the enhanced approval and cessation of step up is in the control of each bank (or as required by network rule). I don’t think Checkout.com has these approvals; I think they have a solid case for why it should be SCA compliant, but banks have to agree on the format for receiving the information (ie signed cryptogram), and undertake a compliance review as to the confidence in the tech solution. This means the tech is all there; the operations and Issuer acceptance of the tech solution is not (yet).
    • Google and Apple have a unique role to play in all authentication schemes, as they provide the secure device managing certificates and binding a person, device and account to a phone. Apple’s Secure Enclave has shipped in every iPhone since the iPhone 5s. Google has picked up a renewed focus with the integration of the Titan M2.
    • Apple deploys its authentication capabilities only within ApplePay. As announced in June’s WWDC, they plan to expand ApplePay to all platforms and browsers. They have been told by issuers that they are enemy #1 even though they are the most card friendly BigTech on the planet. Regulators are working to break open the secure platform, but I don’t see that happening as there are many other schemes and mechanisms to do this (ex GSMA’s eSIM based SE). 
    • Google plays in many more payment schemes globally (ex UPI and PIX). Google sees the broader need and opportunity to separate payments and identity. Google is the preferred partner to just about everyone and has a world class team.
    • The key to providing “authentication” services is to enable the verification of a credential accepted by another party. This could be a payment credential, a credential issued by the RP, or an ID that must be accepted (ie regulatory eID).
    • There are coverage gaps today for all wallets and platforms. Apple works w/ iPhone and Safari. Google works w/ Android. 
    • Banks have a need for authentication beyond cards, such as RTP, APP online banking access and service authorization. 
    • Banks are also uniquely positioned as the only ubiquitous identity-proofers. This flows from their regulatory KYC/KYB requirements.
    • Visa and Mastercard must provide a common solution that works for everyone, on every device and in every interaction. They also must manage the rules and governance around identity within their networks. It’s just not an option. 
    • We have a giant Venn diagram. Apple/Google can provide authentication to all UCs, but require a provisioned credential and their unique device. It is possible for Google and Apple to work directly with Issuers to define an authentication protocol that only works for their respective devices. But this will be challenged to scale across the network. Device bound cryptography is both more secure and meets regulatory requirements (ex SCA in Europe). 
    • What’s to stop everyone from working in harmony? It’s not technology. But rather governance and economics. 
    • As incumbent leaders in authentication, Visa and Mastercard are best placed to move this ball in payments and assist banks in monetizing their identity proofing role. But this ALSO means creating economics for Google and Apple to participate in creating and enhancing the secure platform. 
    • Banks will gain a new revenue line in identity if they can partner with BOTH V/MA AND Apple/Google.  The next best alternative is government and sovereign identities.
    • PayPal? While Braintree is on a continued tear, with growth in recurring transaction volume likely to juice incremental growth, branded is in trouble. Loyalty will keep core branded volume stable; however, NNA and other customer metrics will see impacts starting mid next year in the 5-10% range. Authentication will change everything.

Authentication Background

Visa and Mastercard are the identity infrastructure of the internet because of the payment + identity bundle. The unbundling of identity is a big deal (see Adios 3DS Hello FIDO and Role of Identity and Trust in eCom). The major innovation in the unbundling of identity is the phone, as it can provide a secure, immutable platform that can bind a person, account and biometric to a device. The verification of an identity is known as authentication. Cryptographically it involves the issuance and binding of an identity credential to the phone, and the device’s ability to uniquely sign over the credential and transaction to prove that the transaction came from that device and no other (see Apple tech overview).

Authentication is a primary process in every commercial and legal interaction. Today, there are a “1000 flowers blooming” across industries; many parallel efforts attempt to guide the structure, protocols, exchange, and assertions associated with identity. For example,

  1. Payments – AVS, CVV, tokenization, CTF, DAF, 3DS, payee confirmation (UK), UPI, PIX
  2. Crypto/DeFi – DAOs, Authentication Provider, Oracle, 
  3. Web 3.0/Metaverse – Decentralized Identifiers (DIDs), Verifiable Credentials (VCs)
  4. Government – Aadhaar, EDL, ePassports, eID (EU)
  5. Healthcare (NIST-800-63-3, RFC 3647, OIDC, UDAP, …etc)
  6. Authentication (FIDO, eIDAS2-EU, EU Digital ID Wallet, OAUTH2, …etc.)

India led the way with identity innovation in UIDAI and Aadhaar. Over the last 6 years, Europe has been the source of most identity innovation within eIDAS (see Identity Models, Government and Governance). Europe’s eIDAS envisions a government role in leading the next phase of a secure internet, and enabling local payment schemes and eGovernment services. Per typical EU “standards” there are no economics for any of this and the central directive hasn’t rippled down through banking law. So while eIDs are issued within a country, interoperability is defined technically but is failing because there is no “trust” in the issuance of IDs across countries. Furthermore, banking law has not been updated to require banks to accept eIDs.

Figure 2 – Exploration of Open Identity Standards – okta

Payments – 3DS

The card networks have worked for 20 yrs to improve the eCom process with 3DS as the focus (see eCom Politics and Scenarios). PayPal Fastlane and card based Secure Remote Commerce (SRC) are also planning to tackle the same problems in FIDO enabled checkout. 3DS existed before the days of platform based biometrics and cryptography. The 3DS spec allows for enhanced device data to flow from merchant to issuer in an eCommerce transaction. For example, in an eCom transaction covering me, the device should not have a time zone set to Korea and a language set to Mandarin. Issuers can use this device data to build a risk model that would improve transaction authorization.

Within the EU, 3DS has been in the market since 2008. Strong Customer Authentication (SCA) requires EU Banks to “step up” 50% of their transactions. Many of the EU banks like to show their brand (and value) within an eCom transaction. This means getting an OTP or a biometric authentication on your phone or online banking app. This “step up” has been a nightmare for merchants, with over 50% of EU merchants opting out of the liability shift and taking on the risk/fraud management themselves.

Given my 20+ blogs on the subject, a quick recap of 3DS issues:

  1. Issuer incentives to make 90% frictionless work. This requires bank investment in data science. CapOne is the model bank (outlined in this MRC blog, along with the Stripe Issuer network).
  2. No standardization of device data going to the Issuer to build the issuer risk authorization model
  3. Merchants unwilling to share any eCom data with Issuers (see data games)
  4. There is a long history of failure of 3DS (see Article). 

FIDO and Device Based Authentication

FIDO passkeys are currently the best technical model for authentication. The FIDO standard is a bilateral exchange of information between two parties (ex consumer and Facebook): the device keeps the private key and registers only the public key with the RP, then proves possession by signing the RP’s challenge at each login. Think of them as storing a digital “key” within your device (ex Chrome browser) that provides you access next time you log in. Today, Apple and Google face challenges in SCA’s device binding requirement (ie cloud based synchronization of credentials). FIDO is evolving in many respects, including the addition of a 3rd party that issues keys to be validated by an RP.

In this state of “standards flux” Apple and Google have developed “better” proprietary solutions. Apple’s are only available within ApplePay. Per the Checkout blog, Google has further improved the CX to provide a signed identity to the Issuer within the authorization message. The consumer experience is fantastic. The security improvement in this scheme over 3DS can’t be over emphasized. However, to accept the credential, the Issuer must have control of the source of the credential and the phone binding process (ie provisioning).
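To make the device-bound model concrete (the binding of a credential to a phone in the Authentication Background section above, and the “Issuer must control provisioning” point in this paragraph), here is an added example that is not code from Google, Checkout.com or the page. It is a small Go program: the issuer records the device’s public key at provisioning, the device signs the transaction fields (token, merchant, amount, nonce) with an ECDSA P-256 key that never leaves it, and the issuer verifies that signature against the provisioned key and rejects replays, tampered amounts, and keys it never provisioned. The field layout, the nonce scheme, and the in-memory `Issuer` store are assumptions for illustration; real message formats are a network/issuer decision.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
)

// Issuer holds, per provisioned payment token, the public key the device generated
// at provisioning time, plus the nonces already accepted (replay protection).
// Hypothetical structure: the page does not say how an issuer stores this.
type Issuer struct {
	keys       map[string]*ecdsa.PublicKey // token -> device public key
	seenNonces map[string]bool
}

func NewIssuer() *Issuer {
	return &Issuer{keys: map[string]*ecdsa.PublicKey{}, seenNonces: map[string]bool{}}
}

// Device models the phone's hardware-backed key store: the private key never leaves it.
type Device struct {
	token string
	priv  *ecdsa.PrivateKey
}

// Provision generates the device key and binds its public half to a token at the issuer.
// This is the step the text says the issuer must control.
func Provision(iss *Issuer, token string) (*Device, error) {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	iss.keys[token] = &priv.PublicKey
	return &Device{token: token, priv: priv}, nil
}

// txDigest canonically hashes every field the signature must cover, so that
// changing the merchant, the amount or the nonce invalidates the signature.
// Field layout is illustrative (assumption), not a network message format.
func txDigest(token, merchant string, amountMinor int64, nonce string) []byte {
	h := sha256.New()
	fmt.Fprintf(h, "%s\n%s\n%d\n%s\n", token, merchant, amountMinor, nonce)
	return h.Sum(nil)
}

// Sign produces the per-transaction "cryptogram" that travels with the authorization.
func (d *Device) Sign(merchant string, amountMinor int64, nonce string) ([]byte, error) {
	return ecdsa.SignASN1(rand.Reader, d.priv, txDigest(d.token, merchant, amountMinor, nonce))
}

// Verify is the issuer-side check when the signed payload arrives. The nonce is
// only marked as used after a valid signature, so a forger cannot burn nonces.
func (iss *Issuer) Verify(token, merchant string, amountMinor int64, nonce string, sig []byte) error {
	pub, ok := iss.keys[token]
	if !ok {
		return errors.New("unknown token: no device key was provisioned")
	}
	if iss.seenNonces[nonce] {
		return errors.New("replayed nonce")
	}
	if !ecdsa.VerifyASN1(pub, txDigest(token, merchant, amountMinor, nonce), sig) {
		return errors.New("signature does not match the provisioned device key")
	}
	iss.seenNonces[nonce] = true
	return nil
}

func main() {
	iss := NewIssuer()
	dev, err := Provision(iss, "tok_4111") // constructed sample token
	if err != nil {
		panic(err)
	}
	sig, _ := dev.Sign("shop.example", 1999, "nonce-0001")
	fmt.Println("cryptogram:", hex.EncodeToString(sig)[:32], "...")
	fmt.Println("first use:", iss.Verify("tok_4111", "shop.example", 1999, "nonce-0001", sig))
	fmt.Println("replay:   ", iss.Verify("tok_4111", "shop.example", 1999, "nonce-0001", sig))
	fmt.Println("tampered: ", iss.Verify("tok_4111", "shop.example", 9999, "nonce-0002", sig))
}
```

The point the example makes about governance is in `Provision`: whoever runs that step owns the trust anchor. If Google or Apple generate and register the key, the issuer is trusting their provisioning and binding process; if the issuer does not hold the public key (or a network does not route the signature to it), `Verify` has nothing to check against and the cryptogram is just bytes in a field.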

The challenge for Google and Apple is that their schemes won’t work across handset operating systems. The challenge for V/MA is that banks may view SPA as the authentication solution for every payment type (card and non-card). Google has always welcomed more open use of its services.

Governance within the Authentication process is required both within and across domains (from my blog Identity, Authentication and Trust). Anyone looking to bridge a domain must have a role in both, for example a regulated bank and a cryptocurrency. Within consumer-focused activities, what entities are likely to be most successful in bridging domains? Those that can:

  1. Define rules, roles and governance
  2. Holds the most complete view of a consumers identity
  3. Ability to authenticate and authorize a permissioned actor 
  4. Organize and manage economic incentives for all parties
  5. Ability to bear risk, or hold the counterparty accountable for fulfilling commitment
  6. Attract a critical mass of participants
  7. Manage operations of the end-end process (globally)
  8. Take action across domains
  9. ???Support decentralized model

Today Apple/Goog and V/MA are best placed to win (see Cointelegraph – Cards bridge Web3 and Web2).

Trust and Governance 

Visa and Mastercard provide the rules and governance structure for operations within their network (payments domain). Checkout.com may have the ability to place a cryptogram into an ISO 8583 field. But for that to get routed to the Issuer, and for the Issuer to act on it, requires network support. Similarly, Issuers must know “how” to respond to a signed data payload. Google and Apple could work directly with issuers to pass information around the networks, but this model is hard to scale.

Governments are set to deploy digital identity (eID, State Drivers license, national ID). But the rules which force banks to accept these IDs are not here today. Innovation in networks is so hard.

Predictions

  • Google SPA will be the best in class digital identity and authentication model in all payment types
  • Apple will be successful in holding off regulators and maintain ApplePay as the only mechanism to use its secure platform in payments.
  • ApplePay will succeed in expanding to desktop with Google as its top competitor
  • Google will be the preferred partner of EVERYONE as they are the only entity willing to test and iterate. 
  • Visa and Mastercard will build a FIDO based authentication platform that works for all devices and all customers in Payment Passkeys. 
  • Card networks will unlock the economics of identity for Apple/Google and Issuers and continue their role as the ID infrastructure of the internet.
  • Perfect authentication will create significant financial impact on PSPs by 2027. 
  • EU banks will succeed in SRC wallet and ApplePay will not significantly grow EU volume outside of iOS.
  • The US version of SRC (Paze) will only succeed with a new CEO capable of focusing the Issuers. I believe the most important core innovation of SRC globally will be an authentication model that will support all wallets and all issuers. The wallet itself needs to do so much more than payments; I just don’t see banks winning here.

PS

I’m pretty passionate around this stuff. Not only do I see identity as key for network revenue growth, I see it as a driver of new GDP growth: improvements in identity unlock new sources of capital and the more efficient deployment of resources. The future of the “web” looks a lot more like a commercial network than it does a blockchain based web 3.0. That’s the subject of my next blog.

Also. I’m in the midst of forming a cross industry “identity interoperability lab” with first focus on payment. Lining up the charter members now with an eye toward 2025 launch. More to come. 
