Why Two Factor Authentication Is A “Conversion Killer” & “Blood Pressure Booster”

Any digital payment goes through a long and tortuous value chain comprising multiple entities.

If we take credit card as an example, the entities include Consumer (e.g. You), Merchant (e.g. Amazon, DMART), Issuer (the bank that issues the card and enables the Consumer to make card payments e.g. Citi), Acquirer (the bank that supplies the POS terminal and enables the merchant to accept card payments e.g. ICICI Bank), Card Network (e.g. Visa, MasterCard, RuPay), Electronic Payment Gateway (e.g. Bill Junction), Payment Service Provider (e.g. PayZapp) and Mobile Network Operator (e.g. Vodafone).

Given below is the process flow diagram for a credit card transaction (Scenario: Card Present / In-store i.e. payment at the checkout of a brick-and-mortar store).

Credit Card Payment Process Flow

Each player processes a part of the payment and forwards it along to the next player in the value chain. To that extent, the card payment rails resemble a power train made up of several moving parts, each of which is fully automated via software.

Here’s a nice video illustrating what happens behind the scenes (along with a history of the credit card).

In a card payment subject to two factor authentication, there are typically five moving parts. When a Consumer pays by card on the Merchant’s website, they’re shunted around from one moving part to another. One tells them to enter their card details (card #, etc.), another prompts them to enter their password (e.g. VerifiedByVisa), and another sends an OTP (One Time Password) to their mobile phone, and so on. The Consumer is confronted by several systems, each with a different UI, flitting around the screen, one after the other in rapid succession. This causes a lot of anxiety. In response, some Consumers abandon the payment midway. The Merchant loses business. Ergo Conversion Killer #1.

The remaining intrepid Consumers who brave the friction and complete the journey now rely on the various moving parts to go to work to process the payment. When all moving parts hum along nicely and complete their respective tasks, the payment succeeds. But even if one moving part is down, the payment fails.

In an ideal world, all servers will have 100% availability, all pipes will enjoy non-stop connectivity, and all software will be bug-free – enabling all moving parts to work 24/7/365 and process 100% of payments successfully.

But things are not so hunky dory in the real world. Cost and other constraints cap the uptime of each moving part to around 90%. That means an end-to-end 2FA transaction traversing five moving parts will succeed only 59% of the time (being 0.9*0.9*0.9*0.9*0.9*100%). Ergo, a credit card payment subject to 2FA has a success rate of only ~60%. Which means the Merchant loses 40% of its business. Ergo Conversion Killer #2.

The remaining 40% of 2FA payments fail, which means the Consumer’s account is debited but the Merchant’s account is not credited, and the Merchant will refuse to ship / hand over the ordered goods. Ergo Blood Pressure Booster #1.

Failed payments fall into a “CyberAbyss” of sorts, which comprises Collection Account of Merchant, Nostro Account of Sender Bank at Scheme Operator, Nostro Account of Beneficiary Bank at Scheme Operator, Internal Collection Accounts at Sender Bank and Beneficiary Bank, Scheme Operator Account, Unintended Beneficiary’s Account, and dozens of other nooks and crannies in the payment value chain.

Some Merchants / Issuers use sophisticated tools and are mindful about Customer Experience. They will be able to ferret out failed payments from the CyberAbyss and reprocess them quickly. Others don’t and won’t, so failed payments will remain stuck in the CyberAbyss for a long time.

Consumers of the first cohort will get their money back in their accounts automatically within a few days. Consumers of the second cohort will be made to run from pillar to post between the Issuer and the Merchant for several months to get a refund. Ergo Blood Pressure Booster #2. Consumers in both cohorts will think twice before hazarding another card payment in future.

In a nutshell, two factor authentication for credit card payments introduces tremendous friction and causes a lot of failed payments, thereby resulting in loss of revenues for Merchants and stress for Consumers. Ergo it’s called a “Conversion Killer” and “Blood Pressure Booster”.

It’s not only me. STRIPE, one of the world’s leading payment processors, reported that 2FA resulted in an overnight conversion drop of 25%.

UPDATE-1

The above was for a credit card payment (also applicable to debit card).

The problem is exacerbated when it comes to FPS, NEFT, IMPS, UPI, etc. Called Account-to-Account Real Time Payments, these digital payments face all the aforementioned challenges encountered by a credit and debit card payment but, in addition, they’re hampered by more problems like leakage and inconsistency of data between the various moving parts.

Take IMPS for example.

Sender may enter a narration for the payment. But as the payment flows through the systems of the Sender’s Bank, Scheme / Payments Service Provider and Receiver’s Bank, the narration – and even Sender’s mobile phone number – may not survive the trip, as you can see from the exhibit on the left. As a result, the Receiver receives wrong / incomplete information. This makes troubleshooting and retrieval of failed A2A RTP payments even harder.

UPDATE-2

In the original post, I said that there are five moving parts in a 2FA card payment. That was a drastic underestimate. The actual figure is 14.
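The serial-availability arithmetic behind the 59% figure above, and its UPDATE-2 correction to 14 moving parts, worked through as an added example (not code from the original post). The 90% per-hop uptime is the post’s round number; the 97% end-to-end target is a constructed value, chosen to match the ~3% technical failure rate that UPDATE-9 cites for UPI.

```python
"""Serial availability model for a multi-hop payment rail (added example).

The post's model: a payment traverses N "moving parts" in series, each up
~90% of the time, so the end-to-end success rate is the product of the
per-hop availabilities. Availability figures are the post's round numbers
or constructed for illustration.
"""
from typing import Sequence


def end_to_end_success(availabilities: Sequence[float]) -> float:
    """Probability that every hop in a serial chain is up at once.

    A single hop that is down fails the whole payment, so the rates
    multiply. No redundancy or retry is modelled, as in the post.
    """
    rate = 1.0
    for a in availabilities:
        if not 0.0 <= a <= 1.0:
            raise ValueError(f"availability out of range: {a}")
        rate *= a
    return rate


def required_per_hop_availability(hops: int, target: float) -> float:
    """Uniform per-hop availability needed to reach a target end-to-end rate.

    Solves a**hops == target for a, which shows how steeply the per-hop
    bar rises as hops are added to the chain.
    """
    if hops < 1 or not 0.0 < target <= 1.0:
        raise ValueError("hops must be >= 1 and 0 < target <= 1")
    return target ** (1.0 / hops)


if __name__ == "__main__":
    # The post's figures: five hops at 90% each, then the corrected 14 hops.
    for hops in (5, 14):
        rate = end_to_end_success([0.9] * hops)
        print(f"{hops:>2} hops at 90% each -> {rate:.1%} of payments succeed")
    # Reverse question: what must each hop deliver to keep technical
    # failures under the ~3% figure cited for UPI in UPDATE-9 (constructed target)?
    for hops in (5, 14):
        need = required_per_hop_availability(hops, 0.97)
        print(f"{hops:>2} hops, 97% end-to-end target -> each hop >= {need:.2%}")
```

With 14 hops at 90% the chain succeeds only about 23% of the time, and holding a 97% end-to-end rate across 14 hops requires every hop to exceed 99.7% availability.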

UPDATE-3:

Here’s a thread on payment failure and the ordeal involved in recovering the money:

UPDATE-4:

Here’s a guy whose online payment failed and his bank doesn’t seem to have the tools to ferret it out from the CyberAbyss.

UPDATE-5:

As a result of friction and risk of failed payment introduced by two factor authentication, many people including me who were using credit card for online shopping earlier switched to Cash or Card on Delivery (COD), with the result that use of cash did not decrease.

PayTM and other alternative payments emerged with innovative ways of subverting 2FA, thus increasing adoption of digital payments.

Looking at their exploding popularity, banks and regulators realized that, while it was noble, their traditional thinking “security first, convenience next” failed to resonate with the consumer behavior that people want security but only until they get it. They figured out why IMPS, the 24*7*365 Account-to-Account Real Time Payment system launched by bank consortium NPCI, met with lukewarm reception from the public. Learning their lesson, they went back to the drawing board and launched UPI.

UPDATE-6:

UPI is a frictionless overlay on top of IMPS. It makes one factor implicit by moving it to the payer’s mobile phone. With some sharp implementation practices, some popular payment apps have obfuscated the second factor as well for a vast range of usage scenarios. UPI has virtually eliminated the friction inherent in direct IMPS and NEFT payments. As a result, it has garnered tremendous adoption and has taken digital payments usage to new heights in India.

However, according to ET PRIME, UPI still has “too many moving parts” and a “poor architecture” compared to credit card payments.

UPI vs. card payments: A system designed for mass adoption needs to minimise steps, failure points. UPI makes it easy for a merchant to accept payments digitally without an upfront cost of a POS machine. But it fares poorly when compared with a card transaction. This is a consequence of too many moving parts and a poor architecture of UPI.

Also, judging by the number of incidents of UPI fraud we read about in the newspapers almost every day, UPI seems particularly prone to attack. But it’s undeniably convenient. At the end of the day, people choose a digital payment product over cash because it’s convenient to make payments with it. While they expect their payments to be safe, nobody uses a payment product because it’s safe.

UPDATE-7:

The original post has a distinctly Indian flavor. That’s intentional – so far, India has been the only trillion dollar economy to mandate two factor authentication for online payments.

But that’s about to change, with European Union stipulating Strong Customer Authentication (SCA) for payments above EUR 30 (US$ 33.79), as a part of the new Payment Services Directive. For the current context, SCA is interchangeable with 2FA.

Conversion is marketing industry jargon for when a website visitor actually buys something. This is a function of (1) Ability to complete the payment and make the purchase (2) Willingness to complete the payment and make the purchase.

The original post concerned itself with #1.

But, when it comes to developed markets, #2 is extremely important. Consumers making discretionary purchases tend to get ticked off and click away when they’re faced with too many steps during checkout. Ergo Amazon patented 1-Click Shopping, a feature that is widely regarded as one of the most important drivers of Amazon’s success.

Leading payment services providers like STRIPE and WorldPay foresee a huge loss of revenues due to SCA on this count.

According to The Washington Post article entitled The Fintech Bubble Floats Toward a $64 Billion Pin:

If consumers were just to think twice – if a smartphone purchase on Amazon took two clicks instead of one – that might indeed be a serious brake on business.

This might seem alarmist to people in emerging markets who keep retrying failed payments until they succeed. Someone I know claims that he’d once made 24 failed attempts to book a Pune-Mumbai Shivneri bus ticket before finally succeeding on the 25th attempt. (Apparently the bus company didn’t know that the payments for 24 seats had failed, so it had kept 25 seats reserved, out of which only one got occupied.)

But the above doomsday scenario sounds extremely plausible to others who have operated in mature markets where customers have dropped a vendor from their shortlists because its proposal had too many typos.

UPDATE-8

Copy-pasting my comment below Finextra article on 1 April 2020:

America’s FFIEC announced 2FA guidelines for online payments in 2005 and reissued them in 2012. The USA still does not have 2FA for online payments. The sky hasn’t fallen with fraud. RBI mandated 2FA for online payments in India 10-12 years ago. Friction increased. Payments failed. Conversion nosedived. Fraud reduced but at the cost of transactions not happening in the first place. A couple of years ago, RBI-administered NPCI launched UPI, which makes one factor implicit by moving it to the payer’s mobile phone. With some sharp implementations, many popular payment apps obfuscated the second factor as well for a vast range of usage scenarios. As a result, digital payments have become frictionless and adoption has skyrocketed. By now, it should be clear to any regulator that 2FA is a conversion killer and blood pressure booster. If any of them is still pushing through with its mandate, I can’t help believing it’s only to save face.

UPDATE-9

The Economic Times dated 21 November 2020 carries an interesting article entitled Eight banks suffer a higher rate of failure in digital transactions regarding UPI payment failures. Given below is a quick summary of facts and figures from this article (see https://outline.com/fGvENs):

  1. A typical peer-to-peer UPI transaction involves the exchange of real time information between the servers of remitter bank, sponsor bank on UPI network, the NPCI’s server, and the beneficiary account. For merchant transactions, the flow becomes even more complex with an additional settlement layer. “The UPI architecture is complex as it involves real time communications between the servers of up to 5 entities. Any delay in real time information exchange even in one of the layers due to downtimes or network failures can lead to failed (payment)”.
  2. At least eight Indian banks – mostly public sector banks – suffered a high rate of failure in digital transactions during October 2020. These failures, which are classified as technical failures, occur largely due to server downtimes and network issues within the banks. (This is the context of the terms “failed payment” or “payment failure” in the above original post.)
  3. A payment can fail – in fact be destined for failure – because of insufficient funds, exceeding daily transfer limits, wrong password, and other reasons unrelated to technology. That kind of failure is termed “business failure” and is outside the purview of the above original post.
  4. The technical failure rate of over 3% … is leading to widespread concern in the fintech industry.
  5. State-owned lender Corporation Bank had the highest technical decline rate of 14.8%. (In UK etc., payment schemes like FPS will kick out member banks who fail to maintain a certain minimum success rate. But, in India, such things are politically difficult especially if the said member bank is a public sector bank like Corporation Bank.)
  6. Others with high failure rates include (Public Sector Banks like) Canara Bank with a failure rate of 9.8%, Bank of India with 4.2%, while the country’s largest mass-lender State Bank of India recorded a rate of 3.7%.
  7. “For a 24x7 payment channel to record elevated failure rates over a prolonged time can lead to pile-up in debit reversal dues and cause reputational risks”.
  8. Private sector banks fared better in comparison, with HDFC Bank, Axis Bank and ICICI Bank all recording failure rates less than 1%. Among large private lenders Kotak Mahindra Bank had the highest failure rate at 2.36% in October. Paytm Payments Bank had the lowest failure rate in the industry at 0.02%.
  9. …ten of the top thirty UPI remitting banks, showed failure rates of over 3%. …the real failure rate could be even higher as “millions of transactions declined due to switching errors” and are not reflected in NPCI’s data set.
  10. Also, a matter of concern for the payments industry is the pile-up of credit reversal dues when the amount gets debited from the remitters’ account but is not credited in the beneficiary’s bank account. SBI in October alone processed 13.16 million debit reversals…

In case the above article is paywalled, please see the print version below.

UPDATE-10

The common man is slowly realizing that 2FA serves the interest of banks, not him. As I highlighted here,

When fraud happens, they go to their banks to get the fraudulent charge reversed. Instead of fulfilling their request immediately, the bank will fob them off by telling them “Only you know PIN / OTP, so you only must have made the payment, get lost”.