The Integration of FIDO in Online Credit Card Transaction Authentication Mechanism

Shu-Zhen Yang, Chia-Ning Luo, Ming-Hao Yang

Abstract


3D Secure (3DS), a standard developed by EMVCo for online card-not-present transactions, aims to enhance security in such scenarios. Version 3DS 2.2 introduced the Fast IDentity Online (FIDO) authentication mechanism to ensure identity accuracy, with merchants acting as the FIDO authentication entities. However, this approach may lead to issuing banks receiving potentially inaccurate authentication results, thereby increasing the risk of identity fraud.
This study proposes the 3DS-FIDO framework to enhance the overall registration and transaction processes. In this framework, the user’s FIDO authenticator must first complete physical card binding through the EMV card authentication protocol. Subsequently, for each transaction, the issuing bank verifies the user’s FIDO identity. This ensures dual verification via 3DS and FIDO by the bank, eliminating the inconvenience for users of binding FIDO credentials with individual merchants. It also reduces the risk of identity fraud. Finally, we conduct a security analysis of 3DS-FIDO and demonstrate that the proposed framework effectively resists various attacks.
This study significantly enhances identity verification security within 3DS. Through the binding of physical cards with authenticators, the authenticator is effectively validated as a representation of the legitimate physical card. Compared to the original 3DS process, this framework offers superior security and effectively mitigates the occurrence of online card-not-present fraud.


Citation Format:
Shu-Zhen Yang, Chia-Ning Luo, Ming-Hao Yang, "The Integration of FIDO in Online Credit Card Transaction Authentication Mechanism," Communications of the CCISA, vol. 30, no. 4, pp. 14-26, Nov. 2024.

Published by Chinese Cryptology and Information Security Association (CCISA), Taiwan, R.O.C
CCCISA Editorial Office
E-mail: ccisa.editor@gmail.com