At first glance, the metal or plastic credit card’s place in the connected economy seems a bit … well, tenuous.
Tucked in the wallet, that tangible rectangle may not see much daylight in an age where the great digital shift has brought us all to transact online, on devices — and tapping phones (loaded with digital wallets) with increasing regularity.
In the connected economy, consumers want to transact across channels without interruption, and with fluidity and flexibility. They want the efficiency of a single ecosystem. A recent PYMNTS study found that some 40 percent of consumers are highly connected, using as many as half a dozen devices to navigate their way through daily tasks and transactions.
The super-connected consumer clearly wants an easier way to manage logins across their many devices. But simply adding another piece of hardware to the mix — especially in the bid to beef up security — seems counterintuitive.
In a nod to the challenge of using offline devices to authenticate users online, Google said this week that it is discontinuing its Bluetooth Titan Security Key, opting instead to only offer devices that have near-field communication (NFC) functionality.
But a new partnership announced on Wednesday (Aug. 11) between passwordless authentication firm Nok Nok and payment card and crypto storage company CompoSecure seeks to turn the metal credit card into tokens, linking account numbers with FIDO standards in a way that gives cards a whole new functionality: Namely, the card itself becomes an authentication tool and universal identifier.
In an interview with Karen Webster, Phil Dunkelberger, CEO of Nok Nok, and Jonathan Wilk, CEO at CompoSecure/Arculus, said the strategic linkup between the two firms brings us even closer to a future of consumers logging on, across channels and multiple devices, without passwords.
Dunkelberger said that, generally speaking, “when you ask a customer to carry a separate device or a separate token, very few customers will be willing to go through that process.”
But with the marriage between cards and tokens, he noted, the effect is analogous to “what happens when you crush a candy bar of pure milk chocolate into a jar of peanut butter — you’ll find something delicious that didn’t exist before.” The usability and allure of both components — in this case, the metal card and the stronger security — are magnified in the combination.
As Wilk said: “When we can attach a FIDO token to a customer’s payment card at the time of issuance, you bring together the PAN (primary account number) and the token in a way that is unique … think of a payments card that can ‘talk’ to all of your connected devices.”
For the banks and the issuers, there’s the added functionality and selling point of turning cards — which they’d be issuing anyway — into security keys. That should provide a tailwind to digital transactions and put those traditional players in a more competitive position against FinTechs and other digital-first or digital-only competitors, such as challenger banks.
Dunkelberger and Wilk maintained that reissuing cards with advanced security and enhanced user experience will generate returns (and increased use) that will outshine the cost to get those cards out in the field.
Reissuance is easy, noted Dunkelberger — users can have their tokens stored in the phone, and if they lose the card, it can be reissued.
“From a flexibility of deployment standpoint, there are a number of ways that allow you to do that,” he said. “The card holds the token, and we can move that dynamically with the backend servers from one capable card to another.”
The Virtual ‘Ignition Key’
At a high level, the executives said, the card is a “virtual ignition key” that authenticates a user across any services or devices.
In terms of the mechanics, the joint efforts to create an “internet ID and payment card” helps meld a personalized identity with a payment form factor that has been around for decades, and is pretty much ubiquitous.
Users are authorized to make transactions wielding the CompoSecure metal cards through an action such as swiping a finger, inputting a PIN or tapping cards to their phones in order to enable NFC-encrypted transaction. Those levels of authorization are customizable at the discretion of the user, said Dunkelberg and Wilk, in a mix-and-match fashion.
As Wilk noted, the token/card combination also has use cases beyond payments. “If you lose your phone, you still have the card as a means to reauthenticate your device and enable a customer to authenticate themselves. And, more importantly, you also have the ability to set up a policy-based rule, or rules, for logging in,” he explained.
A user could mandate that for certain transactions — it’s not just the swipe or biometric/facial recognition that will be required to authenticate the user and implement a transaction. Tapping the card to the back of the phone will also be a necessary, third factor in authentication, Wilk told Webster.
In another scenario, if the card is not within three meters of the NFC device and somebody is trying to log in, said Dunkelberger, the implication is that the card is missing or the device has been stolen or lost, so the transaction won’t go through.
Positive Ripple Effects
The ripple effects of stronger authentication are tangible, said Wilk and Dunkelberger. When it comes to payments, boosting security and introducing tokenization into the process helps to reduce chargebacks and smooth online transactions as we move beyond SMS OTP. Within financial services, the card can serve as a credential for secure transactions.
And within the crypto sphere, the company said in its press release on Wednesday, the Nok Nok’s FIDO token technology will integrate with CompoSecure’s Arculus Key card, an “air-gapped” storage solution that connects to the Arculus Wallet mobile app via an encrypted NFC connection.
Wilk told Webster that the “air gapped” status, where data are stored offline, boosts crypto security. Crypto exchanges need better authentication capabilities, said Dunkelberger. Expanding protections with FIDO to CompoSecure’s Arculus platform, tied to crypto storage, requires the same biometrics, PIN and tap functions to help combat the billions of dollars of fraudulent activity that have been a huge challenge for crypto firms in recent years, he said.
Looking ahead, Wilk and Dunkelberger said the strategic partnership will start to work with issuing partners in pilots during the fourth quarter, rolling out the tokenized cards next year.
As Dunkelberger told Webster, in the world of money, there’s no better understood existing capability than a credit card or debit card. With the partnership between Nok Nok and CompoSecure, “if you know how to use a credit card and you know how to do online commerce and banking [across devices], you can now make it more secure — without changing any of your behaviors,” he said.