How Authentication Works
Authentication follows a defined sequence of steps that must occur before a user gains access or a transaction proceeds. Each step narrows the field of possible impostors, culminating in a confident identity decision. Understanding the flow helps merchants and developers identify where vulnerabilities can enter.
Identity Claim
The user presents an identifier — a username, email address, or card number. This claim alone proves nothing. It simply tells the system who is attempting to authenticate, opening the verification process.
Credential Submission
The system requests one or more proofs of identity. The user submits credentials: a password, a biometric scan, a one-time passcode, or a cryptographic key stored on a trusted device.
Verification
The system compares submitted credentials against stored records or cryptographic proofs. In payment authentication, this check may involve the card issuer's access control server, a 3D Secure directory server, or a FIDO2 relying party.
Risk Assessment
Modern authentication systems layer a dynamic risk score on top of credential validation. Signals such as device fingerprint, IP geolocation, transaction velocity, time of day, and behavioral patterns influence whether the session proceeds silently or escalates to a challenge.
Access Decision
If credentials are valid and risk is acceptable, access is granted or the transaction is passed to authorization. If risk is elevated, the system triggers step-up authentication — requesting an additional factor — before permitting the action.
Why Authentication Matters
Authentication failures are the root cause of the majority of payment fraud and data breaches worldwide. The financial and reputational consequences of weak authentication far outweigh the implementation cost of getting it right.
According to Verizon's 2024 Data Breach Investigations Report, more than 80% of hacking-related breaches involve the use of lost, stolen, or weak credentials — making authentication the single most impactful control in any payment security architecture. IBM's Cost of a Data Breach Report 2023 found that breaches originating from compromised credentials carried an average total cost of $4.45 million, the highest of any initial attack vector. Separately, Javelin Strategy & Research estimated that account takeover fraud cost U.S. consumers $11.4 billion in 2022, a figure driven almost entirely by the exploitation of weak or reused passwords across payment accounts.
Regulatory requirement: PSD2 Strong Customer Authentication
Under the EU's PSD2 directive, Strong Customer Authentication (SCA) is mandatory for most online card transactions in the European Economic Area. SCA requires at least two independent factors from different categories. Transactions that fail SCA must be declined by the issuer. Non-compliance exposes merchants to regulatory penalties and elevated decline rates.
Authentication vs. Authorization
Authorization and authentication are the two foundational pillars of payment access control, yet they are routinely conflated. Getting the distinction right is essential for system design, compliance reporting, and incident response. Authentication always comes first — authorization is impossible without it.
| Dimension | Authentication | Authorization |
|---|---|---|
| Core question | Who are you? | What are you allowed to do? |
| Sequence | First — before any access | Second — after identity is confirmed |
| Data involved | Credentials, biometrics, tokens | Permissions, roles, spending limits |
| Payment example | Cardholder completes a 3DS2 challenge | Issuer approves or declines the charge amount |
| Failure outcome | Login blocked; transaction halted before routing | Action denied; insufficient permissions or funds |
| Key standards | FIDO2, OAuth 2.0, 3DS2, SAML | OAuth 2.0 scopes, RBAC, spending controls |
A transaction can never be authorized without prior authentication. Systems that skip authentication and rely solely on authorization controls are structurally vulnerable to identity spoofing attacks.
Types of Authentication
Multiple authentication mechanisms exist across payment systems, each with distinct security profiles, user experience trade-offs, and regulatory standing. Choosing the right type — or combination — depends on the risk profile of the action being protected.
Password-based authentication is the most widely deployed method. Users supply a secret string known only to them. It is low-friction to implement but vulnerable to phishing, credential stuffing, and brute-force attacks at scale.
Multi-factor authentication (MFA) combines two or more independent factors from different categories. Even if one factor is compromised — such as a leaked password — the attacker is blocked without the second. MFA is the minimum recommended standard for any account with access to payment data or configuration.
Biometric authentication uses physiological characteristics — fingerprint geometry, facial recognition, iris scans — or behavioral patterns to verify identity. It is increasingly the default in mobile banking and payment apps, offering both high assurance and minimal user friction.
3D Secure is the payment card industry's dedicated cardholder authentication protocol. Version 2 supports risk-based flows, passing low-risk transactions frictionlessly while issuing a step-up challenge — such as a biometric or OTP — for higher-risk activity. It is the primary authentication mechanism mandated under PSD2 SCA.
Token-based authentication issues a cryptographic token — a JWT, TOTP, or hardware OTP — after initial credential verification. Subsequent requests present the short-lived token rather than raw credentials, limiting exposure over the network and simplifying session management.
Passkeys (FIDO2/WebAuthn) represent the emerging passwordless standard. They use asymmetric cryptography anchored to a registered device, eliminating shared secrets entirely. Because the private key never leaves the device, phishing attacks that steal passwords are structurally impossible against passkey authentication.
Best Practices
For Merchants
- Enforce MFA on all admin, dashboard, and back-office accounts. Credential stuffing campaigns routinely target merchant portals where refunds, configuration changes, and payout settings can be modified. A single compromised password should never be sufficient.
- Implement 3DS2 for all card-not-present transactions. Beyond fraud reduction, successful cardholder authentication shifts chargeback liability to the card issuer, directly protecting your revenue from friendly fraud disputes.
- Adopt risk-based authentication to preserve conversion. Trigger step-up challenges only when behavioral and contextual signals warrant it. Frictionless flows for low-risk transactions protect conversion rates while reserving friction for genuine threats.
- Monitor failed authentication events in real time. A sudden spike in failed login attempts is an early indicator of a credential stuffing or brute-force campaign. Automated alerting enables rapid response before accounts are compromised.
- Use tokenization to minimize credential exposure. Replacing raw card data with surrogate tokens means a compromised database yields nothing usable to an attacker — authentication credentials and card data should never coexist in the same store.
For Developers
- Never store passwords in plaintext or with reversible encryption. Use memory-hard hashing algorithms — bcrypt, scrypt, or Argon2id — with per-user salts and appropriate work factors tuned to your hardware.
- Implement rate limiting, CAPTCHA, and lockout policies. Restrict failed authentication attempts per IP address and per account to blunt brute-force and credential stuffing attacks without blocking legitimate users through excessive lockouts.
- Validate session tokens server-side on every authenticated request. Client-side validation is trivially bypassed. All access decisions must be enforced at the server, with tokens verified against a current, unexpired, unrevoked state.
- Use short-lived access tokens paired with refresh token rotation. Long-lived tokens expand the blast radius of a leak. Rotating refresh tokens on each use ensures a stolen token is invalidated the moment the legitimate user next authenticates.
- Emit structured authentication logs with full context. Record timestamps, IP addresses, device identifiers, user agents, and authentication outcomes for every attempt. These logs are foundational for incident response and PCI DSS audit trails.
Common Mistakes
Relying on single-factor authentication for sensitive actions. A password alone is insufficient for high-value operations — changing bank account details, issuing bulk refunds, rotating API credentials, or modifying fraud rules. Step-up re-authentication should gate any action with significant financial or security consequences.
Treating authentication as a one-time event per session. Session hijacking occurs after login, not during it. Continuous or step-up re-authentication — triggered by behavioral anomalies or privilege escalation attempts — catches attackers who have stolen a valid session token rather than the original credentials.
Leaking user enumeration data through error messages. Displaying "incorrect password" versus "account not found" as distinct errors tells attackers which email addresses are registered. Use a single generic message — "incorrect email or password" — for all failed authentication attempts to prevent user enumeration.
Leaving API endpoints unauthenticated while securing the UI. A common and critical oversight: the web interface requires login, but the underlying API routes accept unauthenticated requests from anyone with the correct endpoint path. Every route that touches payment data must enforce authentication, regardless of how it is accessed.
Skipping authentication bypass scenarios in security testing. Logic errors in authentication flows — trusting client-supplied user IDs, skipping checks on non-standard HTTP methods, or mishandling redirect parameters — are among the most frequently found critical vulnerabilities in payment platform penetration tests. Explicit bypass scenarios must be part of every security test plan.
Authentication and Tagada
Authentication is foundational to how Tagada secures its payment orchestration layer across multiple processors, acquirers, and payment methods. Every API call to the Tagada platform is authenticated using scoped API keys, and sensitive administrative operations require elevated verification to prevent unauthorized configuration changes.
When connecting a new processor or acquirer through Tagada's orchestration layer, scope your credentials to the minimum permissions required for that integration. Tagada's encrypted credential vault stores processor secrets at rest, so raw credentials are never transmitted after initial setup. Combine this with IP allowlisting on your API keys to ensure that even a leaked key cannot be used from an unauthorized network.