The world of payments is evolving into a more digital and contactless form. Whereas consumers enjoyed the human interaction part of the payment process up until a few years ago, they now want everything to be quick and frictionless. PayPal is trying to establish itself as a player in this segment by introducing its One Touch payment solution. Unfortunately, this is not an innovative feature per se, although it might make things slightly more convenient.
PayPal One Touch – Convenience & Security Don’t Mix Well
On the surface, PayPal One Touch sounds like a pretty solid solution for facilitating payments through the platform. What One Touch does is allow PayPal users to pay automatically for subsequent orders after their first login, without having to go through the login process itself every time. In a way, this ties the device used for the payment to its owner and uses it as a form of authentication.
However, this also creates a major security risk for PayPal users. Forcing users to log in just once is convenient, but it also means that any future purchase made from that device will not require the user to log in again. To some people, this sounds like a good solution to get rid of the username and password scenario, but there are some drawbacks to this concept as well.
PayPal’s Head of Products and Engineering Bill Ready stated:
“One Touch is one of the biggest changes to online shopping since PayPal pioneered digital payments more than a decade ago. Unlike new checkout tools that require a login and password, once a customer opts in, One Touch authenticates customer credentials for up to six months so that people don’t need to even log in to check out.”
By not requiring PayPal users to log in for every subsequent purchase, there is no way to differentiate between legitimate and fraudulent payments. For example, if a user pays for all of their purchases on a computer, what is stopping a hacker from remotely accessing that computer and making a One Touch payment to his own account?
Even mobile devices are not safe from harm in this scenario, as the number of malware infections is on the rise. This threat is of particular concern to mobile users, as they are the group most likely to get infected through third-party software or advertisements. Furthermore, most of these types of malware can operate without the end user even noticing something is wrong.
Keeping in mind that One Touch has been available for more than a year on mobile devices, and that 16 markets around the world have access to a web-based version, security is of the utmost importance for PayPal. That being said, this entire concept seems to be a bit flawed from the start, at least as far as security is concerned.
Blockchain-based Authentication is the Future
The future of payments lies in the world of authentication, that much seems to be certain. But there are so many different ways users can be authenticated, and storing one’s verification on the same device for up to six months might not be the most secure solution there is today.
Blockchain technology, on the other hand, could be used by PayPal – and other companies – to issue an authentication token. Said token would then be communicated to the payment processor’s server, and once validated, will allow the payment to occur. Plus, issuing such a token would enable cross-platform compatibility for users, which would make it even more convenient as well.
This entire process could work as follows: the application or platform creates a signed authentication request, which is sent to the user. The device owned by the user verifies the authenticity of the request and compiles the necessary information for an authentication response.
Signing the authentication response – by using a private key, similar to how Bitcoin works – and sending it back to the application or platform server is the next step. As part of this response message, there is the original authentication request, as well as the user’s device authentication response.
It is then up to the application or platform server – preferably a decentralized solution – to validate the returned response and check whether the data matches. Assuming it does, the user is logged in to make the payment, without entering a username or password along the way.
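The request/response exchange described in the three paragraphs above, as an added example that is not part of the original post and not PayPal's code: the server signs a single-use, expiring challenge, the device verifies that signature before signing the challenge with the user's private key, and the server checks the echoed request and the device signature. It assumes ed25519 keys in place of the Bitcoin-style keys the post mentions, that the device public key was registered out of band, and no blockchain; the nonce tracking and expiry are the replay defences a practitioner would add to the post's description.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/binary"
	"errors"
	"time"
)

// A request is 16 random nonce bytes followed by a big-endian unix expiry; both sides sign it as-is.
const nonceLen = 16
// Server issues signed challenges and remembers which nonces are still outstanding.
type Server struct {
	Pub    ed25519.PublicKey
	priv   ed25519.PrivateKey
	issued map[string]bool // outstanding nonces, removed once a response is accepted
}
func NewServer() *Server {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	return &Server{Pub: pub, priv: priv, issued: map[string]bool{}}
}
// NewRequest builds a fresh challenge, records its nonce and signs it with the server key.
func (s *Server) NewRequest(ttl time.Duration) (req, sig []byte) {
	req = make([]byte, nonceLen+8)
	rand.Read(req[:nonceLen])
	binary.BigEndian.PutUint64(req[nonceLen:], uint64(time.Now().Add(ttl).Unix()))
	s.issued[string(req[:nonceLen])] = true
	return req, ed25519.Sign(s.priv, req)
}
// Validate accepts a response only if the echoed request was issued here, is unexpired and unused, and resp verifies under the user's registered device key.
func (s *Server) Validate(devPub ed25519.PublicKey, req, resp []byte, now time.Time) error {
	switch {
	case len(req) != nonceLen+8 || !s.issued[string(req[:nonceLen])]:
		return errors.New("request not issued here or already used")
	case now.Unix() > int64(binary.BigEndian.Uint64(req[nonceLen:])):
		return errors.New("request expired")
	case !ed25519.Verify(devPub, req, resp):
		return errors.New("bad device signature")
	}
	delete(s.issued, string(req[:nonceLen])) // single use: a replayed response fails the first check
	return nil
}
// Respond is the device side: verify the server signed the challenge, then sign it with the user's key.
func Respond(devPriv ed25519.PrivateKey, serverPub ed25519.PublicKey, req, sig []byte) ([]byte, error) {
	if !ed25519.Verify(serverPub, req, sig) {
		return nil, errors.New("request not signed by server")
	}
	return ed25519.Sign(devPriv, req), nil
}
```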
From a security point of view, this solution makes a lot of sense. Issuing tokens over the blockchain is easy to do, and the technology is available to anyone in the world. More importantly, the end user controls their private key to sign the authentication request, which can be stored on any of their devices and even encrypted with a password if they choose to do so.
What are your thoughts on PayPal One Touch? Should they use blockchain technology to make the concept safer? Let us know in the comments below!
Images courtesy of PayPal, Shutterstock