Stripe Authentication is an enhanced 3D Secure (3DS) flow that will enable transaction authentication using a verification method available on a cardholder’s mobile devices or laptop, if selected by the cardholder.
Stripe Authentication helps businesses and issuers authenticate online card payments by leveraging verification methods available on the cardholder’s device (e.g., TouchID or FaceID on a smartphone or laptop).
This option will first be presented to the cardholder after they pass through the default 3DS verification flow. If Stripe Authentication is enabled, they will be able to verify future payments faster with your business, as well as with other businesses across the Stripe network, by using the available verification methods.
Cardholders who come across Stripe Authentication will see a Stripe page denoted by "Verify your payments faster next time" or “Confirm this payment”.
Cardholders will always have the option to decline Stripe Authentication, in which case they will be offered the default 3DS verification flow.
Stripe Authentication is currently being trialed on card payments that require authentication. Cardholders might be prompted to authenticate payments using Stripe Authentication in the following situations:
Payments in scope for Strong Customer Authentication (SCA) initiated with a card supporting delegated authentication, which allows Stripe to strongly authenticate cardholders on behalf of the card issuer.
Other payments for which the business is requesting 3DS authentication (e.g., through the API or using a radar rule).
Stripe Authentication utilizes FIDO standards built around public key cryptography. A secure private key on the cardholder’s device (which Stripe cannot access) generates an authentication code which can be used in conjunction with the public key to authenticate the online payment transaction.
The biometric data, including fingerprint and facial scans, used on-device to generate the authentication code is only processed on, and never leaves, the cardholder’s device. Stripe cannot access this biometric data. Cardholders can withdraw consent to storage of payment details—see below for guidance.
When Stripe Authentication is enabled, cardholders will be given the option to provide their consent for Stripe to store their payment method details for use in future transactions that use the same card. This option to consent is given to the cardholder during the checkout flow on a business’s website or app.
Cardholders will have the option to withdraw their consent during each subsequent transaction flow. Consent can also be withdrawn directly using our opt out form. After opting out, any credentials associated with a card will be deleted within two business days.