Stripe Delegated Authentication is an enhanced 3D Secure flow that will enable your customers to authenticate using a verification method available on their mobile device or laptop, if they choose to do so.
Cardholders may come across a payment authentication experience with Stripe denoted by "Verify your payments faster next time". This is part of Stripe Delegated Authentication, a service used by card issuers to perform payment authentication.
Stripe Delegated Authentication helps card issuers (e.g., banks) authenticate online card payments by leveraging biometric technology on the cardholder’s device (e.g., TouchID on a phone or laptop).
This option will first be presented to the cardholder after they pass through the default 3D Secure verification flow. If they agree to use Stripe Delegated Authentication, they will be prompted to authenticate using biometric technology on any subsequent payments made via Stripe.
Cardholders will always have the option to decline biometric verification, in which case they will be offered the default 3D Secure verification flow. If they have any questions about the authentication experience, they can reach out to their card issuer for help.
Stripe Delegated Authentication utilizes FIDO standards built around public key cryptography. A secure private key on the cardholder’s device (which Stripe cannot access) generates an authentication code which can be used in conjunction with the public key to authenticate the online payment transaction.
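The challenge-response pattern behind this, as an added example (not Stripe's code): a simplified model of a FIDO2/WebAuthn-style assertion in Node.js, where the device signs a server challenge and the server checks it with the enrolled public key. The function names, the `issuer.example` relying party and the data layout choices are assumptions for illustration.

```javascript
const crypto = require('node:crypto');
const sha256 = (b) => crypto.createHash('sha256').update(b).digest();

// Enrollment: the key pair is created on the device; only the public key leaves it.
function enroll() {
  const { publicKey, privateKey } = crypto.generateKeyPairSync('ec', { namedCurve: 'P-256' });
  return { device: { privateKey, counter: 0 }, server: { publicKey, lastCounter: 0 } };
}

// Device side. Assumed to run only after the local biometric check has passed.
function signAssertion(device, rpId, origin, challenge) {
  const clientDataJSON = Buffer.from(JSON.stringify({
    type: 'webauthn.get', challenge: challenge.toString('base64url'), origin }));
  const authData = Buffer.alloc(37);
  sha256(rpId).copy(authData, 0);               // bytes 0-31: SHA-256 of relying-party ID
  authData[32] = 0x05;                          // flags: user present | user verified
  authData.writeUInt32BE(++device.counter, 33); // bytes 33-36: signature counter
  const signed = Buffer.concat([authData, sha256(clientDataJSON)]);
  return { clientDataJSON, authData, signature: crypto.sign('sha256', signed, device.privateKey) };
}

// Server side: returns 'ok' or the name of the first check that failed.
function verifyAssertion(server, rpId, origin, challenge, a) {
  const cd = JSON.parse(a.clientDataJSON.toString('utf8'));
  if (cd.type !== 'webauthn.get') return 'bad type';
  if (cd.challenge !== challenge.toString('base64url')) return 'challenge mismatch';
  if (cd.origin !== origin) return 'origin mismatch';
  if (!a.authData.subarray(0, 32).equals(sha256(rpId))) return 'rpId mismatch';
  if ((a.authData[32] & 0x04) === 0) return 'user not verified';
  const signed = Buffer.concat([a.authData, sha256(a.clientDataJSON)]);
  if (!crypto.verify('sha256', signed, server.publicKey, a.signature)) return 'bad signature';
  const counter = a.authData.readUInt32BE(33);
  if (counter <= server.lastCounter) return 'counter replay';
  server.lastCounter = counter;
  return 'ok';
}

// Constructed demo values: issuer.example is a placeholder relying party.
function demo() {
  const { device, server } = enroll();
  const rp = 'issuer.example', origin = 'https://issuer.example';
  const challenge = crypto.randomBytes(32);
  const a = signAssertion(device, rp, origin, challenge);
  return [
    verifyAssertion(server, rp, origin, challenge, a),              // fresh assertion
    verifyAssertion(server, rp, origin, crypto.randomBytes(32), a), // replay on new challenge
  ];
}
```

Because the signature covers a one-time challenge and the origin, a captured assertion cannot be reused for a different transaction or presented from a different site.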
The biometric data, including fingerprint and facial scans, used on-device to generate the authentication code is only processed on, and never leaves, the cardholder’s device. Stripe cannot access this biometric data. You can withdraw consent to storage of payment details; see below for guidance.
Once a transaction with a supported merchant and issuer is authenticated via existing means (e.g., 3D Secure), cardholders will be given the option to provide their consent for Stripe to store their payment method details for use in future transactions that use the same card. This option to consent is given to the cardholder during the checkout flow on a merchant’s website or app.
Cardholders will have the option to withdraw their consent during each subsequent transaction flow. Consent can also be withdrawn outside of a transaction flow: opt out here. After opting out, any credentials associated with a cardholder’s card will be deleted within 2 business days.