Case Study: Strengthening Visa’s 3DS Authentication Through Biometric and WebAuthn Integration

Overview

Visa engaged our team to modernise and harden their 3‑Domain Secure (3DS) authentication flow by introducing native biometric authentication and WebAuthn-based passkey validation. The goal was to create a frictionless, high‑assurance authentication experience that could be embedded across issuer, merchant, and ACS (Access Control Server) journeys, while meeting the stringent security, scalability, and compliance expectations of a global fintech leader.

The engagement required a full end‑to‑end architectural redesign, spanning mobile, web, backend services, and identity layers. The solution was delivered using a cloud‑first Azure architecture, with a strong emphasis on non‑functional requirements (NFRs), zero‑trust principles, and AI‑assisted coding to accelerate delivery without compromising quality.

Business drivers

  • Fraud reduction: Strengthen step‑up authentication during 3DS challenges.
  • User experience: Replace OTP/SMS flows with native biometrics (Face ID, Touch ID, Android Biometrics).
  • Standards alignment: Adopt WebAuthn and FIDO2 to future‑proof authentication.
  • Global scalability: Support peak transaction volumes across multiple regions.
  • Regulatory compliance: Align with PSD2, SCA, and Visa’s internal security frameworks.

Key activities delivered

1. Architecture & solution design

  • Multi‑layered authentication architecture: Combined native biometrics with WebAuthn public‑key cryptography to secure 3DS challenges.
  • End‑to‑end 3DS challenge flow: Defined issuer, merchant, and ACS interactions, including device binding and risk‑based routing.
  • Cloud‑first Azure reference architecture:
    • Azure API Management for secure API exposure and throttling.
    • Azure Kubernetes Service (AKS) for scalable microservices.
    • Azure Key Vault for secrets and key management.
    • Azure Front Door for global routing, WAF, and DDoS protection.
  • NFR definition: Performance, latency budgets, availability targets, RTO/RPO, security posture, observability, and compliance.

2. Biometric & WebAuthn integration

  • Native biometrics: Implemented platform authenticators (iOS LocalAuthentication, Android BiometricPrompt) for in‑app 3DS challenges.
  • WebAuthn for browser flows: Enabled cross‑platform passkey creation and challenge signing for web‑based 3DS journeys.
  • Keycloak extension: Built custom SPI modules to support FIDO2 credential registration, attestation validation, and challenge verification.
  • Device binding strategy: Ensured cryptographic keys remain tied to the user’s trusted device, reducing account takeover risk.

3. End‑to‑end 3DS flow engineering

  • Biometric‑first challenge flow: Implemented a new ACS challenge path that triggers biometric authentication instead of OTP.
  • Risk‑based decision engine: Determined when to invoke biometrics versus frictionless approval based on transaction risk signals.
  • Telemetry & fraud analytics: Integrated event streams into Visa’s risk models and fraud detection platforms.
  • Backward compatibility: Maintained support for legacy 3DS flows for issuers not yet migrated to biometrics/WebAuthn.

4. AI‑assisted delivery

  • AI‑assisted coding: Used AI tools to accelerate development of WebAuthn ceremony handlers, Keycloak SPI extensions, and API contracts.
  • Test automation: Generated unit and integration test scaffolding with AI assistance, improving coverage and reducing manual effort.
  • Architecture & documentation: Leveraged AI to draft architectural diagrams, threat models, and NFR matrices, ensuring consistency and faster iteration.

5. Testing, hardening & certification

  • Security testing: Performed penetration testing, FIDO2 conformance testing, and 3DS certification exercises.
  • Performance & scalability: Conducted large‑scale load tests simulating peak global transaction volumes across multiple Azure regions.
  • Latency optimisation: Tuned AKS autoscaling, caching, and API gateways to meet strict latency requirements (e.g. < 300ms for challenge flows).
  • Operational readiness: Delivered runbooks, dashboards, alerting rules, and incident workflows for production operations.

End‑to‑end authentication flow (simplified)

  1. Payment initiation: Cardholder initiates a payment; the merchant triggers a 3DS challenge.
  2. Risk evaluation: The ACS evaluates transaction risk and determines that a biometric challenge is required.
  3. Challenge delivery: A challenge request is sent to the user’s device (mobile app or browser) via the 3DS SDK / web client.
  4. Biometric prompt: The user is prompted to authenticate using Face ID, Touch ID, or Android Biometrics.
  5. Challenge signing: The platform authenticator signs the WebAuthn challenge using the device‑bound private key.
  6. Assertion validation: The signed assertion is returned to the ACS and validated via the Keycloak WebAuthn module.
  7. Authentication approval: The ACS approves the authentication and returns a positive result to the merchant.
  8. Telemetry & analytics: Events and risk signals are logged and fed into Visa’s fraud analytics pipeline.

Outcomes & impact

  • Reduced friction: 60–80% reduction in step‑up friction compared to OTP‑based flows, improving