3D Secure 2.0: How banks moved from OTP to behavioral biometrics

BadB

An overview of the transition from simple two-factor authentication to real-time risk assessment

Introduction: The End of SMS Codes

Just five years ago, "VBV" (Verified by Visa) or "Mastercard SecureCode" meant one thing: typing a one-time code from an SMS into a pop-up. It was simple and straightforward, but a code the cardholder can read out can also be phished. Today, in 2026, 3D Secure 2.0 (EMV 3-D Secure, versions 2.x) is not just authentication but a real-time risk assessment system built on behavioral biometrics, geolocation, device data, and transaction context.

Banks no longer ask, "Are you the cardholder?"
They ask, "Does this look like a legitimate cardholder making a typical purchase at this time of day?"

In this article, we'll explore how 3D Secure 2.0 works, why an OTP has become the exception rather than the rule, and how fraud engines make their decision in milliseconds, without human intervention.

Part 1: From 3DS 1.0 to 3DS 2.0 – The Evolution of the Standard

🔹 3D Secure 1.0 (2001–2016)

  • Required the cardholder to enter a static password or an OTP on every transaction,
  • Redirected the user to the issuer's page (typically a pop-up or iframe),
  • Created a bad UX: cart abandonment of up to 40%,
  • Trained users to type credentials into a redirected page, which left the scheme open to phishing and MITM attacks.

🔹 3D Secure 2.0 (2017–present)

  • Introduced in response to PSD2 (EU) and its Strong Customer Authentication (SCA) requirement,
  • Supports two scenarios:
    • Frictionless Flow - no user interaction,
    • Challenge Flow - OTP, biometrics, or in-app confirmation.
  • Transfers more than 100 data elements (device, browser, order, and account data) from the merchant to the issuer.

💡 Key shift:
Authentication → Risk assessment.

Part 2: 3DS 2.0 Architecture – What's Happening Behind the Scenes

When you click "Pay," a multi-party exchange begins. The merchant's 3DS Server (or the 3DS SDK inside a mobile app) sends an authentication request (AReq) through the card scheme's Directory Server to the issuer's Access Control Server (ACS), which answers with an authentication response (ARes):
Code:
Merchant (3DS Server / SDK) → Directory Server (card scheme) → Issuer ACS

Note that the acquirer belongs to the later authorization step; it is not a hop in the 3DS authentication exchange.

At each stage, extended data is transmitted:

Category      Examples of parameters
Device        OS, browser, screen resolution, timezone
Network       IP geolocation, proxy detection, ISP
Behavior      Mouse movement, typing speed, session duration
Transaction   Amount, currency, merchant category, item type
History       Previous transactions, velocity, average spend

Device, network, and transaction fields travel inside the AReq itself. Mouse and keystroke dynamics are not 3DS message fields: they come from scripts the merchant or issuer runs in the checkout page, and the history column is the issuer's own record; both are joined to the request on the issuer's side. This data is analyzed by the bank's AI model in real time.

Part 3: Behavioral Biometrics – The Invisible Guardian

The heart of 3DS 2.0 is behavioral biometrics. Banks collect and analyze:

🖱️ Mouse dynamics

  • Speed of movement,
  • Curvature of the trajectory,
  • Time between clicks.

⌨️ Keyboard dynamics

  • Keystroke time,
  • CVV input rhythm,
  • Errors and corrections.

📱 Mobile behavior

  • Device tilt (accelerometer and gyroscope readings),
  • Touch pressure,
  • Scrolling patterns.

📊 Fact:
A unique "typing style" can be identified with 98.7% accuracy after about 200 keystrokes.

This data is compared against the cardholder's profile, built up over years of use.
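As an added example (not code from the original post), here is a minimal keystroke-dynamics scorer of the kind an issuer-side behavioral engine runs over CVV entry: it enrols a cardholder's rhythm from past checkouts, then scores a new session as a mean absolute z-score over two features, key hold time and flight time between keys. The timing values, the two features, and the 2.0 threshold are constructed assumptions; a production engine uses per-key-pair features, many more sessions, and a threshold tuned to its false-positive budget.

```python
"""Keystroke-dynamics scoring: enrol a cardholder's typing rhythm, then score a new
CVV entry against it. Added example, not code from the original post; the timing
values, the two features (key hold time, flight time between keys) and the z-score
threshold are constructed assumptions for illustration."""
from statistics import mean, pstdev

def make_events(keys, holds, flights):
    """Constructed helper: build (key, press_ms, release_ms) events from a hold-time
    list (one per key) and a flight-time list (one per gap between keys)."""
    events, t = [], 0
    for i, key in enumerate(keys):
        press, release = t, t + holds[i]
        events.append((key, press, release))
        if i < len(flights):
            t = release + flights[i]
    return events

def timing_features(events):
    """hold   = release - press of the same key
    flight = press of the next key - release of the previous key"""
    holds = [r - p for _, p, r in events]
    flights = [events[i + 1][1] - events[i][2] for i in range(len(events) - 1)]
    return holds, flights

def build_profile(sessions):
    """Aggregate hold/flight statistics over the enrolled sessions."""
    all_h, all_f = [], []
    for events in sessions:
        h, f = timing_features(events)
        all_h.extend(h)
        all_f.extend(f)
    return {"hold_mu": mean(all_h), "hold_sd": pstdev(all_h) or 1.0,
            "flight_mu": mean(all_f), "flight_sd": pstdev(all_f) or 1.0}

def session_score(profile, events):
    """Mean absolute z-score of a session's timings against the profile.
    Roughly 0-1 is typical for the enrolled person; script pacing or another
    person's rhythm lands far higher."""
    h, f = timing_features(events)
    zs = [abs((x - profile["hold_mu"]) / profile["hold_sd"]) for x in h]
    zs += [abs((x - profile["flight_mu"]) / profile["flight_sd"]) for x in f]
    return mean(zs)

def classify(profile, events, threshold=2.0):
    """The threshold is an assumption; an ACS tunes it on its own false-positive budget."""
    return "typical" if session_score(profile, events) < threshold else "anomalous"

# Constructed enrolment data: the cardholder typing a 3-digit CVV on four past checkouts.
ENROLLED = [
    make_events("123", [88, 95, 91], [140, 152]),
    make_events("123", [92, 87, 98], [135, 160]),
    make_events("123", [85, 99, 90], [148, 138]),
    make_events("123", [94, 90, 86], [155, 145]),
]
PROFILE = build_profile(ENROLLED)

# Constructed test sessions: the owner again, and an auto-fill script that emits
# every key 5 ms apart ("Behavior = too fast" in the post's challenge example).
OWNER_SESSION = make_events("123", [90, 93, 89], [142, 150])
BOT_SESSION = make_events("123", [5, 5, 5], [5, 5])

if __name__ == "__main__":
    print(round(session_score(PROFILE, OWNER_SESSION), 2), classify(PROFILE, OWNER_SESSION))
    print(round(session_score(PROFILE, BOT_SESSION), 2), classify(PROFILE, BOT_SESSION))
```

The owner's session scores under 1 and the scripted entry scores in the high teens, which is why "too fast" alone is enough to tip a transaction from Frictionless into Challenge Flow.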

Part 4: Frictionless vs. Challenge Flow – How the Decision Is Made

✅ Frictionless Flow (no confirmation)

  • Triggered when the risk score is low,
  • Example:
    • $20 purchase on Steam at 2 AM EST,
    • IP = Miami,
    • Device = known,
    • Behavior = typical.
  • Decision: instant approval; the ACS returns transStatus "Y" and the cardholder sees nothing.

🔒 Challenge Flow (with confirmation)

  • Triggered when the risk score is elevated (or when SCA rules require a challenge),
  • Example:
    • $500 purchase at a merchant the cardholder has never used,
    • IP = Germany (cardholder is in the USA),
    • Device = new,
    • Behavior = too fast.
  • Decision: the ACS returns transStatus "C" and requests an OTP, biometrics, or confirmation in the banking app.

💡 Statistics (2026):
  • 85% of transactions are processed in Frictionless Flow,
  • 15% in Challenge Flow.

Part 5: Why "Non-VBV" is a Myth

Many sellers still advertise "Non-VBV" cards. But in 2026:
  • 75% of cards support 3DS 2.0,
  • "Non-VBV" in practice means auto-VBV: the issuer still runs 3DS 2.0, it just resolves it without a challenge,
  • These cards only work in Frictionless Flow,
  • After the first transaction or any suspicious activity, they are moved into Challenge Flow.

💀 Field data:
  • 70% of "Non-VBV" cards are actually Auto-VBV,
  • The trust window closes 1-2 hours after the first transaction.

Part 6: How Fraud Engines Use 3DS 2.0

Merchant-side fraud engines (Forter, Riskified, Stripe Radar) consume the same classes of signal as the issuer's ACS and fold the 3DS 2.0 data elements into their models:

Signal                           Weight in the model
IP country ↔ card country        ⭐⭐⭐⭐⭐
Behavior ↔ historical profile    ⭐⭐⭐⭐
Time of day ↔ typical behavior   ⭐⭐⭐
Device ↔ known                   ⭐⭐⭐
Amount ↔ average bill            ⭐⭐

If at least two signals are in the red zone, Challenge Flow is inevitable.
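To tie Parts 2, 4 and 6 together, here is an added example (not code from the original post, and not any vendor's or scheme's engine) that walks one transaction through the 3DS 2.0 exchange: the merchant's 3DS Server builds an AReq, the Directory Server routes it, and the issuer ACS scores the post's five signals with the post's star weights and answers with an ARes. Field names messageType, messageVersion, threeDSServerTransID, dsTransID, acsTransID, deviceChannel, purchaseAmount, purchaseCurrency and transStatus follow EMV 3DS naming; ip_country, device_id, local_hour and behaviour_z are illustrative stand-ins for what an ACS derives from the browser IP, device fingerprint, browser timezone and behavioral data. The cardholder profile, the per-signal thresholds and the "one top-weight signal also challenges" cut-off are assumptions.

```python
"""Simplified 3DS 2.x authentication exchange: merchant 3DS Server -> Directory
Server -> issuer ACS -> ARes. Added example, not code from the original post and
not any vendor's engine. Weights are the post's star ratings; the cardholder
profile, thresholds and the illustrative ip_country / device_id / local_hour /
behaviour_z fields are assumptions."""
import uuid

# Issuer-side cardholder profile (constructed sample data). Amounts in minor units.
CARDHOLDER = {
    "card_country": "US",
    "known_devices": {"dev-7f3a"},
    "avg_purchase": 4000,                 # $40.00
    "typical_hours_local": range(8, 23),  # 08:00-22:59
}

# Signal weights from the post's table (one star = 1)
WEIGHTS = {
    "ip_vs_card_country": 5,
    "behaviour_vs_profile": 4,
    "time_of_day": 3,
    "device_known": 3,
    "amount_vs_average": 2,
}

def build_areq(device_id, amount, currency, ip_country, local_hour, behaviour_z):
    """Merchant 3DS Server composes the AReq from order data and browser/SDK data."""
    return {
        "messageType": "AReq",
        "messageVersion": "2.2.0",
        "threeDSServerTransID": str(uuid.uuid4()),
        "deviceChannel": "02",            # 02 = browser, 01 = app SDK
        "purchaseAmount": amount,         # minor units
        "purchaseCurrency": currency,     # ISO 4217 numeric, "840" = USD
        "ip_country": ip_country,         # illustrative: geolocated browser IP
        "device_id": device_id,           # illustrative: device fingerprint
        "local_hour": local_hour,         # illustrative: derived from browser timezone
        "behaviour_z": behaviour_z,       # illustrative: behavioural-biometrics distance
    }

def directory_server(areq):
    """Scheme DS: validates the message, assigns dsTransID, routes to the issuer ACS.
    A real DS picks the ACS by card range; this example has a single issuer."""
    if areq.get("messageType") != "AReq":
        raise ValueError("DS expects an AReq on the authentication path")
    return acs_authenticate({**areq, "dsTransID": str(uuid.uuid4())})

def score_signals(areq, profile):
    """Return the set of red signals and their weighted sum."""
    red = set()
    if areq["ip_country"] != profile["card_country"]:
        red.add("ip_vs_card_country")
    if areq["behaviour_z"] > 2.0:                              # threshold is an assumption
        red.add("behaviour_vs_profile")
    if areq["local_hour"] not in profile["typical_hours_local"]:
        red.add("time_of_day")
    if areq["device_id"] not in profile["known_devices"]:
        red.add("device_known")
    if areq["purchaseAmount"] > 5 * profile["avg_purchase"]:  # 5x average is an assumption
        red.add("amount_vs_average")
    return red, sum(WEIGHTS[s] for s in red)

def acs_authenticate(areq, profile=CARDHOLDER):
    """Issuer ACS: transStatus 'Y' (frictionless) when risk is low, 'C' (challenge) otherwise."""
    red, score = score_signals(areq, profile)
    # The post's rule: two or more red signals force a challenge. A single signal
    # carrying the top weight (IP vs card country) also does; that cut-off is assumed.
    challenge = len(red) >= 2 or score >= 5
    return {
        "messageType": "ARes",
        "threeDSServerTransID": areq["threeDSServerTransID"],
        "dsTransID": areq["dsTransID"],
        "acsTransID": str(uuid.uuid4()),
        "transStatus": "C" if challenge else "Y",
        "risk_score": score,
        "red_signals": sorted(red),
    }

def merchant_checkout(device_id, amount, currency, ip_country, local_hour, behaviour_z):
    """End-to-end: build the AReq, submit it via the DS, return the ARes."""
    return directory_server(build_areq(device_id, amount, currency,
                                       ip_country, local_hour, behaviour_z))

if __name__ == "__main__":
    # Part 4's two examples: $20 on a known device at 02:00 local, and $500 from a
    # new device in Germany with script-like pacing.
    print(merchant_checkout("dev-7f3a", 2000, "840", "US", 2, 0.4)["transStatus"])   # Y
    print(merchant_checkout("dev-new", 50000, "840", "DE", 14, 3.1)["transStatus"])  # C
```

Two things the walk-through makes visible: the $20 night-time purchase trips exactly one low-weight signal (time of day) and still goes frictionless, while the $500 purchase lights up four signals for a score of 14, so the ARes carries transStatus "C" and the merchant must present the challenge before authorization.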

Part 7: Consequences for Carders

For those involved in carding, 3DS 2.0 means:
  1. It's impossible to bypass a 3DS without OTP - even with perfect OPSEC,
  2. The first transaction is the most important one - it determines whether the card will remain in Frictionless,
  3. Behavior must be human - no Cookie-Robot without pauses,
  4. Geo-consistency is mandatory - IP, time zone, address must match.

💡 Survival Strategy:
Focus on low-risk platforms (Steam, Razer Gold), where Frictionless Flow works most often.

Conclusion: The Future of Authentication is Invisible

3D Secure 2.0 isn't just a technology. It's a philosophical shift:
Security shouldn't interfere with convenience.

Banks no longer expect you to prove anything. They observe, analyze, and predict. And if your behavior matches expectations, you won't even notice you've been authenticated.

For carders, this means one thing:
the game has changed. The winner isn't the one who beats the system, but the one who becomes part of it — invisibly, naturally, and humanely.

💬 Final thought:
In the world of 3DS 2.0, the best disguise is not a fake, but an imitation of normality.
But remember: even the most perfect imitation is eventually revealed.

Stay aware.
And remember: true security begins with respecting the system, not trying to break it.
 