The authentication paradox: securing payments without human presence
Every major advance in payment security has relied on one assumption: a human is present. Chip and PIN verified the cardholder was physically there. 3-D Secure confirmed someone could receive a one-time code. Biometrics proved it was the right person. Now, as AI agents begin initiating transactions on behalf of consumers, that assumption breaks down. Stronger authentication is needed precisely when there is no one there to authenticate.
This is the authentication paradox at the heart of agentic commerce. The same autonomy that makes AI agents useful - acting without constant human supervision - creates a verification gap that existing security models were not designed to address.
The gap in current models
Consider how authentication works today. A customer shops online, adds items to a basket, and proceeds to checkout. The payment triggers a 3-D Secure challenge. The customer receives a code, enters it, and the transaction completes. The entire flow assumes human attention at the critical moment.
Now imagine an AI agent handling the same journey. The customer has delegated authority: "Find me the best price on noise-cancelling headphones and buy them if it's under $300." The agent searches, compares, selects, and initiates payment. When the authentication challenge arrives, there is no human waiting to respond. The agent either fails the transaction or bypasses the security step entirely. Neither outcome is acceptable.
Authentication is not the problem to remove
One response to this challenge is to argue for frictionless transactions - removing authentication steps to enable seamless agent activity. This misses the point. Authentication exists because payment fraud is real, persistent, and increasingly sophisticated. The answer is not less security but different security: verification models designed for machine-to-machine trust.
The payments industry has solved similar problems before. Tokenisation replaced card numbers with secure references. Risk-based authentication reduced friction for low-risk transactions while maintaining scrutiny for unusual activity. The infrastructure evolved without abandoning the principle that every payment should be authorised and intentional.
Towards delegated trust
Resolving the authentication paradox requires rethinking who - or what - can be trusted to authorise a payment. The emerging model centres on delegated trust: a human pre-authorises an agent to act within defined boundaries, and the payment infrastructure verifies that the agent is operating within those boundaries at transaction time.
This demands several capabilities working together. Identity systems must support delegation chains, linking an agent's actions back to a verified human principal. Authentication must shift from point-in-time challenges to continuous validation of agent credentials and behavioural patterns. Risk models must incorporate new signals: Is this agent recognised? Is it acting within its permitted scope? Does the transaction pattern match the delegated authority?
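As an added illustration of the delegated-trust check described above (example code, not from the original article): a human principal signs a scoped grant for an agent, and the payment side verifies at transaction time that the grant is genuine, unrevoked and unexpired, that the acting agent is the one named in it, and that the amount and merchant category fall inside the delegated scope. The grant fields, the HMAC stand-in for a real signature, and all identifiers are assumptions, not any real 3-D Secure or tokenisation API.

```python
# Added example: delegated-trust check for an agent-initiated payment.
# Grant fields, identifiers and the HMAC "signature" are illustrative
# assumptions; a production system would use a real signing scheme.
import hmac, hashlib, json

def sign_grant(principal_key: bytes, grant: dict) -> dict:
    """Principal authorises an agent: bind the grant's fields to a MAC."""
    body = json.dumps(grant, sort_keys=True).encode()
    mac = hmac.new(principal_key, body, hashlib.sha256).hexdigest()
    return {**grant, "mac": mac}

def authorise(principal_key: bytes, signed_grant: dict, agent_id: str,
              txn: dict, revoked: set, now: float):
    """Decide a transaction at payment time against the delegated authority.
    Order: delegation chain (MAC) -> revocation -> expiry -> agent identity
    -> amount limit -> merchant-category scope. Returns (allowed, reason)."""
    grant = {k: v for k, v in signed_grant.items() if k != "mac"}
    body = json.dumps(grant, sort_keys=True).encode()
    expected = hmac.new(principal_key, body, hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, signed_grant.get("mac", "")):
        return False, "grant signature invalid"
    if grant["grant_id"] in revoked:
        return False, "grant revoked by principal"
    if now > grant["expires_at"]:
        return False, "grant expired"
    if agent_id != grant["agent_id"]:
        return False, "agent not recognised for this grant"
    if txn["amount"] > grant["max_amount"]:
        return False, "amount exceeds delegated limit"
    if txn["category"] not in grant["allowed_categories"]:
        return False, "merchant category outside delegated scope"
    return True, "within delegated authority"

# Constructed sample: the headphones mandate from the article, capped at $300.
PRINCIPAL_KEY = b"demo-principal-key"  # stand-in for a real signing key
GRANT = sign_grant(PRINCIPAL_KEY, {
    "grant_id": "g-1", "principal_id": "user-42", "agent_id": "agent-7",
    "max_amount": 300, "allowed_categories": ["electronics"],
    "expires_at": 1_800_000_000,  # constructed Unix timestamp
})

if __name__ == "__main__":
    ok, why = authorise(PRINCIPAL_KEY, GRANT, "agent-7",
                        {"amount": 279, "category": "electronics"},
                        revoked=set(), now=1_700_000_000)
    print(ok, why)
```

Because every denial names the failing boundary, the same function doubles as a source of the new risk signals the text lists (agent not recognised, out of scope, limit exceeded) for logging and fraud review.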
The human remains sovereign
What makes this model workable is that human control never disappears - it shifts upstream. Instead of approving each transaction, the consumer approves the agent, defines its limits, and retains the ability to revoke access. The authentication happens at the delegation layer, not the transaction layer.
This mirrors patterns already familiar in enterprise security: service accounts with defined permissions, API keys with scoped access, identity federation across systems. The difference is applying these concepts to consumer payments, where the stakes include both fraud prevention and regulatory compliance.
Infrastructure implications
The technical foundations for delegated trust largely exist. EMV 3-D Secure can be extended to support agent credentials. Tokenisation platforms can issue agent-specific tokens with embedded constraints. Digital identity frameworks are already exploring verifiable credentials and consent management. The challenge is integration: connecting these components into coherent flows that satisfy both security requirements and the speed that autonomous commerce demands.
The authentication paradox is real, but it is not insurmountable. Payments have always evolved by finding new ways to verify trust without sacrificing security. Agentic commerce is the next iteration of that evolution. The organisations that resolve this paradox first - building infrastructure where autonomous agents can transact securely within human-defined boundaries - will define how the next generation of digital commerce operates.