...
Strong Customer Authentication (SCA) is a generic term used to describe multi-factor user authentication supported by proofs-of-authentication, which came to prominence in open banking due to its inclusion as a Regulatory Technical Standard (RTS) under the Payment Services Directive 2 (PSD2) in the European Union (EU). It sets the requirements for authenticating a Payment Services User - the account-holding customer who is making a payment - that must be adhered to in local law. Two key provisions were heavily focused on in creating standards for open banking:
An authentication code indicating permission to make a payment must be based on at least two authentication factors: “the authentication shall be based on two or more elements which are categorised as knowledge, possession and inherence and shall result in the generation of an authentication code.” (Article 4.1).
The concept of “dynamic linking”, which requires that the payee and amount are inputs to the creation of the authentication code, so that the code is proof that the User has authorised that specific payment (Article 5).
SCA is therefore very strongly allied to multi-factor authentication, and specifically outlines the acceptable factors, namely:
Inherence: “Something you are” - a biometric credential indelibly linked to you.
Knowledge: “Something you know” - a secret known to you and only you.
Possession: “Something you have” - a device that can only be accessed and activated by you.
However, PSD2 is a directive and therefore had to be interpreted in local law by different EU jurisdictions. SCA therefore has different implementations across the EU, and the dynamic linking requirement is manifested in a number of different ways. The vast majority of implementations for open banking APIs involve the mobile banking app belonging to a bank, but there are two inherent limitations in this approach:
...
Bringing together a best practice based on existing implementations across open banking markets is therefore difficult. However, despite the variance between EU countries, the spirit of the RTS can be transposed into multiple relevant protocols for User authentication that provide an implementation of multi-factor authentication and proofs-of-authentication. At the time of writing the options considered are:
FIDO2
Passkeys
OpenID for Verifiable Credentials
Secure Payment Confirmation
The protocols and implementations included in this page can help provide multi-factor authentication and proofs-of-authentication for participants in an open finance ecosystem. This page is provided as guidance for ecosystem participants, to help them make informed choices in extending authentication options as the adoption of open finance is extended in the market.
2. FIDO2
FIDO2 is a suite of protocols designed to offer strong proofs-of-authentication while eliminating the reliance on passwords. Unlike app-based biometric authentication, it provides proofs-of-authentication in the form of an Authentication Assertion, an object signed by a private key resident on a given device. The signature can be verified using the corresponding public key, which the WebAuthn Relying Party holds following an enrolment ceremony. Authentication Assertions can also complement FAPI, as the Assertion can be carried in the Authorisation Code flow using a custom claim or a standard parameter such as login_hint.
...
OpenID for Verifiable Credentials is a new protocol that extends OpenID to allow presentations of credentials on behalf of users. It allows multiple, limited-scope credentials to be minted that can be used for specific use cases. Examples abound, including dedicated credentials for appliances, vehicles or specific merchants, or combining several credentials to authorise access to a given resource, such as having both a club membership and a payment credential to access premium features at the gym. It is one of the standards proposed to enable the EU Digital Wallet.
...
Applying SCA in this context requires more development, however, as the mechanism for credential retrieval from a wallet has yet to be formally standardised. Standards and reference implementations for the EU Digital Wallet are currently being built.
...