...
Distilling a single best practice from the existing implementations across open banking markets is difficult. However, despite the variance between EU countries, a best practice can be built on:
- A principles-based approach, which guides implementers to incorporate the features that provide both multi-factor authentication and proofs-of-authentication.
...
- Relevant technical controls that give guidance on specific implementation approaches, so that SCA is performed in a sufficiently secure context.
Emerging technologies and standards, and how they can be leveraged in implementing SCA, are also described.
This page is therefore provided as guidance for ecosystem participants, to help them make standardised choices when extending authentication options as the adoption of open finance grows in the market, with the goal of creating an extensible ecosystem for SCA.
2. Principles
The following are the principles on which the implementation of User authentication should be based.
| # | Principle | Rationale | Definition | Notes |
|---|---|---|---|---|
| 1 | User authentication is implemented using multi-factor authentication, where two factors are required to authenticate a given User. | Multi-factor authentication is an existing best practice for User authentication and is prevalent in most open banking implementations. | | |
| 2 | Multi-factor authentication is based on the factors of Inherence, Knowledge and Possession. | Inherence, Knowledge and Possession are established factors and can be readily supported by the majority of multi-factor authentication implementations. | | |
| 3 | A given User authentication operation is uniquely identified. | An audit trail should be provided that links a User authentication operation with an action in the open finance ecosystem. Establishing this link provides a solid foundation for activities such as fraud prevention and dispute resolution. | | |
| 4 | A given User authentication operation is correlated with a given data sharing or service initiation consent. | | | |
| 5 | Open standards are preferred to a bespoke implementation. | Using open standards is a recognised means to create an interoperable and extensible ecosystem. Organisations should look | | |
3. Controls
The following controls should be applied when implementing User authentication for use in the open finance ecosystem.
These controls are intended to be prescriptive, but not exclusive. Other controls, such as the OWASP Mobile Top 10, should be considered, together with the existing organisational controls that govern mobile and internet banking.

| # | Control | Rationale | Principles |
|---|---|---|---|
| 1 | Mobile apps that are used to authenticate Users are installed from an authorised and certified source. | | |
| 2 | Mobile apps that are used to authenticate Users verify that they are installed on a mobile operating system version for which they are approved. | | |
| 3 | A given installation of a mobile app is correlated to the signature of the mobile device on which it is installed. | | |
| 4 | Private keys created on a mobile device for the purposes of authentication are stored in the device security module. | | |
| 5 | A biometric gesture is used to authenticate the User. | | |
| 6 | A given authentication operation provides proofs-of-authentication that can be verified by a relying party based on a shared public key. | | |
| 7 | A given authentication operation accepts an input parameter that uniquely links it to a given consent or consent signature. | | |
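Principles 3 and 4 and controls 4, 6 and 7 together describe one mechanism: a key held on the device signs a proof that names the authentication operation and the consent it authorises, and the relying party verifies that proof with the public key it captured at enrolment. The Go program below is an added example written for this page, not code from the original page or from any open finance standard. The proof layout, field names, error values, operation ids and the sample consent are all assumptions made for the example, and the in-memory ed25519 key stands in for a key that, per control 4, would live in the device security module.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
)

// AuthProof is what the device returns after the local multi-factor check; field names are this example's own.
type AuthProof struct {
	OperationID string // unique id of this authentication operation (principle 3)
	ConsentHash string // SHA-256 of the consent the operation is bound to (principle 4, control 7)
	Challenge   string // nonce the relying party issued for this operation
	Signature   []byte // ed25519 by the device key over the three fields above (control 6)
}

// payload is the canonical signed byte string; length prefixes keep distinct field triples from colliding.
func payload(opID, consentHash, challenge string) []byte {
	s := ""
	for _, f := range []string{opID, consentHash, challenge} {
		s += fmt.Sprintf("%d:%s;", len(f), f)
	}
	return []byte(s)
}

func hashConsent(consent []byte) string {
	h := sha256.Sum256(consent)
	return hex.EncodeToString(h[:])
}

// SignProof is the device side; in production the key stays in the device security module (control 4), here it is in memory.
func SignProof(devKey ed25519.PrivateKey, opID string, consent []byte, challenge string) AuthProof {
	ch := hashConsent(consent)
	return AuthProof{opID, ch, challenge, ed25519.Sign(devKey, payload(opID, ch, challenge))}
}

var (
	ErrBadSignature   = errors.New("signature does not verify under the enrolled device key")
	ErrWrongConsent   = errors.New("proof is bound to a different consent")
	ErrWrongChallenge = errors.New("proof does not answer the issued challenge")
	ErrReplay         = errors.New("operation id has already been accepted")
)

// RelyingParty keeps the device public key from enrolment and the operation ids already accepted (replay detection).
type RelyingParty struct {
	devicePub ed25519.PublicKey
	seenOps   map[string]bool
}

// Verify checks a proof against the consent about to be acted on and the challenge that was issued.
// The signature is checked first, so a proof not made by the enrolled key learns nothing from the later checks.
func (rp *RelyingParty) Verify(p AuthProof, consent []byte, challenge string) error {
	if !ed25519.Verify(rp.devicePub, payload(p.OperationID, p.ConsentHash, p.Challenge), p.Signature) {
		return ErrBadSignature
	}
	if p.ConsentHash != hashConsent(consent) {
		return ErrWrongConsent
	}
	if p.Challenge != challenge {
		return ErrWrongChallenge
	}
	if rp.seenOps[p.OperationID] {
		return ErrReplay
	}
	rp.seenOps[p.OperationID] = true
	return nil
}

// Demo runs one accepted proof and four rejected ones, returning the outcomes in order.
func Demo() []error {
	devPub, devPriv, _ := ed25519.GenerateKey(rand.Reader) // err only if the OS RNG fails
	_, otherPriv, _ := ed25519.GenerateKey(rand.Reader)    // a key the relying party never enrolled
	rp := &RelyingParty{devicePub: devPub, seenOps: map[string]bool{}}
	// Constructed sample consents: the payment the user agreed to, and a copy altered afterwards.
	consent := []byte(`{"type":"payment","amount":"120.00","creditor":"DE89370400440532013000","id":"c-1001"}`)
	tampered := []byte(`{"type":"payment","amount":"9120.00","creditor":"DE89370400440532013000","id":"c-1001"}`)
	challenge := "n-7f3a91"
	good := SignProof(devPriv, "op-0001", consent, challenge)
	bound := SignProof(devPriv, "op-0002", tampered, challenge)
	stale := SignProof(devPriv, "op-0003", consent, "n-expired")
	forged := SignProof(otherPriv, "op-0004", consent, challenge)
	return []error{
		rp.Verify(good, consent, challenge),   // nil: accepted
		rp.Verify(good, consent, challenge),   // ErrReplay: same operation id presented again
		rp.Verify(bound, consent, challenge),  // ErrWrongConsent: signed over the altered consent
		rp.Verify(stale, consent, challenge),  // ErrWrongChallenge: answers a challenge not in play
		rp.Verify(forged, consent, challenge), // ErrBadSignature: not the enrolled device key
	}
}

func main() {
	for i, err := range Demo() {
		fmt.Printf("proof %d: %v\n", i+1, err)
	}
}
```

Two design points carry the weight here. The consent is bound into the signed bytes as a hash, so the relying party compares the proof against the consent it is about to execute, not against whatever the client claims; a proof obtained for one consent cannot be replayed against a larger or different one. And the operation id is recorded on acceptance, which is what turns the audit trail of principle 3 into an actual replay check; a production relying party would persist that record and also bound the lifetime of each challenge.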
...