...
It is imperative in these circumstances that the LFI browser channel has been optimized for mobile browsers and device types.
The following alternative experience MUST be implemented by LFIs to allow customers to use their mobile banking app to complete Authentication and Authorization:
The LFI MUST support a web-based landing page that opens on redirection with a Call to Action (CTA) to trigger an interaction using the User’s mobile banking app.
The CTA provided on the page must be:
For non-mobile devices, a QR Code that can be scanned by the User. Direction must be displayed that indicates to the User that they must scan the QR Code with a device that has the LFI app installed.
For mobile devices without the LFI app installed, a CTA that enables the User to download the app from the relevant app store.
The QR Code displayed MUST be scannable directly by any mobile device camera and resolve into a deep link which will invoke the LFI mobile app on that device. The deep link will result in the User being prompted to complete Multi-Factor Authentication and be presented with a screen that allows them to complete consent authorization.
Where the CTA results in the User installing the LFI mobile app, the LFI must inform the User that they may have to reinitiate the request from the TPP, as the delay introduced in installing and setting up the LFI app is likely to expire the authorization window set by the TPP.
The LFI MUST provide the means for the User to abandon handoff to a mobile device and instead choose to complete Authentication and Authorization using the LFI web channel, where supported.
2.3.1 User Journey
...
2.3.2 Wireframes
...
In a Decoupled Redirection flow, the User uses a deeplink within the User-facing TPP app/website on one device to invoke their LFI app/website on another device using the same redirection mechanism as in https://openfinanceuae.atlassian.net/wiki/spaces/standardsv1rc2standardsv1dot1final/pages/134841313210797603/Authentication+by+LFI#2.-Redirection
...