...
LFIs authenticate: The User MUST go through Multi-Factor Authentication (MFA) at their LFI for a User-facing TPP request (i.e. Service Initiation or Data Sharing) to be actioned by the LFI.
Availability of normal authentication methods: The User MUST be able to use the elements they prefer to authenticate with their LFI if supported when interacting directly with their LFI.
Parity of experience: The experience available to a User when authenticating a journey via a User-facing TPP SHOULD involve no more steps, delays or friction in the customer journey than the equivalent experience they have with their LFI when interacting directly.
No unnecessary additional authentication: It is not expected that MFA would be required more than once when facilitating authentication for a single session of data sharing request, or Service Initiation request.No Obstacles: LFIs MUST not create unnecessary delay or friction during authentication including unnecessary or superfluous steps, attributes, or unclear language, e.g. advertising of LFI products or services, language that could discourage the use of User-facing TPP services or additional features that may divert the User from the authentication process.
...
Redirection-based authentication has a range of possible experiences for a User based on whether the User has a an LFI app or not and the device on which the User is consuming the User-facing TPP service.
When using a User-facing TPP for Data Sharing Requests(DSR) and Service Initiation Requests(SIR) User Users MUST be able to authenticate with the LFI using the same authentication methods they are accustomed to using when accessing the LFI directly.
...
Conversely, User-facing TPP may be browser-based only. However, if the User:
...
If a User is using a desktop browser to access the User-facing TPP, then under the redirection model the journey MUST be completed on the LFI browser channel.
Browser-to-Browser Redirection browser redirection is also applicable when:
a) the Useruser-facing TPP is browser-based only
b) the User is using a browser on a mobile device and
...
It is imperative in these circumstances that the LFI browser channel has been optimized for mobile browser browsers and device typetypes.
2.3.1 User Journey
...
2.3.2 Wireframes
...
Again, in these circumstances, it is imperative that the LFI browser channel has been is optimized for mobile browser browsers and device typetypes.
3. Decoupled Redirection
...
In a Decoupled Redirection flow, the User uses a deeplink within the User-facing TPP app/website on one device to invoke their LFI app/website on another device using the same redirection mechanism as in https://openfinanceuae.atlassian.net/wiki/spaces/standardsv1draft2/pages/54526002/Authentication+by+LFI#2.-Redirection
The following User experiences are available using Decouple Redirection:
3.1 Selection of LFI on the First Device
An authentication flow in which a dynamic link (e.g. via a QRCode or NFC) is generated by the User-facing TPP on one device (e.g. desktop/laptop or kiosk) and is scanned by User on another device (e.g. User’s mobile device). This dynamic link will invoke the LFI’s mobile banking app which uses the information from the dynamic link to then redirect the User to process the request after authenticating the User.
...
Guidelines | |
---|---|
1 | User-facing TPPs MUST initially ask the User to identify the LFI so that the consent request can be constructed in line with the LFIs data group and/or service initiation capabilities. |
2 | User-facing TPPs MUST present Users with the authentication options supported by the LFI which in turn can be supported by the User-facing TPP device/channel (e.g. A User-facing TPP kiosk that can only support authentication by LFI mobile app). |
3 | The User-facing TPPs MUST display a code which is scannable or readable ( QRCode/NFC) by another User device. The User-facing TPP MUST present the information on how to use the code with their mobile device (e.g. scan QR code with the mobile phone camera). NOTE: The QRcode MUST be a deep link (as within the Redirection flow) supported by the LFI which MUST invoke the LFI app on scanning. |
4 | User MUST be able to easily scan the code (e.g. scan the code from the Kiosk in this instance) without much friction (like manually entering any URLs). |
5 | After the User scans the code from the User-facing TPP with a device camera, the LFI app MUST be invoked to perform the MFA. |
6 | The LFI app-based authentication MUST have no more than the number of steps that the User would experience when directly accessing the LFI mobile app (biometric, passcode, credentials). |
7 | LFIs SHOULD have an outbound redirection screen which indicates the status of the request and informs the User that they will be automatically taken back to the User-facing TPP. |
8 | LFIs SHOULD inform the User on the outbound redirection screen that their session with the LFI was closed. |
9 | For this experience it is essential that the User-facing TPPs MUST have a web page where the LFI can redirect the control back to the User-facing TPP on the second device. The User-facing TPP must confirm on this mobile web page the successful completion of the request and informs the User to continue on the other device(Kiosk/desktop) where they had started their journey. |
3.2 Selection of LFI on the Second Device
This journey is a variation of the User-facing TPP flow within the standard redirection journey which could be triggered from a non-interactive interface of the User-facing TPP (e.g. advertising board) which then progresses on the User’s mobile device. The LFI selection and consent request happens on the User's mobile device which then invokes the LFI app/webpage on the same device to complete the authorization using a redirection flow.
...
Malformed Authorization Request: The authorization request may be malformed when submitted by the User-facing TPP. For example, it may include an invalid redirection URL, invalid parameters, an invalid signature on the request object etc. OAuth2 and OIDC define a whole list of potential errors. These are abnormal situations which indicate a significant technical issue at the User-facing TPP's end or even an attacker trying to act as a User-facing TPP. For safety (and as per the Standard) the LFI MUST not redirect the User back to the User-facing TPP in such situations. The LFI MUST display an error message and stop the execution at this point. It is at the LFIs’ discretion to display to the User the message they find most appropriate for this error case, however, an error message MUST be displayed.
In this situation, User-facing TPPs do not receive a response from the LFIs about the malformed authorization request. Therefore, User-facing TPPs are not able to display any message to the User in this situation.
The User relies completely on the LFI to be notified about the occurrence of an error.
User interaction error: An error occurred during user interaction, for example, users click on cancel or are unable to validate their credentials, the debtor account in the authorization request does not belong to the User etc. In this case, the LFI MUST redirect the User back to the User-facing TPP and provide in the response the appropriate OIDC error message.
...
Following the above requirements in the case of these error scenarios will prevent occurrences of bad customer experience experiences due to errors managed insufficiently.