...
It is imperative in these circumstances that the LFI browser channel has been optimized for mobile browsers and device types.
The following alternative experience MUST be implemented by LFIs to allow customers to use their mobile banking app to complete Authentication and Authorization:
The LFI MUST support a web-based landing page that opens on redirection with a Call to Action (CTA) to trigger an interaction using the User’s mobile banking app.
The CTA provided on the page must be:

- For non-mobile devices, a QR Code that can be scanned by the User. Directions must be displayed that indicate to the User that they must scan the QR Code with a device that has the LFI app installed.
- For mobile devices without the LFI app installed, a CTA that enables the User to download the app from the relevant app store.
The QR Code displayed MUST be scannable directly by any mobile device camera and resolve into a deep link which will invoke the LFI mobile app on that device. The deep link will result in the User being prompted to complete Multi-Factor Authentication and be presented with a screen that allows them to complete consent authorization.
Where the CTA results in the User installing the LFI mobile app, the LFI must inform the User that they may have to reinitiate the request from the TPP, as the delay introduced in installing and setting up the LFI app is likely to expire the authorization window set by the TPP.
The LFI MUST provide the means for the User to abandon handoff to a mobile device and instead choose to complete Authentication and Authorization using the LFI web channel, where supported.
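The QR-code handoff described above, as an added illustration that is not part of the standard or of any LFI's implementation: a server-side sketch of how an LFI landing page could mint a one-time deep link bound to the pending authorization, enforce a lifetime shorter than the TPP's authorization window, and invalidate the handoff when the User chooses to continue in the web channel. The link host, query parameters and lifetime are assumptions; the standard does not fix a deep-link format.

```python
import hashlib, hmac, secrets, time
from dataclasses import dataclass
from typing import Optional
from urllib.parse import parse_qs, urlencode, urlparse

# Assumed values: the standard does not fix a deep-link format or a handoff lifetime.
LFI_APP_LINK = "https://app.example-lfi.ae/authorize"  # App/Universal Link owned by the LFI app
HANDOFF_TTL_SECONDS = 300  # keep this below the TPP's authorization window

@dataclass
class HandoffTicket:
    auth_request_id: str  # the pending TPP authorization the handoff is bound to
    issued_at: float
    redeemed: bool = False

class HandoffService:
    """Server-side state behind the LFI landing page (constructed example)."""
    def __init__(self, signing_key: bytes):
        self._key = signing_key
        self._tickets: dict[str, HandoffTicket] = {}

    def _sign(self, ticket_id: str) -> str:
        return hmac.new(self._key, ticket_id.encode(), hashlib.sha256).hexdigest()[:32]

    def create_deep_link(self, auth_request_id: str, now: Optional[float] = None) -> str:
        """Mint a one-time ticket and return the URL to encode in the QR code."""
        now = time.time() if now is None else now
        ticket_id = secrets.token_urlsafe(16)
        self._tickets[ticket_id] = HandoffTicket(auth_request_id, now)
        return LFI_APP_LINK + "?" + urlencode({"t": ticket_id, "s": self._sign(ticket_id)})

    def redeem(self, ticket_id: str, sig: str, now: Optional[float] = None) -> Optional[str]:
        """Called when the LFI app opens the link; returns the bound request id, or None."""
        now = time.time() if now is None else now
        ticket = self._tickets.get(ticket_id)
        if ticket is None or not hmac.compare_digest(sig, self._sign(ticket_id)):
            return None  # unknown ticket or tampered link
        if ticket.redeemed or now - ticket.issued_at > HANDOFF_TTL_SECONDS:
            return None  # replay, or the User took too long (e.g. installed the app first)
        ticket.redeemed = True
        return ticket.auth_request_id  # the app now drives MFA and consent for this request

    def abandon(self, ticket_id: str) -> None:
        """User chose to continue in the LFI web channel: invalidate the handoff."""
        self._tickets.pop(ticket_id, None)

def parse_deep_link(url: str) -> tuple[str, str]:
    """Extract (ticket_id, signature) from the link, as the LFI app would on launch."""
    params = parse_qs(urlparse(url).query)
    return params["t"][0], params["s"][0]
```

A ticket that is redeemed after the TPP's own window has closed still needs the app to re-check that window, which is why the page tells the LFI to warn a User who had to install the app first.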
2.3.1 User Journey
...
2.3.2 Wireframes
...
| # | Rules & Guidelines |
|---|---|
| 1 | User-facing TPPs MUST initially ask the User to identify the LFI so that the consent request can be constructed in line with the LFI's data group and/or service initiation capabilities. |
| 2 | User-facing TPPs SHOULD make the User aware on the inbound redirection screen (User-facing TPP to LFI) that they will be taken to their LFI for authentication for data sharing. |
| 3 | The redirection MUST take the User to the LFI web page (desktop/mobile) for authentication purposes only, without introducing any additional screens. The web-based authentication MUST have no more than the number of steps that the User would experience when directly accessing the web-based LFI channel (desktop/mobile). |
| 4 | After authentication, the User MUST be deep linked within the app to confirm the account(s) to which they would like the User-facing TPP to have access. |
| 5 | LFIs SHOULD have an outbound redirection screen which indicates the status of the request and informs the User that they will be automatically taken back to the User-facing TPP. |
| 6 | LFIs SHOULD inform the User on the outbound redirection screen that their session with the LFI was closed. |
| 7 | User-facing TPPs SHOULD confirm the successful completion of the Open Banking Service Request (DSR, SIR). |
...
In a Decoupled Redirection flow, the User uses a deep link within the User-facing TPP app/website on one device to invoke their LFI app/website on another device, using the same redirection mechanism as in https://openfinanceuae.atlassian.net/wiki/spaces/standardsv1rc2standardsv1dot1final/pages/134841313210797603/Authentication+by+LFI#2.-Redirection
...