1. Introduction
Strong Customer Authentication (SCA) is a generic term for multi-factor user authentication supported by proofs-of-authentication. It came to prominence in open banking through its inclusion as a Regulatory Technical Standard (RTS) under PSD2. The RTS sets the requirements for authenticating a Payment Services User (the account-holding customer who is making a payment) that must be transposed into local law. Two key provisions were heavily focused on in creating standards for open banking:
An authentication code indicating permission to make a payment must be based on at least two authentication factors: “the authentication shall be based on two or more elements which are categorised as knowledge, possession and inherence and shall result in the generation of an authentication code.” (Article 4.1).
The concept of “dynamic linking”, which requires that the payee and the amount are inputs to the creation of the authentication code, so that the code is a proof that this specific payment, to this payee and for this amount, has been authorised by the User.
SCA is therefore very strongly allied to multi-factor authentication, and specifically names the acceptable factors: knowledge (something only the User knows), possession (something only the User has) and inherence (something the User is).
However, SCA has different implementations across the EU, and the dynamic linking requirement is manifested in a number of different ways. Bringing together a best practice based on existing implementations is therefore difficult. Despite the variance between EU countries, the spirit of the RTS can be transposed into multiple relevant protocols for User authentication that provide multi-factor authentication and proofs-of-authentication.
The protocols and implementations included in this page can help provide multi-factor authentication and proofs-of-authentication for participants in an open finance ecosystem. This page is provided as guidance for ecosystem participants, to help them make informed choices in extending authentication options as open finance is extended.
2. FIDO2
2.1 Links
FIDO Alliance FIDO2 Homepage: https://fidoalliance.org/specifications/
FIDO2 is a suite of protocols designed to offer strong proofs-of-authentication while eliminating reliance on passwords. FIDO2 therefore tends to be associated with and supportive of SCA due to three features:
Private key provisioned on device: FIDO2 protocols specify that a private key is generated on, and never leaves, an appropriate authenticator (Possession).
User verification is generally through the device's biometrics (Inherence).
Fallback to a device PIN or password is allowed (Knowledge).
FIDO2 also supports, through the Web Authentication API (WebAuthn), a challenge supplied by the Relying Party; when that challenge is derived from the payee and the amount, it can meet the dynamic linking requirement. The response to a request for User authentication, known as an Authentication Assertion, is a signature over the authenticator data and a hash of the client data (which carries the challenge and the origin), and so can serve as the authentication code. The FIDO Alliance has long asserted that FIDO2 standards can meet PSD2 requirements, but the standards have continued to evolve without a widespread
3. Passkeys
3.1 Description
Passkeys are a cross-platform, cross-browser implementation of FIDO2 credentials, developed by the FIDO Alliance with industry participants such as Apple and Google.
Passkeys offer the same benefits as the FIDO2 suite of protocols, but add the ability to synchronise keys between devices and to restore keys from backup in the case of device loss or failure. Note that a synchronised passkey's private key is copied to the platform vendor's cloud keychain, so the possession factor then rests on the User's platform account rather than on a single piece of hardware; device-bound passkeys keep the key on one authenticator.
SCA is provided in this context by FIDO2, as a Passkey is a FIDO2 credential. The factors are manifested as follows:
Possession: a User has a device holding a private key, which they bootstrapped using a biometric linked to the device or their device passcode.
Inherence: Biometric authentication through fingerprint or facial recognition.
3.2 Links
FIDO Alliance Passkeys Homepage: https://fidoalliance.org/passkeys/
4. OpenID for Verifiable Credentials
4.1 Description
4.2 Links
Implementers Draft for Credential Issuance: https://openid.net/specs/openid-4-verifiable-credential-issuance-1_0-ID1.html
Implementers Draft for Verifiable Presentations: https://openid.net/specs/openid-4-verifiable-presentations-1_0-ID2.html
5. Secure Payment Confirmation (SPC)
5.1 Description
5.2 Links
SPC Homepage: https://www.w3.org/TR/secure-payment-confirmation/