This space is deprecated and no longer supported. Please use the latest available version here.

Skip to end of metadata
Go to start of metadata

You are viewing an old version of this page. View the current version.

Compare with Current View Page History

« Previous Version 8 Next »

 MENU

1. Introduction

Strong Customer Authentication (SCA) is a generic term used to describe multi-factor user authentication supported by proofs-of-authentication, which came to prominence in the open banking due to its inclusion as a Regulatory Technical Standard (RTS) under PSD2. It sets the requirements for authenticating a Payment Services User - the account-holding customer who is making a payment - that must be adhered to in local law. There are two key provisions that were heavily focused on in creating standards for open banking:

  • An authentication code indicating permission to make a payment must be based on at least two authentication factors: “the authentication shall be based on two or more elements which are categorised as knowledge, possession and inherence and shall result in the generation of an authentication code.” (Article 4.1).

  • The concept of “dynamic linking”, which requires that the the payee and amount are inputs to the creation of authentication codes that indicate proofs that payment has been authorised by the User.

SCA is therefore very strongly allied to multi-factor authentication, and specifically outlines the acceptable factors, namely:

  • Inherence: “Something you are” - a biometric credential indelibly linked to you.

  • Knowledge: “Something you know” - a secret known to you and only you.

  • Possession: “Something you have” - A device that can only be accessed and activated by you.

However, SCA has different implementations across the EU, and the dynamic linking requirement is manifested in a number of different ways. The vast majority of implementations involve the mobile banking app belonging to a bank, but there are two inherent limitations in this approach:

  • Proofs-of-authentication: Invoking a biometric on a given device results in an assertion at the mobile operating system level. This assertion is not, however, especially portable and provides proof only to the app invoking the request for biometric authentication.

  • Alternative SCA providers: Broadening the scope of available identity providers is more cumbersome as the bank is the de facto identity provider in the context of an authentication flow.

Bringing together a best practice based on existing implementations across open banking markets is therefore difficult. However, despite the variance between EU countries the spirit of the RTS can be transposed into multiple, relevant protocols for User authentication that provide an implementation of multi-factor authentication and proofs-of-authentication.

The protocols and implementations included in this page can help provide multi-factor authentication and proofs-of-authentication for participants in an open finance ecosystem. This page is provided as guidance for ecosystem participants, to help them make informed choices in extending authentication options as open finance is extended.

2. FIDO2

FIDO2 is a suite of protocols designed to offer strong proofs-of-authentication while eliminating the reliance on passwords. Unlike app-based biometric authentication it provides proofs-of-authentication based on providing an Authentication Assertion, which is an object signed by a private key resident on a given device. The object signature can be verified by using a corresponding public key, which is held by the Webauthn Relying Party following an enrolment ceremony. Authentication Assertions can also complement FAPI, as the Assertion can be carried in Authorisation Code flow using a custom claim or a standard argument like login_hint.

The diagram below provides the key actors and their dependencies:

FIDO2 protocols are very widely supported on all devices that have come into the market recently, and the Web Authentication (Webauthn) API is supported in all major browsers. FIDO2 is often associated with and considered to be supportive of SCA, due to :

  • Private key provisioned on device: FIDO2 protocols specify that a private key is provisioned on and never leaves an appropriate device (Possession).

  • Interaction is generally through the device biometrics (Inherence).

  • Fallback is allowed to a passcode or password (Knowledge).

FIDO2 also supports dynamic linking requirements. One of the inputs to the invoking the Webauthn API is a challenge that can be set by the Webauthn Relying Party and can include relevant arguments such payee details and amount, encoded as a string. The response to a request for User authentication can provide an authentication code. The FIDO Alliance has long asserted that FIDO2 standards can meet PSD2 requirements, but the standard have continued to evolve without, so far, widespread adoption in open banking. An extension of FIDO2, called Secure Payment Confirmation (SPC), is however already included in 3D Secure so their is some adoption in the banking and payments space.

The following are links to the relevant information on FIDO2:

3. Passkeys

Passkeys are a cross-browser, roaming implementation of FIDO2 credentials, which has been developed by the FIDO Alliance in cooperation with industry protagonists like Apple and Google. Implementing Passkeys is not the preserve of these organisations, however, and both hardware and software vendors are implementing support as a Webauthn Provider or Webauthn Relying Party.

As Passkeys is a FIDO2 implementation it offer the same benefits as the FIDO2 suite of protocols, but adds the ability to synchronise keys between devices and retrieve keys from backup in the case of device loss or failure. SCA is provided in this context by FIDO2, as Passkey is a FIDO2 implementation.

The key point on Passkeys over a new FIDO2 implementation built from scratch is one of scale, due to the fact that existing providers are building out their support for the implementation and thus can readily support proofs-of-authentication in the market. Building a trust framework using Passkeys is therefore, from a technical sense, more straightforward.

The following are links to relevant information on Passkeys:

FIDO Alliance Passkeys Homepage: https://fidoalliance.org/passkeys/

4. OpenID for Verifiable Credentials

OpenID for Verifiable Credentials is a new protocol that extends OpenID to allow presentations of credentials on behalf of users. It is one of the standard proposed to enable the EU Digital Wallet.

Credentials can be stored in a wallet, and tied to specific use cases. Credential issuance is built on OAuth 2.0, and can therefore complement the adoption of FAPI. A bootstrap process for credential issuance is required, which can rely on existing authentication and authorisation flows, but once issued the credentials can be presented in the form of signed JSON Web Token (JWT) that can be verified. The important point here is that the JWT can contain presentation metadata, which can meet dynamic linking requirements.

Applying SCA in this context requires more development, however, as the mechanism for credential retrieval from a wallet has yet to be standardised. Reference implementation for the EU Digital Wallet are currently being built.

The following are links to relevant information on OpenID for Verifiable Credentials:

5. Secure Payment Confirmation

Secure Payment Confirmation (SPC) is an extension of Webauthn built for payments use cases. A Webauthn Relying Party can prompt for a Secure Payment Assertion, which incorporates a user journey that explicitly binds payment parameters with the resultant Assertion. As previously mentioned, SPC is already supported in 3D Secure.

As SPC is an extension of Webauthn it naturally supports SCA and was built specifically to incorporate dynamic linking support. It has not, however, been widely supported in Safari and may also be refactored to complement Passkeys more readily. It also only supports payments use cases, so will need to be complemented by native Webauthn assertions for data sharing requests.

The following are links to relevant information on SPC:

  • No labels