This white paper examines the different authentication models that could apply within the interactions of a Third Party Provider and an Account Servicing Payment Service Provider. It proposes the FIDO standards as a solution to simplify the user experience, for any of these models, in a way that meets the Strong Customer Authentication requirements of PSD2.

When PSD2 is deployed in Europe, users will be able to take advantage of services offered by Third Party Providers (TPPs) to trigger payments or to view account information. These users will typically start interacting on the TPP’s user interface. However, at the point when a TPP will request from an Account Servicing Payment Service Provider (ASPSP) access to a user’s account(s), the PSD2 Regulatory Technical Standards (RTS) for Strong Customer Authentication (SCA) require that the user be strongly authenticated by the ASPSP and demonstrate that he/she has provided consent for the operation that the TPP is requesting to execute.

The Strong Customer Authentication requirement introduces challenges in the customer experience as there are no longer just two parties involved, the user and its bank, but three: The end user journey starts and ends on the TPP’s user interface.

TPPs will interface with the ASPSPs via open APIs. A number of standardization bodies have released drafts of such Open APIs, for example, the Open Banking Implementation Entity (OBIE) in the UK, STET in France and the Berlin Group for various European countries.

These specifications describe how Strong Customer Authentication should be implemented and several models have been defined, if not (yet) fully specified: the redirection, decoupled and embedded models. At the time of this paper’s release, a potential delegated model is also being discussed. These models vary in the way the user interacts with the TPP and the ASPSP and have a deep impact on both the user experience and the security of the user’s financial accounts.

This paper examines the advantages and drawbacks of the different SCA compliant authentication models and outlines how FIDO compliant solutions deliver the best user experience in any of these models, in a way that meets the needs of TPPs and ASPSPs.


More

Technical Note: FIDO Authentication and EMV 3-D Secure – Using FIDO for Payment Authentication

The FIDO Alliance defines standards that enable strong consumer authentication and seeks to use those…

Read More →

White Paper: FIDO Transaction Confirmation

Besides generic session authentication, there is an increasing need to gather explicit user consent for…

Read More →

White Paper: CXO Explanation: Why Use FIDO for Passwordless Employee Logins?

Today, secure access to online applications and services has evolved into a framework reliant on…

Read More →