Authentication

Authentication is the process or action of verifying the identity of a user or process. This is in contrast with identification, which is simply the act of indicating a person or thing's identity; authentication verifies that claimed identity. As the driving requirement of PSD2, SCA insists on multi-factor authentication, an authentication method in which users are granted access only after successfully presenting two or more pieces of evidence (or factors) proving their identity to an authentication mechanism. As shown in the illustration below, these factors can be:

  • knowledge – something the user and only the user knows

  • possession – something the user and only the user has

  • inherence – something the user and only the user is.

When your customers make a payment with their chip-and-PIN card at the supermarket, they are already using SCA (something they know plus something they have). The idea of SCA in Open Banking is to provide the same or better level of security (as EMV, for instance) when users log into their online banking system or a third-party personal finance management app.

In the context of PSD2, SCA applies to “customer-initiated” online payments within Europe. AIS queries and all PIS transfers require SCA. For merchant-initiated recurring payments (also called standing orders), strong authentication is required to initiate the banker's order, but not for the subsequent payments made on the approved date(s) or at the frequency included in the original instructions.

The following diagram shows the most common models for TPP support of SCA.

The Token.io Platform supports all three SCA models — redirect, decoupled, and embedded. Let's take a brief look at each in turn and at how they differ.

Redirect Model

Under this approach, the PSU connects with the TPP but is redirected to the ASPSP's web interface for authentication. Redirection to a mobile app instead uses the decoupled model (discussed next).

Under the redirect model (pictured above), the ASPSP manages SCA interactivity with the user; Token.io's Open Banking APIs are not used for SCA operations.

The advantage of the redirect model is that the bank/ASPSP remains in full control of account holder authentication.

Decoupled Model

Similar to the redirect approach, the decoupled model prompts the PSU to authenticate using the bank's dedicated mobile app on a smartphone or other mobile device, regardless of whether the flow is launched from a browser or from the TPP's mobile app.

The advantage of bank-controlled SCA is the same as in the redirect model, but decoupling gives mobile users a better customer experience.

Embedded Model

The embedded model is executed entirely through the UI presented by the TPP. User verification is handled locally by a trusted identity provider (IDP). This may be the device manufacturer (OEM), where authentication is performed by embedded apps such as Apple Pay, Samsung Pay, and Android Pay, typically using biometric verification (fingerprint scan, iris scan, or Face ID), or an IDP service such as Okta, which evaluates user authenticity based on the correct entry of an OTP.