3.0 Authentication Methods

3.1 Overview

The API Standards will support both redirection and decoupled authentication to allow a Customer to use the same authentication mechanisms while using a Third Party as they use when accessing the API Provider directly.

The general principles that apply relating to authentication are:

  1. API Providers authenticate a Customer: A Third Party request (i.e., for access to information or payment initiation) must go through Strong Customer Authentication (SCA) at the Customer’s API Provider, and that authentication must be actioned by the API Provider.

  2. Customers should have their normal authentication methods available: A Customer should be able to authenticate with their API Provider using the authentication elements they prefer, provided those elements are supported when the Customer interacts directly with their API Provider.

  3. Parity of experience: The Customer experience when authenticating within a journey with a Third Party should involve no more delay or friction than the equivalent experience with their API Provider.

  4. Once per session SCA: SCA should not be required more than once for a single session of access to account information or a single payment initiation.

  5. No Obstacles: API Providers should not create unnecessary delay or friction during authentication, including unnecessary or superfluous steps, attributes, or unclear language, e.g., advertising of API Providers’ products or services, language that could discourage the use of Third Party services, or additional features that may divert the Customer from the authentication process (with the potential exception of services provided to vulnerable Customers).

3.2 Redirection based authentication

3.2.1 Browser based redirection - Account Information Services (AIS)

Customer authentication with the API Provider using browser based redirection from a Third Party for an Account Information Services request.

This enables a Customer to authenticate with their API Provider while using a Third Party for Account Information Services, using the same web based authentication method which the Customer uses when accessing the API Provider web channel directly.

This model applies when the Customer is consuming the Third Party service on a device that does not have the API Provider mobile app installed, or when the Customer does not have the API Provider mobile app at all.

3.2.2 Browser based redirection - Payment Initiation Services (PIS)

Customer authentication with the API Provider using browser based redirection for a Payment Initiation Service request.

This enables a Customer to authenticate with their API Provider while using a Third Party for the Payment Initiation Service, using the same web based authentication method which they use when accessing the API Provider web channel directly.

This model applies when the Customer is consuming the Third Party service on a device that does not have the API Provider mobile app installed, or when the Customer does not have the API Provider mobile app at all. It is applicable both to one-time payment initiation customer journeys and to establishing an Enduring Payment Consent.

Variations

There are variations to this process. We have not shown the full journey breakdown for these variations but have listed them below (to be expanded upon as variations in use are identified through implementation):

  1. The select account step (now as part of the first step – entering account details) could happen after the authentication step and will take place in the API Provider’s environment instead of the Third Party environment.

3.2.3 App based redirection - Account Information Services

Customer authentication with the API Provider using the API Provider mobile app installed on the same device on which the Customer is consuming the Third Party service.

This enables the Customer to authenticate with the API Provider while using a Third Party for Account Information Services, using the same API Provider app based authentication method which they use when accessing the API Provider mobile channel directly.

The Third Party service may be web based or app based. The redirection should directly invoke the API Provider app to enable the Customer to authenticate, and should not require the Customer to provide any Customer identifier or other credentials to the Third Party. Redirections can only be done on the same device.