Redirection Based Authentication
App-to-browser redirection – AIS
It is possible that a PSU using a mobile device does not have their ASPSP mobile app installed, or their ASPSP does not provide an app at all. In these instances, the TPP app will need to launch the native mobile browser in order to present the PSU with their ASPSP’s web channel to authenticate.
It is imperative in these circumstances that the browser channel has been optimised for mobile browser and device type.
Conversely, a TPP may be browser only, but this should not preclude a PSU from having their ASPSP app invoked if the PSU is using a mobile browser and has the ASPSP app installed on their device. In this situation, the TPP browser should invoke the app for authentication and following authentication, the PSU needs to be redirected back to the TPP browser.
If a PSU is using a desktop to access the TPP, then under the redirection model the journey will have to be completed on the ASPSP browser channel. Only with Decoupled authentication can the PSU use their app to authenticate in this situation.
Effective use of redirection screens
Within a typical redirection journey, a customer is presented with two redirection screens:
- Inbound redirection screen (from TPP to ASPSP) – owned by the TPP – from the TPP domain to the ASPSP domain, after the PSU has provided consent to the TPP for the account information or payment initiation service. For the avoidance of doubt, ASPSPs must not present any additional inbound redirection screens.
- Outbound redirection screen (from ASPSP to TPP) – owned by the ASPSP – from the ASPSP domain to the TPP domain, after the ASPSP has authenticated the PSU.
The research has suggested that the redirection screens are a useful part of the process, providing customer trust. The following reasons are noted:
- They help customers navigate their online journey and inform them of what is going to happen next.
- They help create a clear sense of separation between the TPP’s domain and the ASPSP’s domain.
The research has suggested that the messaging on the redirection screens serves to reassure the customer that they are in control and helps engender trust. For example, customers will be more willing to trust the process if they feel there is a partner (TPP or ASPSP) on their side that is known and reputable (use language such as ‘we’, ‘our’). In this sense, the use of words that indicate that the customer is in control and taking the lead are key, as these are indications that the TPP or the ASPSP is working with or for the customer.