The Standard supports both redirection and decoupled authentication to allow a PSU to use the same authentication mechanisms, whether using an AISP or PISP, as they do accessing their ASPSP directly.
Other pages in this section Get Started Authentication Methods Account Information Services Payment Initiation Services Card Based Payment Instrument Issuers – CBPIIs Dashboards Customer Experience Checklist Appendices Change Log
Overview The EBA notes that “there would appear to currently be three main ways or methods of carrying out the authentication procedure of the PSU through a dedicated interface, and APIs in particular, namely redirection, embedded approaches and decoupled approaches (or a combination thereof). In the cases of redirection and decoupled approaches, PSU’s authentication data is exchanged directly between PSUs and ASPSPs, as opposed to embedded approaches, in which PSU’s authentication data is exchanged between TPPs and ASPSPs through the interface.” PSD2 requires strong customer authentication to be performed in certain circumstances. The RTS requires that this application of strong customer authorisation is based on the use of elements, which are categorised as knowledge (something only the user knows), possession (something only the user possesses) and inherence (something the user is). These elements require adequate security features, which include ensuring that they are applied independently, so that the breach of any element does not compromise the reliability off the other. ASPSPs implementing redirection should note that the FCA Approach document (Payment Services Regulations 2017 and the Electronic Money Regulations 2011) states it is not aware of any reason for ASPSPs to request strong customer authentication more than once when facilitating authentication for a single session of access to account information or a single payment initiation. The Open Banking 2.0 standards specified redirection authentication flows only and the current ASPSP implementations of redirection are predominantly browser-based, whereby the PSU is redirected from the TPP app or website to the ASPSP’s website in order to authenticate. It is essential that when redirection is implemented it also allows for the PSU to use their ASPSP mobile app to authenticate, if the PSU uses this method of authentication when accessing their ASPSP’s channel directly. Redirection has a specific TPP channel and device dependency and therefore cannot support channel agnostic use cases that involve telephony, POS, and IoT devices, or where physical PSU interaction is either not possible or not required within the TPP channel. These use cases can be supported using a decoupled approach to authentication. In view of the above, the Open Banking 3.0 standards will support both redirection and decoupled authentication to allow a PSU to use the same authentication mechanisms while using an AISP or PISP as they use when accessing the ASPSP directly. The general principles that apply relating to authentication are: 1. ASPSPs authenticate: PSU needs to go through a strong customer authentication (SCA) at their ASPSP in order for a TPP request (i.e. access to information or payment initiation) to be actioned by the ASPSP. 2. PSUs must have their normal authentication methods available: A PSU must be able to use the elements they prefer to authenticate with their ASPSP if supported when interacting directly with their ASPSP. 3. Parity of experience: The experience available to a PSU when authenticating a journey via a TPP should involve no more steps, delay or friction in the customer journey than the equivalent experience they have with their ASPSP when interacting directly. 4. Strong Customer Authentication: It is not expected that SCA would be required more than once when facilitating authentication for a single session of access to account information or a single payment initiation. 5. No Obstacles: ASPSPs must not create unnecessary delay or friction during authentication including unnecessary or superfluous steps, attributes, or unclear language, e.g. advertising of ASPSP products or services, language that could discourage the use of TPP services or additional features that may divert the PSU from the authentication process.
App Based Redirection / AIS PSU authentication with the ASPSP using the ASPSP mobile app installed on the same device on which the PSU is consuming the AISP service. View journey App Based Redirection / PIS PSU authentication, with the ASPSP using the ASPSP mobile app installed on the same device on which the PSU is consuming the PISP service. View journey Browser Based Redirection / AIS PSU Authentication with the ASPSP using browser based redirection from an AISP for an AIS request. View journey Browser Based Redirection / PIS PSU Authentication with the ASPSP using browser based redirection for a PIS request. View journey App-to-browser redirection Journeys that swap the user between devices for authentication is part of the open banking experience. It is the physical manifestation of the security and control engendered by open banking. Clear on-screen communication is essential for adoption and conversion. View journey Browser-to-app redirection Journeys that swap the user between devices for authentication is part of the open banking experience. It is the physical manifestation of the security and control engendered by open banking. Clear on-screen communication is essential for adoption and conversion. View journey Redirection with TPP Generated QR code Desktop browser journeys that require the PSU to authenticate on their ASPSP desktop website have lower consent success rates than app-to-app redirection. As a result, it is becoming increasingly common for TPPs to provide PSUs with a way to authenticate using their ASPSP mobile app. View journey Effective use of redirection screens Journeys that swap the user between devices for authentication is part of the open banking experience. It is the physical manifestation of the security and control engendered by open banking. Clear on-screen communication is essential for adoption and conversion. View journey
App Based Redirection / AIS PSU authentication with the ASPSP using the ASPSP mobile app installed on the same device on which the PSU is consuming the AISP service. View journey
App Based Redirection / PIS PSU authentication, with the ASPSP using the ASPSP mobile app installed on the same device on which the PSU is consuming the PISP service. View journey
Browser Based Redirection / AIS PSU Authentication with the ASPSP using browser based redirection from an AISP for an AIS request. View journey
Browser Based Redirection / PIS PSU Authentication with the ASPSP using browser based redirection for a PIS request. View journey
App-to-browser redirection Journeys that swap the user between devices for authentication is part of the open banking experience. It is the physical manifestation of the security and control engendered by open banking. Clear on-screen communication is essential for adoption and conversion. View journey
Browser-to-app redirection Journeys that swap the user between devices for authentication is part of the open banking experience. It is the physical manifestation of the security and control engendered by open banking. Clear on-screen communication is essential for adoption and conversion. View journey
Redirection with TPP Generated QR code Desktop browser journeys that require the PSU to authenticate on their ASPSP desktop website have lower consent success rates than app-to-app redirection. As a result, it is becoming increasingly common for TPPs to provide PSUs with a way to authenticate using their ASPSP mobile app. View journey
Effective use of redirection screens Journeys that swap the user between devices for authentication is part of the open banking experience. It is the physical manifestation of the security and control engendered by open banking. Clear on-screen communication is essential for adoption and conversion. View journey
Decoupled Model A: Static PSU Identifier An authentication flow in which the PSU provides a static identifier to the TPP (AISP/PISP/CBPII) which is then used by the ASPSP to enable the PSU to authenticate in their ASPSP app on a separate device. View journey Decoupled Model B: ASPSP Generated Identifier An authentication flow in which the PSU provides a dynamic identifier, generated by their ASPSP, to the TPP (AISP/PISP/CBPII) which is then used by the ASPSP to identify the PSU authenticate the ASPSP app. View journey Decoupled Model C: TPP Generated Identifier An authentication flow in which the PSU provides a dynamic identifier, generated by the TPP (AISP/PISP/CBPII), used by the ASPSP to identify the PSU through the ASPSP app. View journey Decoupled Model D: PSU with a TPP Account A decoupled authentication flow in which the TPP (AISP/PISP/CBPII) provides the ASPSP a stored PSU identifier from a previous PSU transaction. This is used by the ASPSP to enable the PSU to authenticate using thier ASPSP app on a separate device. View journey
Decoupled Model A: Static PSU Identifier An authentication flow in which the PSU provides a static identifier to the TPP (AISP/PISP/CBPII) which is then used by the ASPSP to enable the PSU to authenticate in their ASPSP app on a separate device. View journey
Decoupled Model B: ASPSP Generated Identifier An authentication flow in which the PSU provides a dynamic identifier, generated by their ASPSP, to the TPP (AISP/PISP/CBPII) which is then used by the ASPSP to identify the PSU authenticate the ASPSP app. View journey
Decoupled Model C: TPP Generated Identifier An authentication flow in which the PSU provides a dynamic identifier, generated by the TPP (AISP/PISP/CBPII), used by the ASPSP to identify the PSU through the ASPSP app. View journey
Decoupled Model D: PSU with a TPP Account A decoupled authentication flow in which the TPP (AISP/PISP/CBPII) provides the ASPSP a stored PSU identifier from a previous PSU transaction. This is used by the ASPSP to enable the PSU to authenticate using thier ASPSP app on a separate device. View journey
ASPSP applies an available exemption SCA and the application of exemptions are solely within the domain of the ASPSP. When the ASPSP determines an exemption is applicable to a payment order, they may choose not to apply SCA. View journey Using an Available Exemption with a Customer Identifier After the PSU has successfully initiated a payment through a PISP, and saved details for future use, this journey can be used for subsequent transactions. View journey
ASPSP applies an available exemption SCA and the application of exemptions are solely within the domain of the ASPSP. When the ASPSP determines an exemption is applicable to a payment order, they may choose not to apply SCA. View journey
Using an Available Exemption with a Customer Identifier After the PSU has successfully initiated a payment through a PISP, and saved details for future use, this journey can be used for subsequent transactions. View journey