[Openid-specs-fapi] Issue #121: CIBA: Binding Messages (openid/fapi)

Dave Tonge issues-reply at bitbucket.org
Wed Jul 19 14:02:00 UTC 2017

New issue 121: CIBA: Binding Messages

Dave Tonge:

I'd welcome input from the working group on the use of binding messages for payments. 

The relevant wording in the FAPI CIBA draft profile is:

*NOTE: The binding message is required to protect the user by binding the session on the consumption device with the session on the authentication device. An example use case is when a user is paying at POS terminal. The user will enter their user identifier to start the CIBA flow, the terminal will then display a code, the user will receive a notification on their phone (the authentication device) to ask them to authenticate and authorise the transaction, as part of the authorisation process the user will be shown a code and will be asked to check that it is the same as the one shown on the terminal.*


*7.3 Reliance on user to confirm binding messages*

*In a payments scenario it is possible for a fraudster to start a CIBA flow at the same time as a genuine flow, but using the genuine user’s identifier. If the amount and the client are the same then the only way to ensure that a user is authorising the correct transaction is for the user to compare the binding messages. If this risk is deemed unacceptable then implementers should consider alternative mechanisms to verify binding messages.*

Responsible: dgtonge

More information about the Openid-specs-fapi mailing list