[Openid-specs-fapi] The FAPI Security Model - Under Fire

Anders Rundgren anders.rundgren.net at gmail.com
Sun Feb 25 07:07:08 UTC 2018

On 2018-02-25 03:44, n-sakimura via Openid-specs-fapi wrote:
> Could you guys please elaborate a little more?

Note: If this list is exclusively intended for discussing pure technical issues with the specification rather than the environment where it is supposed to be used, this message has landed in the wrong forum.

As far as I understand the decoupled authentication model is indeed used by US TTPs like "Venmo" and "Zelle".

However, all these systems are proprietary and secret so I'm just guessing here.

Going back to the UK and EU, the idea is that independent payment providers compete with fees, core features, and user interfaces.  This can only be realized if each of them runs a network of their own [1] including authentication of customers.

This has major implications beyond security.  In theory this concept will foster innovation and competition. In practice it will probably rather lead to fragmentation [2] and, after an expected shakeout [3], reduce the number of national players to one or two, which is essentially the opposite of the (good) intention.

The Scandinavian banks separated their Open Banking and Mobile Payment efforts with exceptionally good results (adoption rate) for the latter.


[1] "Pass-through" services like PISPs offer limited power and flexibility
[2] All "Apps" behave differently, making consumers and merchants unhappy
[3] The current consolidation among payment providers shows that volume is everything

> Nat Sakimura
> This e-mail may contain confidential information intended only for the named recipient. If you have received it in error, please notify the sender and delete this e-mail.
> PLEASE READ:This e-mail is confidential and intended for the named recipient only. If you are not an intended recipient, please notify the sender and delete this e-mail.
> *From:* Openid-specs-fapi <openid-specs-fapi-bounces at lists.openid.net> on behalf of Tom Jones via Openid-specs-fapi <openid-specs-fapi at lists.openid.net>
> *Sent:* Sunday, February 25, 2018 4:24:06 AM
> *To:* Financial API Working Group List
> *Cc:* Tom Jones
> *Subject:* Re: [Openid-specs-fapi] The FAPI Security Model - Under Fire
> yeah, that fits the UK business model.
> It won't fly in the US however.
> Peace ..tom
> On Thu, Feb 22, 2018 at 11:53 PM, Anders Rundgren via Openid-specs-fapi <openid-specs-fapi at lists.openid.net <mailto:openid-specs-fapi at lists.openid.net>> wrote:
>     Hi FAPIers,
>     As a curious person I have always wondered how Open Banking/PISP/SCA would combine with Amazon's famous one-click checkout.
>     Various LinkedIn and Slack conversations have revealed the (ugly?) truth.
>     The intention (at least in the UK) is giving OAuth tokens "eternal life" and rather letting PISPs (Amazon is expected to be one) deal with payer authorization.  This faithfully emulates the "card-on-file" system that powers most US based super providers.
>     Cheers,
>     Anders
>     _______________________________________________
>     Openid-specs-fapi mailing list
>     Openid-specs-fapi at lists.openid.net <mailto:Openid-specs-fapi at lists.openid.net>
>     http://lists.openid.net/mailman/listinfo/openid-specs-fapi <http://lists.openid.net/mailman/listinfo/openid-specs-fapi>
