[Openid-specs-fapi] Issue #147: Anonymous Point of Sale Backchannel Authentication (openid/fapi)

Ralph Bragg ralph.bragg at raidiam.com
Tue Jun 12 17:18:45 UTC 2018


I also meant to say that CIBA supports both flows (for OB), the open banking intent ID can act as an ephemeral sub. A customer could choose to do the identity linkage by scanning a QR code on their phone push to the OP from the OP user agent or by providing an ID to the RP and then push to the OP user agent from the OP.

Both models can be enabled at the customer's choice and depending on device type by a CIBA flow:

Will share the OB deck and workings from the industry working group last week.

We, at least in Europe, cannot stop TPPs from asking PSUs for Banking Identifiers.


From: Openid-specs-fapi <openid-specs-fapi-bounces at lists.openid.net> on behalf of Ralph Bragg via Openid-specs-fapi <openid-specs-fapi at lists.openid.net>
Sent: Tuesday, June 12, 2018 5:56:03 PM
To: Financial API Working Group List; openid-specs-fapi at lists.openid.net
Cc: Ralph Bragg; Sarah Squire
Subject: Re: [Openid-specs-fapi] Issue #147: Anonymous Point of Sale Backchannel Authentication (openid/fapi)

Hi Sarah,

This flow was also presented and discussed, nearly exactly as described in your sequence diagram last week at the Open Banking Workshop (deck is available). It’s a common pattern.

The model does not cater for output-constrained devices, i.e. a fuel station credit card reader.

OB is considering supporting both models.

Kind regards,


From: Openid-specs-fapi <openid-specs-fapi-bounces at lists.openid.net> on behalf of Sarah Squire via Openid-specs-fapi <openid-specs-fapi at lists.openid.net>
Sent: Tuesday, June 12, 2018 5:26:31 PM
To: openid-specs-fapi at lists.openid.net
Cc: Sarah Squire
Subject: [Openid-specs-fapi] Issue #147: Anonymous Point of Sale Backchannel Authentication (openid/fapi)

New issue 147: Anonymous Point of Sale Backchannel Authentication

Sarah Squire:

My team has serious reservations with the fact that CIBA requires users to reveal an identifier to a relying party.

We have a proposal for a new backchannel flow that would allow for one-time-use anonymous pairwise IDs. The use case we had in mind specifically is for point of sale terminals like department stores or gas stations, but it is broadly applicable to many financial and non-financial transactions.

Take a look at our proposal:
