[Openid-specs-fapi] BG/Embedded SCA - Clinically free from OAuth

Torsten Lodderstedt torsten at lodderstedt.net
Sun Jul 26 16:38:22 UTC 2020

> On 26. Jul 2020, at 18:21, Anders Rundgren <anders.rundgren.net at gmail.com> wrote:
> On 2020-07-26 17:52, Torsten Lodderstedt wrote:
> <snip>
>>> My turn for a question: do you think FAPI/OBIE should follow BG?
>> Why should we? The whole embedded stuff is contrary to any security best practice.
> Essentially you are saying that Apple Pay and EMV don't work.

No, I’m saying the BG embedded SCA mode contradicts best security practice. 

I’m not an expert in payments, but here is my take: 

Apple Pay works differently as the credit card is tokenized and I assume Apple never sees the user’s credentials with the bank. 

EMV at the POS is closer to the embedded mode as everything, including the PIN, goes through the terminal. Security is ensured by tight control over the participants - the whole approach is anything but open.

In online use cases, 3DS uses the break-out to let the issuer ask the user for her credentials, which is more OAuth-like.

The world is a bit more complicated than black and white. 

> Regards,
> Anders
