[Openid-specs-fapi] BG/Embedded SCA - Clinically free from OAuth
Anders Rundgren
anders.rundgren.net at gmail.com
Sun Jul 26 16:59:49 UTC 2020
On 2020-07-26 18:38, Torsten Lodderstedt wrote:
>
>
>> On 26. Jul 2020, at 18:21, Anders Rundgren <anders.rundgren.net at gmail.com> wrote:
>>
>> On 2020-07-26 17:52, Torsten Lodderstedt wrote:
>> <snip>
>>>>
>>>> My turn for a question: do you think FAPI/OBIE should follow BG?
>>> Why should we? The whole embedded stuff is contrary to any security best practice.
>>
>> Essentially you are saying that Apple Pay and EMV don't work.
>
> No, I’m saying the BG embedded SCA mode contradicts best security practice.
It can be as secure as the targeted payment scheme is.
> I’m not an expert in payments, but here is my take:
>
> Apple Pay works differently as the credit card is tokenized and I assume Apple never sees the user’s credentials with the bank.
Correct. This can be achieved with a suitable Embedded SCA scheme which then can offer a payment experience that is comparable to Apple Pay which is the explicit goal.
That's all.
Regards,
Anders
>
> EMV at the POS is closer to the embedded mode as everything, including the PIN, goes through the terminal. Security is ensured by tight control over the participants - the whole approach is everything but open.
>
> In online use cases, 3DS uses the break out to let the issuer ask the user for her credentials, which is more OAuth alike.
>
> The world is a bit more complicated than black and white.
>
>>
>> Regards,
>> Anders