[Openid-specs-fapi] Fwd: Letter from Vice-President Valdis Dombrovskis: Comments about Redirection
anders.rundgren.net at gmail.com
Wed Mar 13 07:31:36 UTC 2019
A related discussion found on the quite active https://open-banking-global.slack.com forum:
I believe it really boils down to "who owns the customer", rather than to security.
If the TTP is trustworthy (like Amazon and PayPal) they can surely authenticate customers themselves after once having been granted access.
However, this discriminates smaller players who won't be able to provide streamlined authentication solutions (issuing FIDO tokens doesn't automatically make you a TTP).
The root of the problem lies in the fact that the regulators didn't realize that payments as a freestanding activity and payments as a part of banking currently use entirely different solutions. They also missed that the industry is moving towards "converged" payments. Other parties use dated methods for establishing new payment concepts like the NFC Forum:
It will take many years cleaning up this mess. If it is even possible.
More information about the Openid-specs-fapi