[Openid-specs-fapi] Strong MERCHANT Authentication
anders.rundgren.net at gmail.com
Sun Apr 19 15:01:20 UTC 2020
On 2020-04-19 14:24, Francis Pouatcha wrote:
> What you are suggesting (having the user sign his payment order) is the way to go. In order to achieve wide adoption we need to have this integrated and coordinated with existing Open Banking standards and help move all in the same direction. The eIDAS initiative, the EBA institution registry and EBICS key management experience are components to look at, as banks are being mandated by law to deal with them.
My current problem is that the security model underpinning Open Banking APIs is at odds with streamlined payment solutions like Apple Pay (which also signs payment authorizations locally) as well as with W3C's PaymentRequest API. However, the Open Banking folks seem only moderately interested in looking into this, so I'm currently focusing on other bank initiatives like EMPSA, which is clearly after Apple's scalp.
> A new key management scheme will cause more confusion.
> > I must admit that I don't fully understand how this could impact Open Banking. In the depicted scheme User keys are only recognized (and actually readable) by the User Bank.
> Existing open banking initiatives have not foreseen user private key based SCA. Neither do they include existing standards like EBICS. I guess the banking world is not accustomed to end users digitally signing transactions, as it is still not obvious to trust end users protecting those private keys. Progress is being made in this domain.
Apple introduced this back in 2014. They also offer a great UI and seamless Web2Wallet integration.
Open Banking have none of that, there's not even a wallet.
> Let's try to get it adopted by open banking standards.
> Francis Pouatcha
> Co-Founder and Technical Lead at adorys