[Openid-specs-fapi] Issue #295: Possible support for "embedded" SCA mode (openid/fapi)
joseph at authlete.com
Thu Jun 4 13:06:17 UTC 2020
> On 4 Jun 2020, at 13:28, Anders Rundgren <anders.rundgren.net at gmail.com> wrote:
> On 2020-06-04 12:02, Joseph Heenan wrote:
>> The various mechanisms FAPI supports, including CIBA and the embedded proposal under discussion, are all suitable for the initial user onboarding/binding of the user and (by using refresh tokens) for creating persistent sessions from the TPP to the bank for that user,
> Right, this is indeed what the Saturn PoC uses although the NextGenPSD2 "authorize" doesn't provide the necessary identity component. Maybe FAPI does?
Identity is covered by OpenID Connect.
>> and that no changes are necessary to the “security” protocols to enable the EMV use case supporting functional APIs you’re describing?
> Almost, this scheme builds on the assumption that a "TPP" (which in most cases would be entirely local to the bank) dealing with EMV transactions, would not be bothered by SCA or consents beyond the initial (one-time) bootstrap.
Correct, this is how you would do this in FAPI. If the bank wants to allow a TPP long lived or permanent access then they would issue long lived refresh tokens and not enforce any later SCA at the bank side.
The solution would still need to be compliant with the law so within the EU someone somewhere would have to be doing SCA to the level required by law, but the law absolutely allows SCA to be done by someone other than the bank.
> Anyway, this is just a proposal, albeit pretty extensively tested. If you or somebody else have any better idea on how to get EMV into Open Banking, I and hordes of other people are all ears!
I don’t see why we need new ideas when what we already have in FAPI, and the extensions around embedded being proposed in this thread, already work for the EMV use case.
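As an added illustration that is not part of this thread, the FAPI specifications or any Authlete code, the following constructed Python sketch shows the bank-side policy described above: SCA is recorded once at consent bootstrap, a refresh token bound to the TPP's mTLS client certificate (an x5t#S256 thumbprint in the style of RFC 8705) is issued, and later refresh grants check the certificate binding, the consent's absolute lifetime and revocation, and rotate the token, but never re-prompt the user for SCA. The class and method names, the in-memory storage layout and the sample certificate bytes are assumptions made for the example.

```python
"""Constructed illustration of a bank-side refresh grant where SCA happens
once at consent bootstrap and later access is governed only by the token's
certificate binding and the consent's lifetime. Not FAPI reference code."""
import base64
import hashlib
import secrets
from dataclasses import dataclass
from typing import Dict, Optional


@dataclass
class Consent:
    consent_id: str
    client_id: str                    # the TPP that holds this consent
    sca_completed_at: Optional[float]  # set once, when the user completes SCA at onboarding
    expires_at: float                 # absolute end of the delegated access (bank policy)
    revoked: bool = False


@dataclass
class RefreshToken:
    value: str
    consent_id: str
    cert_thumbprint: str              # x5t#S256 of the TPP's mTLS client certificate


def cert_thumbprint(cert_der: bytes) -> str:
    """x5t#S256 as in RFC 8705: base64url(SHA-256(DER certificate)), unpadded."""
    digest = hashlib.sha256(cert_der).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")


class AuthorizationServer:
    """Hypothetical bank AS keeping consents and refresh tokens in memory."""

    def __init__(self) -> None:
        self.consents: Dict[str, Consent] = {}
        self.refresh_tokens: Dict[str, RefreshToken] = {}

    def register_consent(self, consent: Consent) -> None:
        self.consents[consent.consent_id] = consent

    def issue_refresh_token(self, consent_id: str, cert_der: bytes, now: float) -> Optional[RefreshToken]:
        """Issue a long-lived refresh token only for a consent whose bootstrap SCA is done."""
        consent = self.consents.get(consent_id)
        if consent is None or consent.revoked or consent.sca_completed_at is None:
            return None
        if now >= consent.expires_at:
            return None
        token = RefreshToken(secrets.token_urlsafe(32), consent_id, cert_thumbprint(cert_der))
        self.refresh_tokens[token.value] = token
        return token

    def refresh_grant(self, presented: str, cert_der: bytes, now: float) -> dict:
        """Handle grant_type=refresh_token. No SCA here: it was done at bootstrap."""
        token = self.refresh_tokens.get(presented)
        if token is None:
            return {"error": "invalid_grant"}
        # Wrong client certificate: the token was replayed from another key, so
        # reject and invalidate it rather than just returning an error.
        if token.cert_thumbprint != cert_thumbprint(cert_der):
            del self.refresh_tokens[presented]
            return {"error": "invalid_grant"}
        consent = self.consents[token.consent_id]
        if consent.revoked or now >= consent.expires_at:
            del self.refresh_tokens[presented]
            return {"error": "invalid_grant"}
        # Rotate: the presented token is consumed and a fresh one is issued.
        del self.refresh_tokens[presented]
        new_token = self.issue_refresh_token(token.consent_id, cert_der, now)
        assert new_token is not None  # consent was just checked above
        return {
            "access_token": secrets.token_urlsafe(32),
            "token_type": "Bearer",
            "expires_in": 300,
            "refresh_token": new_token.value,
        }


if __name__ == "__main__":
    # Constructed sample: one onboarded consent, one TPP certificate (fake DER bytes).
    bank = AuthorizationServer()
    bank.register_consent(Consent("consent-1", "tpp-1", sca_completed_at=1000.0, expires_at=2000.0))
    tpp_cert = b"constructed-der-bytes-for-tpp-1"
    first = bank.issue_refresh_token("consent-1", tpp_cert, now=1001.0)
    print("refresh without SCA:", bank.refresh_grant(first.value, tpp_cert, now=1500.0))
    print("replay of rotated token:", bank.refresh_grant(first.value, tpp_cert, now=1501.0))
```

The certificate check is what keeps "no SCA on refresh" from becoming "anyone holding the string gets access": a refresh token only works from the client key it was issued to, and the consent's `expires_at` is where the bank's long-lived-access policy lives.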