<div dir="ltr"><div dir="ltr"><div dir="ltr"><div class="gmail_default"><font face="trebuchet ms, sans-serif">I agree with Philippe - I think the issue they are worried about is that TPPs and Banks are in competition. Therefore there is a worry that the bank has an incentive to add obstacles to the redirect journey as that gives them a competitive advantage. The legislation prohibits banks from introducing such obstacles - but it is very difficult to enforce this in practice. </font></div><div class="gmail_default"><font face="trebuchet ms, sans-serif"><br></font></div><div class="gmail_default"><font face="trebuchet ms, sans-serif">From my perspective, it is all an incentives problem. Most of the banks don't want to be identity providers and open up access to third parties. They are being forced to do this and therefore have no incentive to provide a seamless redirect experience. Compare this with Google / Facebook who have an incentive to get as many people as possible to use them as identity providers. </font></div><div class="gmail_default"><font face="trebuchet ms, sans-serif"><br></font></div><div class="gmail_default"><font face="trebuchet ms, sans-serif">Unfortunately what I believe Mr Dombrovskis misses is the fact that the customer is both a customer of the bank and of the TPP and as the bank is fully responsible for implementing "Strong Customer Authentication" and for detecting fraud then the journey that enables the bank to best protect the end-user must involve a redirect to the bank. </font></div><div class="gmail_default"><font face="trebuchet ms, sans-serif"><br></font></div><div class="gmail_default"><font face="trebuchet ms, sans-serif">Ultimately I think that competition between the banks will improve redirect-based customer journeys. If as a customer I found it easy to use valuable third party services with my accounts at Bank A, but must harder to use such services with my accounts at Bank B - I have an incentive to move all my accounts to Bank A. Such push factors depend on:</font></div><div class="gmail_default"><font face="trebuchet ms, sans-serif"> - third party services being useful / valuable enough</font></div><div class="gmail_default"><font face="trebuchet ms, sans-serif"> - banks not operating in an anti-competitive oligopoly</font></div><div class="gmail_default"><font face="trebuchet ms, sans-serif"> - customers being able to easily switch banks</font></div><div class="gmail_default"><font face="trebuchet ms, sans-serif"><br></font></div><div class="gmail_default"><font face="trebuchet ms, sans-serif">I agree with Torsten that an official letter could be useful.</font></div><div class="gmail_default"><font face="trebuchet ms, sans-serif"><br></font></div><div class="gmail_default"><font face="trebuchet ms, sans-serif">Dave</font></div><div class="gmail_default"><font face="trebuchet ms, sans-serif"><br></font></div><div class="gmail_default"><br></div></div></div></div><br><div class="gmail_quote"><div dir="ltr" class="gmail_attr">On Sat, 9 Mar 2019 at 21:40, Torsten Lodderstedt via Openid-specs-fapi <<a href="mailto:openid-specs-fapi@lists.openid.net">openid-specs-fapi@lists.openid.net</a>> wrote:<br></div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex"><div dir="auto"><div dir="ltr"></div><div dir="ltr">I‘m not sure we will come to a reasonable conclusion by trying to interpret Mr. <span style="background-color:rgba(255,255,255,0)">Dombrovski‘s statement. What do you think about sending him an official letter and pointing out the contradictions? I mean most identity systems work using redirects, even those very, very focused on user experience.</span></div><div dir="ltr"><br>Am 09.03.2019 um 18:31 schrieb Henrik Biering via Openid-specs-fapi <<a href="mailto:openid-specs-fapi@lists.openid.net" target="_blank">openid-specs-fapi@lists.openid.net</a>>:<br><br></div><blockquote type="cite"><div dir="ltr">
<p>Probably Mr Dombrovski has been presented with the Danish "NemID"
a <i>previously</i> bank owned eID where service providers place
a login applet on their own webpage. The 2. factor (which is
partly optional for banks) has been paperbased ch/resp. But most
recently an app redirect option has been available (and popular).
But it is implemented in a way that still makes NemID extremely
susceptible to realtime phishing.<br>
</p>
<p>There is no possibility for ordinary users to distinguish real
RP's from fake - and not even requirements for authorized RP's to
used encrypted connections.</p>
<p>It was originally planned to notify NemID under eIDAS by simply
defining NemID to have the desired security level in the "National
Standard for the Security Level of Identities". But as a result of
a public hearing this "security by mere aspiration" definition was
removed. And there is currently no intention from Danish
authorities to notify NemID under eIDAS. This is planned for a
next generation eID labeled "MitID" that will most likely be
introduced in 2021.</p>
<p>So in short the Danish eID with the new 2. factor app actually
uses redirection, but implemented in a way that still does not
qualify it to be notified as an eID under the eIDAS scheme.</p>
<p>FYI: Here is an article from the leading Danish IT-newssite
Version2 (hoping that it translates reasonably using online
translation services):<br>
<a href="https://www.version2.dk/artikel/digitaliseringsstyrelsen-efter-udvikler-angreb-ja-nemid-saarbar-phishing-1086131" target="_blank">https://www.version2.dk/artikel/digitaliseringsstyrelsen-efter-udvikler-angreb-ja-nemid-saarbar-phishing-1086131</a></p>
<p>Best,<br>
Henrik Biering<br>
</p>
<div class="gmail-m_1092147871139622171moz-cite-prefix">Den 09-03-2019 kl. 15:30 skrev nat via
Openid-specs-fapi:<br>
</div>
<blockquote type="cite">Restarting
the thread as I want to make a youtube video on this one and want
to hear your opinions.
<br>
<br>
So, Mr Dombrovskis says:
<br>
<br>
"I would like to encourage industry players to shift their
attention away from authentication methods that are redirecting
TPP customers to the banks' webpages (or apps). This cannot be the
basis for innovative and competitive European payment services.
Instead, the focus should in my view be on the development of
convenient and secure new authentication methods. Such new forms
of authentication, which are now more and more widely used, can be
linked to e-IDs, issued by public authorities or private entities
as in the Nordic countries, that may be used by customers with
numerous market participants..."
<br>
<br>
What I do not understand is that why he thinks "Such new forms of
authentication" does not involve a redirect.
<br>
As far as I understand, "private entities as in the Nordic
countries" uses either SAML or OpenID Connect and make use of
"redirect" to perform the user authentication that is linked to
e-IDs, and they are provided by banks. If I am right, then the
above statement is saying:
<br>
<br>
"Shift their attention away from authentication methods that are
redirecting TPP customers to the banks' webpages (or apps) to
authentication methods that are redirecting TPP customers to the
banks' webpages (or apps)."
<br>
<br>
It just does not make sense...
<br>
<br>
I could go on with a generic Youtube video showing how redirecting
can be non-intrusing but I wanted to understand the above
statement better.
<br>
<br>
Best,
<br>
<br>
Nat
<br>
<br>
On 2019-02-22 18:25, Dave Tonge via Openid-specs-fapi wrote:
<br>
<blockquote type="cite">Dear FAPI WG
<br>
<br>
I just received this and think it may be of interest to you:
<br>
<br>
Please find attached a letter and attachment from Commission
Vice
<br>
President Dombrovskis.
<br>
<br>
He has made some discouraging comments about redirection to
webpages
<br>
and apps:
<br>
<br>
“I WOULD LIKE TO ENCOURAGE INDUSTRY PLAYERS TO SHIFT THEIR
ATTENTION
<br>
AWAY FROM AUTHENTICATION METHODS THAT ARE REDIRECTING TPP
CUSTOMERS TO
<br>
THE BANKS' WEBPAGES (OR APPS). THIS CANNOT BE THE BASIS
FOR
<br>
INNOVATIVE AND COMPETITIVE EUROPEAN PAYMENT SERVICES. Instead,
the
<br>
focus should in my view be on the development of convenient and
secure
<br>
new authentication methods. Such new forms of authentication,
which
<br>
are now more and more widely used, can be linked to e-IDs,
issued by
<br>
public authorities or private entities as in the Nordic
countries,
<br>
that may be used by customers with numerous market
participants…”
<br>
<br>
…“I also invite industry players to work together to find
<br>
practical solutions to other problems that payment initiation
service
<br>
and/or account information service providers are facing. One of
them
<br>
is the regular renewal, every 90 days, of consent for the TPPs’
<br>
access to accounts. This consent renewal requires STRONG
CUSTOMER
<br>
AUTHENTICATION, WHICH WOULD BE A MAJOR INCONVENIENCE IF DONE FOR
EACH
<br>
BANK USING CONVENTIONAL AUTHENTICATION METHODS AND POSSIBLY
<br>
REDIRECTION TO THE BANKS’ AUTHENTICATION PAGES.”
<br>
<br>
Dave
<br>
_______________________________________________
<br>
Openid-specs-fapi mailing list
<br>
<a class="gmail-m_1092147871139622171moz-txt-link-abbreviated" href="mailto:Openid-specs-fapi@lists.openid.net" target="_blank">Openid-specs-fapi@lists.openid.net</a>
<br>
<a class="gmail-m_1092147871139622171moz-txt-link-freetext" href="http://lists.openid.net/mailman/listinfo/openid-specs-fapi" target="_blank">http://lists.openid.net/mailman/listinfo/openid-specs-fapi</a>
<br>
</blockquote>
_______________________________________________
<br>
Openid-specs-fapi mailing list
<br>
<a class="gmail-m_1092147871139622171moz-txt-link-abbreviated" href="mailto:Openid-specs-fapi@lists.openid.net" target="_blank">Openid-specs-fapi@lists.openid.net</a>
<br>
<a class="gmail-m_1092147871139622171moz-txt-link-freetext" href="http://lists.openid.net/mailman/listinfo/openid-specs-fapi" target="_blank">http://lists.openid.net/mailman/listinfo/openid-specs-fapi</a>
<br>
</blockquote>
</div></blockquote><blockquote type="cite"><div dir="ltr"><span>_______________________________________________</span><br><span>Openid-specs-fapi mailing list</span><br><span><a href="mailto:Openid-specs-fapi@lists.openid.net" target="_blank">Openid-specs-fapi@lists.openid.net</a></span><br><span><a href="http://lists.openid.net/mailman/listinfo/openid-specs-fapi" target="_blank">http://lists.openid.net/mailman/listinfo/openid-specs-fapi</a></span><br></div></blockquote></div>_______________________________________________<br>
Openid-specs-fapi mailing list<br>
<a href="mailto:Openid-specs-fapi@lists.openid.net" target="_blank">Openid-specs-fapi@lists.openid.net</a><br>
<a href="http://lists.openid.net/mailman/listinfo/openid-specs-fapi" rel="noreferrer" target="_blank">http://lists.openid.net/mailman/listinfo/openid-specs-fapi</a><br>
</blockquote></div><br clear="all"><div><br></div>-- <br><div dir="ltr" class="gmail_signature"><div dir="ltr"><div><div dir="ltr"><div dir="ltr"><div dir="ltr"><div dir="ltr"><div dir="ltr"><div style="font-size:1em;font-weight:bold;line-height:1.4"><div style="color:rgb(97,97,97);font-family:"Open Sans";font-size:14px;font-weight:normal;line-height:21px"><div style="font-family:Arial,Helvetica,sans-serif;font-size:0.925em;line-height:1.4;color:rgb(220,41,30);font-weight:bold"><div style="font-size:14px;font-weight:normal;color:rgb(51,51,51);font-family:lato,"open sans",arial,sans-serif;line-height:normal"><div style="color:rgb(0,164,183);font-weight:bold;font-size:1em;line-height:1.4"><div style="font-weight:400;color:rgb(51,51,51);line-height:normal"><div style="color:rgb(0,164,183);font-weight:bold;font-size:1em;line-height:1.4">Dave Tonge</div><div style="font-size:0.8125em;line-height:1.4">CTO</div><div style="font-size:0.8125em;line-height:1.4;margin:0px"><a href="http://www.google.com/url?q=http%3A%2F%2Fmoneyhubenterprise.com%2F&sa=D&sntz=1&usg=AFQjCNGUnR5opJv5S1uZOVg8aISwPKAv3A" style="color:rgb(131,94,165)" target="_blank"><img alt="Moneyhub Enterprise" height="50" src="http://content.moneyhub.co.uk/images/teal_Moneyhub-Ent_logo_200x50.png" title="Moneyhub Enterprise" width="200" style="border: none; padding: 0px; border-radius: 2px; margin: 7px;"></a></div><div style="padding:8px 0px"><div style="padding:8px 0px"><div style="letter-spacing:normal;line-height:normal"><div style="padding:8px 0px"><span style="color:rgb(0,164,183);font-size:11px">Moneyhub Financial Technology, 5th Floor, 10 Temple Back, Bristol, BS1 6FL</span></div><span style="font-size:11px;line-height:15.925px;color:rgb(0,164,183);font-weight:bold">t: </span><span style="font-size:11px;line-height:15.925px">+44 (0)117 280 5120</span><br style="color:rgb(0,164,183);font-size:11px;line-height:15.925px"></div><div style="letter-spacing:normal;line-height:normal"><span style="font-size:11px;line-height:15.925px"><br></span></div><div style="color:rgb(97,97,97);font-family:"Open Sans";letter-spacing:normal"><div style="line-height:1.4"><span style="color:rgb(51,51,51);font-family:lato,"open sans",arial,sans-serif;font-size:0.75em">Moneyhub Enterprise is a trading style of Moneyhub Financial Technology Limited which is authorised and regulated by the Financial Conduct Authority ("FCA"). Moneyhub Financial Technology is entered on the Financial Services Register </span><span style="color:rgb(51,51,51);font-family:lato,"open sans",arial,sans-serif;font-size:0.75em;background-color:transparent">(FRN </span><span style="color:rgb(0,164,183);font-family:lato,"open sans",arial,sans-serif;font-size:10.5px;font-weight:700">809360</span><span style="color:rgb(51,51,51);font-family:lato,"open sans",arial,sans-serif;background-color:transparent;font-size:0.75em">) at <a href="http://fca.org.uk/register" target="_blank">fca.org.uk/register</a>. M</span><span style="color:rgb(51,51,51);font-family:lato,"open sans",arial,sans-serif;background-color:transparent;font-size:10.5px">oneyhub</span><span style="color:rgb(51,51,51);font-family:lato,"open sans",arial,sans-serif;background-color:transparent;font-size:0.75em"> Financial Technology is registered in England & Wales, company registration number </span><span style="color:rgb(51,51,51);font-family:lato,"open sans",arial,sans-serif;background-color:transparent;font-size:0.75em"> </span><span style="font-weight:bold;color:rgb(0,164,183);font-family:lato,"open sans",arial,sans-serif;background-color:transparent;font-size:0.75em">06909772</span><span style="background-color:transparent"><font color="#333333" face="lato, open sans, arial, sans-serif"><span style="font-size:0.75em"> .</span></font></span></div><div style="font-family:lato,"open sans",arial,sans-serif;color:rgb(51,51,51);line-height:1.4"><span style="background-color:transparent;font-size:10.5px">Moneyhub</span><span style="background-color:transparent;font-size:0.75em"> Financial Technology Limited 2018 </span><span style="background-color:transparent;color:rgb(34,34,34);font-family:arial,sans-serif;font-size:x-small">©</span></div><div style="font-family:lato,"open sans",arial,sans-serif;color:rgb(51,51,51);line-height:1.4"><span style="background-color:transparent;font-size:0.75em"><br></span></div><div style="font-family:lato,"open sans",arial,sans-serif;color:rgb(51,51,51);line-height:1.4"><span style="background-color:transparent;font-size:0.75em;color:rgb(136,136,136)">DISCLAIMER: This email (including any attachments) is subject to copyright, and the information in it is confidential. Use of this email or of any information in it other than by the addressee is unauthorised and unlawful. Whilst reasonable efforts are made to ensure that any attachments are virus-free, it is the recipient's sole responsibility to scan all attachments for viruses. All calls and emails to and from this company may be monitored and recorded for legitimate purposes relating to this company's business. Any opinions expressed in this email (or in any attachments) are those of the author and do not necessarily represent the opinions of Moneyhub Financial Technology Limited or of any other group company.</span></div></div></div></div></div></div></div></div></div></div></div></div></div></div></div></div></div></div>