Following the revised Payment Service Directive (PSD2), banks in the EEA are required to enable their customers (users) to grant third party providers (TPPs) the right to

  • Access customer account information
  • Initiate payments on behalf of the customers.

Such access must be based on Strong Customer Authentication (SCA).

In parallel, many banks have shown some interest in electronic identification and (qualified) trust services as per the eIDAS Regulation (EU) 910/2014.

This article briefly describes a solution for an Identity Provider (IdP) that can be used to manage such access to privileged user resources and leverage existing authentication methods provided by one or several authentication / eID schemes. Typically, such an IdP solution is managed by the bank.

The general goal is to enable end-users to grant TPPs access to privileged information / transactions provisioned by a resource owner. The user is required to provide explicit consent and be duly authenticated by an eID scheme before such information can be passed on to an entrusted TPP.

High-level Overview

To make this possible and allow for seamless communication with multiple eID Schemes and TPPs, we introduce an Identity Provider (IdP). An IdP is a server that handles registration, authentication, authorization and token requests.

PSD2 eIDAS relationship

In this ecosystem, the IdP server receives an authorization request from a TPP that needs access to services from the Resource Owner. The service displays the resources to the end user, which (s)he can choose to give the TPP access to. Following the user’s selections, the eID Scheme signing dialog is used by the user to provide non-repudiable consent for the TPP to access the user’s resources at the Resource Owner.

The eID Scheme may be based on existing authentication and signing services, but it may also be a notified eID scheme in the sense of eIDAS.

Application in a PSD2 context (Embracing Open Banking PSD2)

This architecture applies particularly well in the banking industry. In a PSD2 scheme, the bank is the Resource Owner. This allows third parties known as Payment Initiation Service Providers (PISPs) to access customer accounts directly through a standard API. PSD2 further opens the path to what is known as Open Banking APIs.

Role of the IdP

The purpose of the IdP is to authenticate and authorize the TPP to act on behalf of the end user towards the Resource Owner such as a bank.

The server receives an authorization request from an organization (TPP) that needs access to services provided by the Resource Owner. The service displays to the end user the resources, which (s)he can choose to give the organization access to. Following the user’s selection, the eID scheme dialog allows the user to provide non-repudiable consent for the organization to access the user’s resources at the bank.

This involves two steps.

  1. Firstly, the end user must agree to grant the particular TPP access to the services and information in question. Based on such consent, the IdP may authorize the TPP with these permissions.
  2. Secondly, in order to actually access the services, the TPP must be authenticated to the bank, to ensure that only authorized TPPs get access.

An additional important feature is to provide evidence demonstrating that both of these steps have been executed properly. To this end, a signed PDF document is produced to record the fact that the user gave the TPP access to a specific set of resources.
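The two steps above, modelled as an added illustration (not the vendor's product code): step 1 accepts a consent only when the user's signature over the exact resource set verifies and keeps a hash of the signed record as evidence; step 2 issues a token only to a TPP that authenticates and holds such a consent. HMAC with a shared user key stands in for the eID scheme's signature, and a client secret stands in for TPP authentication; all names and keys are constructed.

```python
"""Toy IdP: signed user consent (step 1) and authenticated TPP token issuance (step 2).
Added example; HMAC and client secrets are stand-ins for eID signatures and TPP auth."""
import hashlib, hmac, json, secrets

def consent_record(user, tpp_id, resources):
    """Canonical bytes the user signs: user, TPP and the exact resource set."""
    return json.dumps({"user": user, "tpp": tpp_id, "resources": sorted(resources)},
                      sort_keys=True).encode()

def sign_consent(user_key, user, tpp_id, resources):
    """User-side signature over the consent record (HMAC stands in for the eID signature)."""
    return hmac.new(user_key, consent_record(user, tpp_id, resources), "sha256").hexdigest()

class IdP:
    def __init__(self):
        self.tpps = {}      # tpp_id -> client secret (constructed registration data)
        self.consents = {}  # tpp_id -> (user, frozenset(resources), evidence hash)
        self.tokens = {}    # token -> (tpp_id, frozenset(resources))

    def register_tpp(self, tpp_id, secret):
        self.tpps[tpp_id] = secret

    def grant_consent(self, user, user_key, tpp_id, resources, signature):
        """Step 1: record the consent only if the user's signature verifies; return evidence hash."""
        record = consent_record(user, tpp_id, resources)
        expected = hmac.new(user_key, record, "sha256").hexdigest()
        if not hmac.compare_digest(expected, signature):
            return None  # tampered or mismatched resource set: no consent, no evidence
        evidence = hashlib.sha256(record + signature.encode()).hexdigest()
        self.consents[tpp_id] = (user, frozenset(resources), evidence)
        return evidence

    def issue_token(self, tpp_id, secret):
        """Step 2: the TPP must authenticate and hold a recorded consent before getting a token."""
        if tpp_id not in self.tpps or not hmac.compare_digest(self.tpps[tpp_id], secret):
            return None  # unknown or unauthenticated TPP
        if tpp_id not in self.consents:
            return None  # authenticated, but the user never consented
        token = secrets.token_hex(16)
        self.tokens[token] = (tpp_id, self.consents[tpp_id][1])
        return token

    def authorize(self, token, resource):
        """Resource Owner-side check: token known and resource inside the consented set."""
        entry = self.tokens.get(token)
        return entry is not None and resource in entry[1]
```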

Furthermore, the solution allows the end-user to sign a transaction (or document) through the IdP, in compliance with eIDAS.

Conclusion

The IdP method described above is designed to help banks provide value-added services in compliance with PSD2. By leveraging existing eID schemes and their eIDAS trust services, it is possible to deliver a compelling user experience in a highly cost-effective manner. To anchor the bank's position as a strategic trust partner in financial transactions, particular attention was paid to security and non-repudiation, as well as scalability and interoperability.

The described solution can be a strong enabler to allow banks to lead the PSD2 revolution.

For more information on the technology described above, please feel free to contact us.



Image: Bridge, courtesy of Victor Camilo, Flickr (CC BY-ND 2.0)
