Client-Initiated Backchannel Authentication (CIBA): Pioneering Decoupled Authentication in Open Banking
By Omar Ismail, Digitinary
Introduction
In the rapidly evolving landscape of digital finance, ensuring secure and seamless user authentication is paramount. Traditional authentication methods often rely on direct user interaction with the device initiating the transaction, which can be limiting in scenarios where such interaction isn't feasible. Enter Client-Initiated Backchannel Authentication (CIBA), a specification developed by the OpenID Foundation to address these challenges by enabling decoupled authentication flows.
Understanding CIBA
CIBA is an extension of the OpenID Connect protocol that allows a client (such as a banking application) to initiate an authentication request directly with the OpenID Provider (OP) without requiring the user's immediate interaction on the initiating device. This decoupled approach is particularly useful in situations where the user cannot interact with the client device, such as during a phone call with a customer service representative or when using devices with limited input capabilities.
Key components of the CIBA flow include:
Consumption Device: The device initiating the authentication request (e.g., a call center agent's terminal).
Authentication Device: The user's device where they receive the authentication prompt (e.g., a smartphone).
Backchannel Authentication Endpoint: An endpoint exposed by the OP to receive authentication requests from clients.
Token Delivery Modes: Mechanisms by which the OP communicates the authentication result to the client, including Poll, Ping, and Push modes.
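To make the Poll delivery mode concrete, here is an added example (not Digitinary's code and not the Digi Authorization Server): a constructed stand-in OP exposing the backchannel authentication and token endpoints, and a consumption-device client that polls with the CIBA grant type and handles the authorization_pending, slow_down, access_denied and expired_token responses defined by the CIBA Core specification. The user hint, binding message, clock values and intervals are constructed for the simulation; no real sleeping or network calls occur.

```python
import secrets
CIBA_GRANT = "urn:openid:params:grant-type:ciba"

class OpenIDProvider:  # constructed stand-in for an OP's backchannel + token endpoints (poll mode)
    def __init__(self, interval=5, expires_in=120):
        self.interval, self.expires_in, self.reqs = interval, expires_in, {}
    def backchannel_authentication(self, params, now):
        # scope MUST include "openid"; exactly one hint identifies the end user
        hints = [h for h in ("login_hint", "login_hint_token", "id_token_hint") if h in params]
        if "openid" not in params.get("scope", "").split() or len(hints) != 1:
            return {"error": "invalid_request"}
        auth_req_id = secrets.token_urlsafe(32)
        self.reqs[auth_req_id] = {"status": "pending", "last_poll": None, "expires_at": now + self.expires_in}
        return {"auth_req_id": auth_req_id, "expires_in": self.expires_in, "interval": self.interval}
    def user_decides(self, auth_req_id, approved):  # answer given on the authentication device (phone)
        self.reqs[auth_req_id]["status"] = "approved" if approved else "denied"
    def token(self, params, now):
        req = self.reqs.get(params.get("auth_req_id"))
        if params.get("grant_type") != CIBA_GRANT or req is None:
            return {"error": "invalid_grant"}
        if now >= req["expires_at"]:
            return {"error": "expired_token"}
        last, req["last_poll"] = req["last_poll"], now
        if last is not None and now - last < self.interval:
            return {"error": "slow_down"}            # client polled faster than the advertised interval
        if req["status"] == "pending":
            return {"error": "authorization_pending"}
        if req["status"] == "denied":
            return {"error": "access_denied"}
        return {"access_token": secrets.token_urlsafe(24), "token_type": "Bearer"}

def poll_for_token(op, start, clock, decide=lambda n: None, max_polls=8):
    """Consumption-device side: poll the token endpoint, honouring interval and backing off on slow_down."""
    interval = start.get("interval", 5)
    for polls in range(1, max_polls + 1):
        decide(polls)                               # simulates the user answering on the phone
        resp = op.token({"grant_type": CIBA_GRANT, "auth_req_id": start["auth_req_id"]}, clock[0])
        if resp.get("error") == "slow_down":
            interval += 5                           # spec: wait interval + 5 s after slow_down
        elif resp.get("error") != "authorization_pending":
            return resp, polls
        clock[0] += interval                        # simulated wait instead of time.sleep
    return {"error": "client_timeout"}, max_polls

def run_flow(approved=True, decide_on_poll=3):
    op, clock = OpenIDProvider(), [1000.0]         # clock is a list so the poller can advance it
    start = op.backchannel_authentication({"scope": "openid payments", "login_hint": "user@example.com",
                                           "binding_message": "Pay EUR 42.00 to ACME"}, clock[0])
    decide = lambda n: op.user_decides(start["auth_req_id"], approved) if n == decide_on_poll else None
    return poll_for_token(op, start, clock, decide)
```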
CIBA in Open Banking
Open Banking initiatives, particularly in regions like Europe under PSD2, have emphasized the need for secure and user-friendly authentication mechanisms. CIBA aligns well with these requirements by facilitating Strong Customer Authentication (SCA) in a decoupled manner.
For instance, when a user initiates a payment through a third-party provider, CIBA allows the authentication to occur on a separate device, ensuring both security and convenience. This approach not only enhances user experience but also complies with regulatory standards demanding robust authentication processes.
Digitinary's Role in Advancing CIBA in the Middle East
At Digitinary, we recognize the transformative potential of CIBA in the realm of Open Banking. Our team is dedicated to developing solutions that leverage CIBA to provide secure, efficient, and user-centric authentication experiences.
Our initiatives include:
Integration with Digi Authorization Server: Implementing CIBA flows within the Digi Authorization identity management system to support decoupled authentication scenarios.
Push Notification Strategies: Developing strategies for delivering authentication prompts via Firebase, Apple Push Notification Service (APNs), and Huawei Push Kit, ensuring broad device compatibility.
Compliance with OpenID Standards: Ensuring our implementations adhere to the OpenID Foundation's specifications, promoting interoperability and security.
By focusing on these areas, Digitinary aims to be at the forefront of Open Banking advancements in the Middle East, providing financial institutions with the tools necessary to meet modern authentication challenges.
Conclusion
CIBA represents a significant step forward in authentication protocols, offering a flexible and secure method for user verification that aligns with the needs of contemporary digital services. As Open Banking continues to evolve, embracing standards like CIBA will be crucial for institutions aiming to provide secure and seamless user experiences.
Digitinary is committed to pioneering these advancements, ensuring that the Middle East remains at the cutting edge of Open Banking innovations.