Strong Customer Authentication - All Your Questions Answered
3 likes361 views
The document outlines Strong Customer Authentication (SCA), emphasizing the need for at least two of three authentication factors: knowledge, possession, and inherence. It details regulatory technical standards (RTS) for SCA, exemptions, and various approaches to implementing SCA in open banking, including custom and default authenticators. Additionally, it provides guidelines for configuring authenticator components and highlights upcoming webinars related to open banking.
Strong Customer Authentication - All Your Questions Answered
- 1. Strong Customer Authentication Sachithra Dangalla Software Engineer WSO2 Open Banking Team All your questions answered
- 2. Agenda ● What is SCA? ● The RTS for SCA ● Exemptions from SCA ● SCA Approaches ● Configuring default authenticators ● Customizing SCA based components ○ Implementing custom authenticators ○ Customizing Key Manager Extension
- 3. What is Strong Customer Authentication? Authentication Factors Password, PIN, ID number Key, mobile device, token or Smart card Fingerprint, face or voice recognition Knowledge Possession Inherence Authentication = Verifying the identity of a user Strong customer Authentication = Authenticating by using at least 2 out of the 3 elements
- 4. RTS for SCA https://eba.europa.eu/documents/10180/1761863/Final+draft+RTS+on+SCA+ and+CSC+under+PSD2+%28EBA-RTS-2017-02%29.pdf 6 Chapters ~ 32 Articles ● General Provisions ● Security Measures for the Application of Strong Customer Authentication ● Exceptions from Strong Customer Authentication ● Confidentiality and Integrity of the Payment Service Users’ Personalized Security Credentials ● Common and Secure Open Standards of Communication ● Final Provisions
- 5. When SCA is exempted: Exemptions from SCA Transaction amount > 10000 SGD Transaction amount < 10000 SGD Basic Authentication SMS OTP Authentication Basic Authentication Authenticated Authenticated
- 6. SCA Approaches Redirect Approach AISP Bank AISP
- 7. SCA Approaches Decoupled Approach AISP AISP Bank
- 8. SCA Approaches Embedded Approach AISP AISP Bank User credentials Authentication result
- 10. • SCA Approach defines the high level functionality • SCA methods define more granular functionality • Authenticator = SCA methods implementation • https://store.wso2.com/store/assets/isconnector/list Authenticators • Local and federated authenticators Local: Basic / IWA (zero password login) / FIDO (First Identity Online) Federated: SAML2/ OIDC / MePIN / Email OTP / SMS OTP
- 11. Implementation guide: • Local authenticator: https://docs.wso2.com/display/IS570/Writing+a+Custom+Local+Authenti cator • Federated authenticator: https://docs.wso2.com/display/IS570/Writing+a+Custom+Federated+Aut henticator Implementing Custom Authenticators
- 12. ● Custom authenticator: ○ .jar file ~ authenticator logic ○ .war ~ user interfaces ● Copy the .jar file to <wso2_obkm>/repository/components/dropins directory and restart the Key Manager component. ● Copy the .war file to <wso2_obkm>/repository/deployment/server/webapps directory and make sure web application deployed successfully from the Key manager logs. Implementing Custom Authenticators
- 13. • Add a authenticator config element to the application-authentication.xml file in the <wso2_obkm>/repository/conf/identity/ directory and you can define and parameters that could be used in the implementation of authenticator. Configure Custom Authenticators <AuthenticatorConfig name="FacebookAuthenticator" enabled="true"> <Parameter name="AuthTokenEndpoint">https://graph.facebook.com/abcd</Parameter> <Parameter name="AuthnEndpoint">http://www.facebook.com/dialog/oauth</Parameter> </AuthenticatorConfig>
- 17. Open Banking Flows Login and accessing account information via web/mobile application Initiation account info Login page 2 Factor authentication Customer consent Token Get account information Web/Mobile Apps Token 1 2 3 4 5 6 7
- 18. Multi-step and multi-option Configuration per application Multi-Step : Add any number of authentication steps Multi-Option : Add any number of authenticators for a step
- 19. ● Further flexibility can be achieved by customizing the key manager extension ○ Set different combinations of authenticators ○ Set different authenticators for production and sandbox applications ○ Set authenticators dynamically under different circumstances Customizing Key Manager Extension
- 20. ● Create a custom java component and add the below dependencies ○ com.wso2.finance.open.banking.sca.keymanager ○ org.wso2.carbon.apimgt.impl ● Java class should extend “SCABasedKeyManagerClient” ● Override method “setAuthenticators” Customizing Key Manager Extension
- 21. • Build the module and add the component in OB-APIM/repository/components/dropins. • Modify the <KeyManagerClientImpl> element in api-manager.xml of OB-APIM/repository/conf/ directory with FQN of your extended class Customizing Key Manager Extension <APIKeyManager> <KeyManagerClientImpl>com.wso2.sample.SampleKeyManagerClient</KeyManagerClientImpl> </APIKeyManager>
- 22. Upcoming Webinars • Webinar 4: OBIE Directory Integration - A Technical Deep Dive - May 7 • Webinar 5: PISP journey based on Open Banking UK - May 8 • Webinar 6: Verify Your Conformance Against OBIE - May 9 • All webinars will be at 10.00 a.m. GMT.
- 23. Additional Resources More Information http://wso2.com/solutions/financial/open-banking/ Try out WSO2 Open Banking https://openbanking.wso2.com Get in Touch openbankingdemo@wso2.com Solution RoadMap How WSO2 Open Banking Adheres to the Open Banking UK Standard What’s new in WSO2 Open Banking