
Extending OAuth2 to meet PSD2 Identity Security Requirements

Expert Talk
Wednesday, May 16, 2018 17:30—18:30
Location: WINTER GARDEN

The new Payment Services Directive 2 is compelling European banking actors to open their services to outside partners. Most banking actors were not fully ready to expose services that had, until then, been kept strictly for internal use. Some initiatives, such as Open Banking (UK) and STET (FR), have established OAuth2 as the main standard for authentication, authorization and user consent. However, not all requirements can be directly addressed by the current state of the specifications. Despite some additions by the Financial API initiative, such as TLS certificate authentication, a few issues still elude the standards.

Is there a way to handle out-of-band authentication for the user without forcing multiple redirections on their device? Which implementation of OAuth2 can provide an answer for business-driven authentication step-up at run time and for transaction-based authentication? Is there a way to make the user experience simpler and lighter during authentication, avoiding window flickering on mobile devices, while keeping the right security level?

In this session we will explain the PSD2 requirements on customer authentication and what they imply for banks, and we will also shed light on some of the answers that were found where the standards fell short.

Key Takeaways:

Michel Girier
Wavestone
I graduated from Supelec, with a major in network and systems security. I have been working as a consultant for Wavestone, the French consulting firm, for 12 years, in security matters...