
Strong Customer Authentication - All Your Questions Answered


This deck covers what SCA is, the regulatory requirements, the exemptions, SCA approaches, configuring default authenticators and customizing SCA-based components.

Watch the Webinar On-Demand here -


  1. Strong Customer Authentication: All your questions answered. Sachithra Dangalla, Software Engineer, WSO2 Open Banking Team
  2. Agenda
     ● What is SCA?
     ● The RTS for SCA
     ● Exemptions from SCA
     ● SCA Approaches
     ● Configuring default authenticators
     ● Customizing SCA based components
       ○ Implementing custom authenticators
       ○ Customizing Key Manager Extension
  3. What is Strong Customer Authentication? Authentication = verifying the identity of a user. Strong Customer Authentication = authenticating by using at least 2 out of the 3 elements (authentication factors):
     ● Knowledge: password, PIN, ID number
     ● Possession: key, mobile device, token or smart card
     ● Inherence: fingerprint, face or voice recognition
  4. RTS for SCA and CSC under PSD2 (EBA-RTS-2017-02): 6 chapters, ~32 articles
     ● General Provisions
     ● Security Measures for the Application of Strong Customer Authentication
     ● Exceptions from Strong Customer Authentication
     ● Confidentiality and Integrity of the Payment Service Users’ Personalized Security Credentials
     ● Common and Secure Open Standards of Communication
     ● Final Provisions
  5. Exemptions from SCA: when SCA is exempted (example flow shown on the slide)
     ● Transaction amount > 10000 SGD: Basic Authentication, then SMS OTP Authentication, then Authenticated
     ● Transaction amount < 10000 SGD: Basic Authentication, then Authenticated
  6. SCA Approaches: Redirect Approach (diagram: AISP, Bank, AISP)
  7. SCA Approaches: Decoupled Approach (diagram: AISP, AISP, Bank)
  8. SCA Approaches: Embedded Approach (diagram: AISP and Bank; the AISP passes the user credentials to the Bank and receives the authentication result)
  9. WSO2 Open Banking
  10. • SCA Approach defines the high-level functionality
      • SCA methods define more granular functionality
      • Authenticator = implementation of an SCA method
      • Authenticators: local and federated authenticators
        Local: Basic / IWA (zero-password login) / FIDO (Fast IDentity Online)
        Federated: SAML2 / OIDC / MePIN / Email OTP / SMS OTP
  11. Implementing Custom Authenticators. Implementation guide:
      • Local authenticator: cator
      • Federated authenticator: henticator
  12. Implementing Custom Authenticators
      ● Custom authenticator:
        ○ .jar file ~ authenticator logic
        ○ .war ~ user interfaces
      ● Copy the .jar file to the <wso2_obkm>/repository/components/dropins directory and restart the Key Manager component.
      ● Copy the .war file to the <wso2_obkm>/repository/deployment/server/webapps directory and make sure the web application deployed successfully by checking the Key Manager logs.
  13. Configure Custom Authenticators
      • Add an AuthenticatorConfig element to the application-authentication.xml file in the <wso2_obkm>/repository/conf/identity/ directory; in it you can define parameters that are used in the implementation of the authenticator.
        <AuthenticatorConfig name="FacebookAuthenticator" enabled="true">
          <Parameter name="AuthTokenEndpoint"></Parameter>
          <Parameter name="AuthnEndpoint"></Parameter>
        </AuthenticatorConfig>
  14. Configuring Default Authenticators
  15. Configuring Default Authenticators
  16. Demo
  17. Open Banking Flows: login and accessing account information via a web/mobile application (flow diagram, steps 1-7: initiation of the account information request, login page, 2-factor authentication, customer consent, token issuance, get account information with the token)
  18. Multi-step and multi-option: configuration per application
      • Multi-Step: add any number of authentication steps
      • Multi-Option: add any number of authenticators for a step
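Slide 3 states the rule that SCA needs at least two of the three factor categories, and slide 18 describes multi-step, multi-option configuration. The combination of the two has a pitfall worth checking: with several options per step, a user may pick two authenticators from the same category (for example password in step 1 and PIN in step 2), which is not SCA even though two steps were completed. The script below is an added example, not code from the deck or from WSO2; the authenticator names and their category mapping are assumptions for illustration, and the step configurations are constructed. It enumerates every path a user could take through a multi-step/multi-option configuration and reports the paths that fail the two-of-three rule.

```python
"""Added example (not from the WSO2 deck): checks the SCA "two of three
factor categories" rule for a list of authenticators and lints a
multi-step / multi-option configuration so that every path a user can
take through the steps still yields SCA.

The authenticator names and the factor mapping below are assumptions
for illustration; they are not WSO2 configuration keys.
"""
from itertools import product

# Assumed mapping: authenticator name -> SCA factor category
# (the three categories from slide 3: knowledge, possession, inherence).
FACTOR_OF = {
    "basic": "knowledge",        # username + password
    "pin": "knowledge",
    "sms_otp": "possession",     # code sent to the registered phone
    "email_otp": "possession",
    "fido": "possession",        # hardware / platform authenticator
    "fingerprint": "inherence",
    "face": "inherence",
}


def factors(methods):
    """Return the distinct factor categories covered by the authenticators."""
    unknown = [m for m in methods if m not in FACTOR_OF]
    if unknown:
        raise ValueError(f"unknown authenticator(s): {unknown}")
    return {FACTOR_OF[m] for m in methods}


def is_sca(methods):
    """SCA holds when at least two *different* categories are used.
    Two knowledge factors (password + PIN) do not qualify."""
    return len(factors(methods)) >= 2


def weak_paths(steps):
    """steps: list of steps, each a list of alternative authenticators
    (multi-step = number of steps, multi-option = options per step).
    A user completes exactly one option per step, so every element of
    the cartesian product is a path the user could take.
    Returns the paths that do NOT satisfy SCA."""
    return [list(path) for path in product(*steps) if not is_sca(path)]


def config_is_sca(steps):
    """True only if every possible path through the configuration is SCA."""
    return not weak_paths(steps)


if __name__ == "__main__":
    # Constructed configurations: two steps, several options per step.
    good = [["basic"], ["sms_otp", "fingerprint"]]
    bad = [["basic", "sms_otp"], ["pin", "fingerprint"]]
    print(config_is_sca(good))   # True: every path covers two categories
    print(weak_paths(bad))       # [['basic', 'pin']]: both are knowledge
```

Running the linter over a proposed per-application configuration before deploying it catches the "two knowledge factors" case that a simple "number of steps >= 2" check would miss.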
  19. Customizing Key Manager Extension
      ● Further flexibility can be achieved by customizing the Key Manager extension
        ○ Set different combinations of authenticators
        ○ Set different authenticators for production and sandbox applications
        ○ Set authenticators dynamically under different circumstances
  20. Customizing Key Manager Extension
      ● Create a custom Java component and add the below dependencies
        ○
        ○ org.wso2.carbon.apimgt.impl
      ● The Java class should extend “SCABasedKeyManagerClient”
      ● Override the method “setAuthenticators”
  21. Customizing Key Manager Extension
      • Build the module and add the component in OB-APIM/repository/components/dropins.
      • Modify the <KeyManagerClientImpl> element in api-manager.xml in the OB-APIM/repository/conf/ directory with the FQN of your extended class:
        <APIKeyManager>
          <KeyManagerClientImpl>com.wso2.sample.SampleKeyManagerClient</KeyManagerClientImpl>
        </APIKeyManager>
  22. Upcoming Webinars
      • Webinar 4: OBIE Directory Integration - A Technical Deep Dive - May 7
      • Webinar 5: PISP journey based on Open Banking UK - May 8
      • Webinar 6: Verify Your Conformance Against OBIE - May 9
      • All webinars will be at 10.00 a.m. GMT.
  23. Additional Resources: More Information / Try out WSO2 Open Banking / Get in Touch / Solution RoadMap / How WSO2 Open Banking Adheres to the Open Banking UK Standard / What’s new in WSO2 Open Banking
  24. THANK YOU