Currently the InfoSec documentation specifies that the Hybrid flow MUST be supported but is unopinionated on how authentication is actually to be performed by the data provider.
Previously in Decision Proposal #35 it was determined that, at a high level, a pure Redirect model would not be supported due to the increased risk of phishing attacks by educating customers to enter their full credentials in screens that they are unable to verify beyond visual branding.
This previous decision stated the following (Refer to the original discussion thread for context):
The authentication flow will not be left to the discretion of the data provider
This decision was taken to facilitate a uniform and consistent customer experience across the regime, to ensure a consistent level of security and to minimise the number of variations that need to be accommodated by data consumers.
The Redirect model will not be used in isolation
Due to concerns around increased risk of phishing, the Redirect model (option 1 as presented in the initial proposal) will not be supported. It should be noted, however, that in an app to app context option 2 and option 1 are essentially the same process.
The flow will facilitate the data provider receiving direct communication from the initiating device
To allow for device identification and behavioural monitoring techniques the flow will facilitate direct communication from the initiating customer device without interception by the data consumer.
These decisions should be assumed to still be applicable to the standard. Any authentication performed by a data provider should be conducted by referring the customer to manually transition to an appropriate existing channel that the customer is already familiar with. Completion of consent should be conducted in the known channel and the customer should then be asked to transition back to the initial redirect screens for completion of the consent flow.
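As an added illustration of the Hybrid flow referred to above (example code, not part of this proposal or the standard's own text), the snippet below builds a `response_type=code id_token` authorization request and shows the checks a data consumer can run on the front-channel ID token before redeeming the code: the `c_hash` and `s_hash` claims bind the token to the code and state that arrived with it, so a substituted code or state is detected. Endpoint and client values are constructed placeholders, ID-token signature verification against the provider's JWKS is assumed to have been done already, and a SHA-256 based signing algorithm (such as PS256) is assumed for the half-hash computation.

```python
import base64
import hashlib
import secrets
from urllib.parse import urlencode

# Constructed placeholder; not a real data provider endpoint.
AUTHORIZE_ENDPOINT = "https://data-provider.example/oauth/authorize"


def build_hybrid_request(client_id: str, redirect_uri: str, scope: str) -> tuple[str, dict]:
    """Build an OIDC Hybrid flow authorization URL (response_type=code id_token).
    Returns the URL and the state/nonce the data consumer must retain for later checks."""
    session = {"state": secrets.token_urlsafe(16), "nonce": secrets.token_urlsafe(16)}
    params = {
        "response_type": "code id_token",
        "client_id": client_id,
        "redirect_uri": redirect_uri,
        "scope": scope,
        "state": session["state"],
        "nonce": session["nonce"],
    }
    return f"{AUTHORIZE_ENDPOINT}?{urlencode(params)}", session


def half_hash(value: str) -> str:
    """Left-most half of SHA-256(value), base64url-encoded without padding
    (OpenID Connect Core 3.3.2.11). Assumes a SHA-256 based ID token algorithm."""
    digest = hashlib.sha256(value.encode("ascii")).digest()
    return base64.urlsafe_b64encode(digest[: len(digest) // 2]).rstrip(b"=").decode("ascii")


def check_front_channel_response(claims: dict, code: str, state: str, session: dict) -> list[str]:
    """Check the (already signature-verified) front-channel ID token claims against the
    code and state received alongside it. Returns a list of binding failures; empty is good."""
    failures = []
    if state != session["state"]:
        failures.append("state mismatch")                 # response not for this session
    if claims.get("nonce") != session["nonce"]:
        failures.append("nonce mismatch")                 # token replayed from another request
    if claims.get("c_hash") != half_hash(code):
        failures.append("c_hash does not match code")     # code substituted in transit
    if claims.get("s_hash") != half_hash(state):
        failures.append("s_hash does not match state")    # state substituted in transit
    return failures
```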
The specific CX guidelines for this flow, if any are prescribed, will be defined by the CX work stream.
If there are queries or if clarification is required please post below.
-JB-