Summary:
There are different authentication flows in today's financial world. To give our clients the best customer experience with Strong Customer Authentication (SCA), it is necessary to introduce the "Instant action".
Where applied?
Web Banking Authentication. (laptop/mobile)
TPP app access to account information and payment initiation (AISP/PISP flows via redirect).
General feature overview (described flows):
Case 1: QR code/Deep link flow (scanning QR from laptop or accessing Deep Link from smartphone with Salt Edge Authenticator):
Step 1: User sees an authentication page with a) credential field(s) (either to just authenticate, or to give a TPP access to account information or payment initiation via the standard redirect flow), and b) a personalized QR code (or Deep Link) to authenticate with, together with an instruction to use Salt Edge Authenticator and scan the QR code (or tap the Deep Link).
Step 2: User either opens Salt Edge Authenticator to scan the QR code (new button on the “Authorizations” page) or accesses the Deep Link directly (from the mobile browser).
Step 3 (optional): After scanning the QR code or accessing the Deep Link, if the user has more than one similar connection in the Salt Edge Authenticator app, the app shows a pop-up window to select the specific Service Provider (Connection).
Step 4: The Salt Edge Authenticator app shows a “spinner” with the title “Authenticating for action”.
Step 5: If SCA is NOT required for the specific action, the app shows the final status “Successfully authenticated”. If SCA IS required, the user goes directly from the loading screen to the “Authorization request” screen.
Case 2: App-to-app authentication with deep link redirect flow from a TPP app (switch to Salt Edge Authenticator while redirecting to the service provider authentication page, once initiated from the TPP app):
Step 1: User has to authenticate to allow the TPP access to account information or payment initiation. The TPP either uses the standard redirect flow right away, or proposes that the user choose an authentication method from 3 options: 1) use the redirect link, 2) scan a QR code, and 3) Deep Link to Salt Edge Authenticator (optional, shown if it is detected that the user is in a mobile browser).
Step 2: User either scans the QR code with Salt Edge Authenticator, or taps the “Deep Link”. As a result, Salt Edge Authenticator starts processing the instant action right away.
Step 3 (optional): After Deep Link processing, if the user has more than one similar connection in the Salt Edge Authenticator app, the app shows a pop-up window to select the specific Service Provider (Connection).
Step 4: The Salt Edge Authenticator app shows a “spinner” with the title “Authenticating for action”.
Step 5: If SCA is NOT required for the specific action, the app shows the final status “Successfully authenticated”. If SCA IS required, the user goes directly from the loading screen to the “Authorization request” screen.
Workload (plan):
Implement the logic for the "Instant action" according to the following specifications:
The Deep Link (QR code) consists of the “is_url” and the “action_id”.
Salt Edge Authenticator app: has a new feature on the “Authorizations” page - “Scan QR”.
If SCA is NOT required for the specific action, the app shows the final status “Successfully authenticated”.
If SCA IS required, the user goes directly from the loading screen to the “Authorization request” screen.
Issues for Salt Edge Authenticator:
Identity Service: receives the request to the “is_url” with the “action_id” and “access_token”, and processes the request. As soon as the user is identified by the “access_token”, the Identity Service initiates an action which results in an “authorization_request” to cover the SCA flow, if applicable.
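The request handling described above, as an added illustration that is not the project's own code: a Deep Link carrying "is_url" and "action_id" is parsed on the app side, and a stand-in Identity Service endpoint identifies the user by "access_token", consumes the action once, and answers either with plain success (no SCA) or with an "authorization_id" (SCA required). The deep-link scheme, the in-memory stores and the response shape are assumptions for this example.

```python
from urllib.parse import urlparse, parse_qs
import secrets

# Constructed deep-link format for this example (assumed, not the product's real scheme):
# authenticator://saltedge.com/action?is_url=<Identity Service URL>&action_id=<id>
def parse_deep_link(link):
    """Extract is_url and action_id; reject links whose is_url is not https."""
    u = urlparse(link)
    if u.scheme != "authenticator" or u.path != "/action":
        return None
    q = parse_qs(u.query)
    is_url = q.get("is_url", [None])[0]
    action_id = q.get("action_id", [None])[0]
    if not is_url or not action_id or urlparse(is_url).scheme != "https":
        return None  # the app must never send its access_token to a non-TLS or malformed is_url
    return {"is_url": is_url, "action_id": action_id}


class IdentityService:
    """Hypothetical stand-in for the Identity Service endpoint that accepts action_id + access_token."""

    def __init__(self, tokens, actions):
        self.tokens = tokens          # access_token -> user_id (session store stand-in)
        self.actions = actions        # action_id -> {"sca_required": bool, "used": bool}
        self.authorizations = {}      # authorization_id -> action_id

    def handle_action(self, action_id, access_token):
        user_id = self.tokens.get(access_token)
        if user_id is None:
            return {"status": 401, "error": "invalid access_token"}
        action = self.actions.get(action_id)
        if action is None:
            return {"status": 404, "error": "unknown action_id"}
        if action["used"]:
            return {"status": 409, "error": "action_id already consumed"}
        # Single use: a QR code / Deep Link that was already scanned cannot be replayed.
        action["used"] = True
        action["user_id"] = user_id   # bind the identified user to the pending action
        if not action["sca_required"]:
            return {"status": 200, "success": True}   # app shows "Successfully authenticated"
        # SCA required: create the authorization request the app will open next.
        authorization_id = secrets.token_hex(8)
        self.authorizations[authorization_id] = action_id
        return {"status": 200, "success": True, "authorization_id": authorization_id}
```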
Task - Identity Service:
[x] Implement the API endpoint to accept and process the “is_url” and “action_id”;
[x] Request to initiate the action for the identified user;
[x] Provide either just a response to the Salt Edge Authenticator when SCA is NOT required, or a response with the “authorization_id” if SCA IS required;
[x] Create request-response examples of the 3 proposed options: send QR code, send Deep Link, send redirect_url;
[ ] Describe the behavior in the API documentation;
[ ] @alex.lobaciov Describe the process in words on the WIKI, and draw a sequence diagram with explanations;
[ ] @alex.lobaciov Since we introduce the “Instant action”, our “Dynamic connect” feature can be renamed to “Instant enrollment”, so that the word “instant” is the common theme of the 2 new features.