Authentication is the process or action of verifying the identity of a user or process. This is in contrast with identification, which is simply the act of indicating a person or thing's identity. Authentication is the process of verifying that identity. As the driving requirement of PSD2ClosedRevised Payment Services Directive 2 PSD2 provides the legislative and regulatory foundation for Open Banking and other broader initiatives at a UK and European level relating to open access to payment accounts. The European Banking Authority (EBA) recently extended the deadline for PSD2 compliance until December 31, 2020., SCAClosedStrong customer authentication (SCA) is a requirement of the EU Revised Directive on Payment Services (PSD2) on payment service providers within the European Economic Area. The requirement ensures that account access for information and electronic payments is safeguarded by multi-factor authentication. insists on multi-factor authentication— an authentication method in which computer users are granted access only after successfully presenting two or more pieces of evidence (or factors) proving their identity to an authentication mechanism. As shown in the illustration below (hover to enlarge), these factors can be:

  • knowledge – something the user and only the user knows
  • possession – something the user and only the user has
  • inherence – something the user and only the user is.

When your customers make a payment with their chip-and-PIN card at the supermarket, they are already using SCA (something they know plus something they have). The idea of SCA in Open BankingClosedProvides third-party financial service providers open access to consumer banking, transaction, and other financial data from banks and non-bank financial institutions through the use of application programming interfaces (APIs). Open banking will allow the networking of accounts and data across institutions for use by consumers, financial institutions, and third-party service providers. is to provide the same or better level of security (for instance, EVMClosedSecurity standard for storing account information on credit cards. It’s an alternative to the magnetic stripe (mag stripe) that has traditionally been used to store information on the backs of cards in the United States. EMV stands for “Europay, Mastercard, and Visa,” the three companies who began this initiative.) when users log into their online banking system or a third-party personal finance management app.

In the context of PSD2, SCA applies to “customer-initiated” online payments within Europe. AISClosedAccount Information Service – supports TPP secure access to customer accounts and data, but only with the bank-verified consent of the customer. queries and all PISClosedPayment Initiation Service – with the consent of the end-user, initiates a payment from a user-held account upon user authentication. transfers require SCA. For merchant-initiated recurring payments (also called standing orders), strong authentication is required to initiate the banker's order, but not for subsequent payments made on the approved date(s) or frequency included in the original instructions.

The following diagram shows the most common models for TPP support of SCA.

The Token PlatformClosedOperated and maintained by Token to provide turnkey PSD2 and OBIE compliance for easy and secure TPP connectivity with banks offering payment initiation and account information services. supports all three SCA models — redirect, decoupled, and embedded. Let's take a brief look at each in turn and the differences encountered.

Redirect Model

Under this approach, the PSUClosedPayment Services User – an individual person or legal business entity making use of an Open Banking service as a payee, payer or both. connects with the TPPClosedThird-Party Provider – an authorised online service provider introduced as part of Open Banking. TPPs exist outside of the account holder’s relationship with their bank but may be involved in transactions carried out by the user. but is redirected to an the ASPSPClosedAccount Servicing Payment Services Provider – any financial institution that offers a payment account with online access. This includes banks and building societies. PSD2 requires ASPSPs to provide access to trusted third parties for initiating payments and accessing account information. web interface for authentication. Redirection to a mobile app uses the decoupled model (discussed next).

Under the redirect model (pictured above, hover to enlarge), the ASPSP manages SCA interactivity with the user; Token's Open Banking APIs are not used for SCA operations.

The advantage in the redirect model resides in the Bank/ASPSP remaining in full control of account holder authentication.

Decoupled Model

Similar to the redirect approach, the decoupled model prompts the PSU to authenticate using the bank's dedicated mobile app on a smartphone or other mobile device, regardless of whether the redirect is launched from a browser or the TPP's mobile app.

The advantage of bank-controlled SCA remains consistent with the redirect model but a better customer experience for mobile user's is achieved with decoupling.

Embedded Model

The embedded model is executed entirely through the UI presented by the TPP. User verification is managed locally using a trusted identity provider (IDP) like the device manufacturer (OEM) — wherein user authentication is performed by embedded apps like Apple Pay, Samsung Pay, and Android Pay, among others; typically using biometric verification; i.e., fingerprint scan, iris scan, or FaceID — or through an IDP service like OKTA, which evaluates user authenticity based on the correct entry of a OTP.