First published on The New Stack.
Open banking has accelerated the transition of traditional financial services to the digital world. Consumers now have significant financial freedom and can access their financial data stored at banks through third-party providers.
Within this context, delivering enhanced digital experiences that are secure, seamless, and “always-on” has become vital. A recent survey by Qualtrics states that 89% of firms that lead with customer experiences perform better than their competitors.
The ownership of consumer data is no longer a decisive factor. However, it is vital that fintech firms provide consumers with a smooth user flow focusing on convenience, usability and security. Recently, OpenID Connect introduced a new technical specification known as Client-Initiated Backchannel Authentication (CIBA) to overcome this challenge. Please refer to the specification here.
Tech teams need to consider an out-of-the-box solution to support CIBA to enhance the end-user experience during authentication and authorization.
To explain and provide examples, we will use WSO2 Open Banking 3.0 as an implementation technology.
Consumption Device (CD)
A device that helps consumers to interact with a third-party provider’s (TPP) open banking services. This can be a browser-based web application offered by a payment or account service provider in the open banking ecosystem.
Authentication Device (AD)
A device that helps consumers interact with a bank’s authorization server (AS) to authenticate and authorize their identities.
OpenID Connect is one of the main specifications that open banking is built upon. Open banking allows a third-party provider’s application to initiate an authorization flow on behalf of consumers. A consumer is redirected to a bank’s authorization server, and then engages in authentication, authorization (consent), and is finally redirected back to the TPP application along with verifiable assertions for the process to proceed.
Fig.1 : A sample Open Banking Flow Diagram
Figure 1 shows a sample open banking flow based on OpenID Connect. It is mandatory for the consumer to interact with the consumption device to authenticate themselves with the bank’s authorization server and provide consent. In addition, this back-and-forth consumer interaction between the TPP and the authorization server is handled via HTTP redirects. However, browser redirects are highly vulnerable to attacks. If the consumer’s authentication and authorization interaction is moved off the CD onto a separate device (the AD), the HTTP redirects are no longer needed. This is where CIBA comes in.
As a general practice, a user must use the same device to authenticate and consume a service. With CIBA, however, the authentication process is decoupled. The consumption device that runs the third-party provider application initiates the backchannel request for authentication and authorization, while the actual authentication and authorization is performed on a separate authentication device, which can be any smart device such as a mobile phone, smartwatch or point-of-sale system.
CIBA defines three token request modes for the TPP application following consumer consent authorization.
Please note that WSO2 Open Banking currently only supports poll mode. Since support for ping mode is not mandated by FAPI, it will be considered for support in a future release.
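The decoupled poll-mode flow described above (the TPP application on the CD starting the backchannel request, the consumer acting on a separate AD, and the TPP polling the bank’s token endpoint), as an added in-memory simulation that is not part of the original post and not WSO2 Open Banking code. CIBA’s three modes are poll, ping and push; this example implements only poll, the mode WSO2 Open Banking supports. The `AuthorizationServer` class, the `FakeClock`, and the client id, login hint and binding message values are constructed stand-ins, and the example omits the HTTPS transport and client authentication a real authorization server requires.

```python
"""CIBA poll-mode flow, simulated in memory (added example; not WSO2 code)."""
import secrets
import time

CIBA_GRANT = "urn:openid:params:grant-type:ciba"   # grant_type value from the CIBA spec


class AuthorizationServer:
    """Constructed stand-in for the bank's authorization server (AS)."""

    def __init__(self, expires_in=120, interval=5, clock=time.monotonic):
        self.expires_in = expires_in    # lifetime of an auth_req_id, in seconds
        self.interval = interval        # minimum seconds between token-endpoint polls
        self.clock = clock
        self.requests = {}

    def backchannel_authenticate(self, client_id, login_hint, scope, binding_message):
        """Backchannel authentication endpoint: called by the TPP app on the CD (steps 1-2)."""
        auth_req_id = secrets.token_urlsafe(32)          # opaque, unguessable handle
        self.requests[auth_req_id] = {
            "client_id": client_id, "login_hint": login_hint, "scope": scope,
            "binding_message": binding_message,          # shown on the AD so the consumer can
            "status": "pending",                         # match the prompt to the CD transaction
            "created": self.clock(), "last_poll": None,
        }
        return {"auth_req_id": auth_req_id,
                "expires_in": self.expires_in, "interval": self.interval}

    def consumer_decides(self, auth_req_id, approved):
        """What happens on the AD: the consumer authenticates and grants or denies consent."""
        self.requests[auth_req_id]["status"] = "approved" if approved else "denied"

    def token(self, client_id, grant_type, auth_req_id):
        """Token endpoint in poll mode; returns CIBA error codes until the consumer has acted."""
        if grant_type != CIBA_GRANT:
            return {"error": "unsupported_grant_type"}
        req = self.requests.get(auth_req_id)
        if req is None or req["client_id"] != client_id:
            return {"error": "invalid_grant"}           # auth_req_id is bound to the issuing client
        now = self.clock()
        if now - req["created"] > self.expires_in:
            del self.requests[auth_req_id]
            return {"error": "expired_token"}
        if req["last_poll"] is not None and now - req["last_poll"] < self.interval:
            return {"error": "slow_down"}               # polled faster than the interval allows
        req["last_poll"] = now
        if req["status"] == "pending":
            return {"error": "authorization_pending"}
        del self.requests[auth_req_id]                   # decided: the auth_req_id is single-use
        if req["status"] == "denied":
            return {"error": "access_denied"}
        return {"access_token": secrets.token_urlsafe(24),
                "token_type": "Bearer", "scope": req["scope"]}


def tpp_poll_for_token(server, client_id, auth_req_id, interval, max_polls=40, sleep=time.sleep):
    """TPP side of poll mode: honour the interval, back off on slow_down, stop on final errors."""
    wait = interval
    for _ in range(max_polls):
        resp = server.token(client_id, CIBA_GRANT, auth_req_id)
        err = resp.get("error")
        if err is None:
            return resp
        if err == "slow_down":
            wait += 5                                    # CIBA: add 5 seconds to the interval
        elif err != "authorization_pending":
            raise RuntimeError(err)                      # expired_token, access_denied, invalid_grant
        sleep(wait)
    raise TimeoutError("gave up polling for auth_req_id")


class FakeClock:
    """Constructed clock so the simulation runs without real waiting."""
    def __init__(self):
        self.t = 0.0
    def now(self):
        return self.t
    def sleep(self, seconds):
        self.t += seconds


def run_purchase(approve=True, respond_after_polls=2, expires_in=120):
    """End-to-end: CD starts the request, consumer decides on the AD, TPP polls for the token."""
    clock = FakeClock()
    bank = AuthorizationServer(expires_in=expires_in, clock=clock.now)
    start = bank.backchannel_authenticate(
        client_id="tpp-retail-app",                      # constructed values
        login_hint="consumer@example.com",
        scope="payments",
        binding_message="Pay 42.00 to Example Shop, order 1001",
    )
    polls = 0
    def sleep(seconds):                                  # consumer acts after N polling intervals
        nonlocal polls
        clock.sleep(seconds)
        polls += 1
        if polls == respond_after_polls:
            bank.consumer_decides(start["auth_req_id"], approve)
    return tpp_poll_for_token(bank, "tpp-retail-app", start["auth_req_id"],
                              start["interval"], sleep=sleep)


if __name__ == "__main__":
    print(run_purchase())
```

Running the module drives an approved purchase and prints the token response. The points worth noting on the defending side are the ones the simulation enforces: the `auth_req_id` is opaque and usable only by the client it was issued to, it is consumed on first successful use and expires after `expires_in`, and a TPP that ignores the prescribed interval is told to slow down rather than being served.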
Figure 2 shows a sequence diagram for the CIBA flow using WSO2 Open Banking 3.0. Some CIBA-related new features have been implemented to handle steps 2, 3, 8 and 9, whereas steps 4, 5, 6 and 7 are handled by a new decoupled authenticator, also called a federated authenticator.
Fig.2 : CIBA Sequence Flow Diagram
Let’s discuss a CIBA flow by using an example use case. Assume a consumer wants to make an online retail purchase and opts to pay via their bank. The transaction will follow these steps:
We hope this post helps readers to understand more about CIBA and how this specification helps banks and financial firms to develop customer-centric solutions. To learn more, please visit our solution page.