Value added features
This section covers the additional flows of the Salt Edge SCA solution:
- Instant enrollment - where the customer, if pre-authenticated, instantly connects the Service Provider in the Salt Edge Authenticator app;
- Instant action - where the customer instantly authenticates and is taken directly to action authorization via the Salt Edge Authenticator app.
IMPORTANT: For explanation purposes, the sequence diagrams use the terms "Identity Service", "Authentication Service", "Core banking", or a combination of these components, for simplicity, since Service Provider system specifications vary. In your environment these components are already present and may be named differently. The "Identity Service Example" covered in this project acts accordingly, in order to give a general overview of the instant enrollment and instant action flows from the Service Provider's perspective.
Besides the standard enrollment flow, where the customer passes authentication in the Salt Edge Authenticator app via a Web View, the Service Provider can generate a Deep Link (QR code) with the additional parameter connect_query to identify the customer (API documentation). Instant Enrollment presumes that the customer has already passed the authentication process, resulting in a personalized Deep Link (QR code).
Sequence diagram (image): Instant Enrollment flow.
The flow starts with the Service Provider introducing Strong Customer Authentication. Here, the Customer authenticates as a first step. Then the Customer has two choices: scan the QR code with the Authenticator app, or open the Deep Link if viewing the SCA instructions directly on a smartphone.
Compared to the standard Connect flow, the Instant Enrollment flow presumes that the Customer is already authenticated. Hence, the Customer is given a personalized QR code and Deep Link containing the connect_query parameter, which the Identity Service uses to identify the user. For this reason, the "POST /connections" request also carries this additional authentication parameter, and in return the Salt Edge Authenticator app receives an access_token once the QR code is scanned or the Deep Link is accessed.
The Instant Enrollment flow eases the enrollment procedure by not requiring the Customer to pass the usual authentication flow inside the Salt Edge Authenticator app when the Customer has already authenticated on the Web/Mobile app side.
Salt Edge suggests setting an expiration time for the "Authorized QR code/Deep Link" (which contains connect_query), refreshing it e.g. every 5 minutes.
The Instant Action feature is an innovation in the authentication market, letting the Customer instantly authenticate in applications and/or instantly authorize the performed action (API documentation). Under the Second Payment Services Directive and its requirements, access to account information or payment initiation has to be accompanied by Strong Customer Authentication. There are mainly two problems to solve for the Customer: provide fast authentication and fast action authorization in a minimum of steps. Salt Edge Authenticator addresses this by allowing the Service Provider's Customers to benefit from a simplified flow when they need to both authenticate and authorize an action.
Instant Action presumes scanning a QR code (embedding a Deep Link) with Salt Edge Authenticator; the Deep Link contains an "action_id", which is assigned to each session started by the Customer. The Salt Edge Authenticator app, holding the "access_token", presents it together with the "action_id" to the Identity Service to identify the Customer. As a result, the Customer is identified by the Identity Service, linked with the "action_id", and automatically signed in.
Although Instant Action offers a convenient way to authenticate, it does not eliminate the security risks that come with a password. Keep in mind that Instant Action, first of all, "replays" the password rather than removing it from the authentication process. This authentication method is called "password-free" authentication, as opposed to "passwordless" authentication, where the password does not participate in the authentication process at all.
The Instant Action flow can be analyzed through the two main use cases described below:
1. Instant application authentication
This use case describes the flow of a simple Web application authentication by means of Salt Edge Authenticator. The flow presumes that the Service Provider is regulated by PSD2, so that Web application authentication requires a "sign in" action authorization via the Strong Customer Authentication flow (non-regulated providers can skip the sign-in action authorization).
Once the Customer is on the Web application login page, they are offered either the standard login flow, e.g. login and password, or a QR code with instructions to scan it with their SCA application, Salt Edge Authenticator. The Customer scans the QR code and is identified by the Service Provider, resulting in authorization of the action and instant login.
Sequence diagram (image): Instant application authentication.
2. Instant payment authorization
This use case describes the flow of authorizing a payment initiated in a Merchant/TPP application by means of Salt Edge Authenticator. The flow presumes that the Customer is redirected from the application where the payment was initiated to the Service Provider page in order to authenticate, choose the account to pay from, and authorize the action using Strong Customer Authentication.
When the Customer makes a purchase via a Merchant online store, or initiates a transfer from a TPP application (via the PSD2 API), the Customer is taken from the Merchant/TPP app to the familiar online banking page of the Service Provider, where they have to authenticate and confirm the payment with Salt Edge Authenticator. To avoid performing all of these actions one by one, when the Customer lands on the login page they are offered to log in either with credentials, e.g. username and password, or by scanning a QR code with Salt Edge Authenticator. Once the QR code is scanned, the Customer is identified and authenticated (as described in the previous flow), and the Service Provider returns the "authorization_id" to Salt Edge Authenticator so that the app can instantly display the authorization request. With this flow, the Customer performs a minimum of steps to finish the payment procedure.
Sequence diagram (image): Instant payment authorization.
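The Service Provider side of both Instant Action use cases, as an added example (hypothetical Identity Service, not Salt Edge's or the project's code): each login or payment page gets its own action_id, the Authenticator presents access_token plus action_id, and the service binds the customer to that session, returning an authorization_id for payment sessions. ACTION_TTL, the single-use rule and the in-memory access_token table are assumptions.

```python
import secrets
from dataclasses import dataclass
from typing import Optional

ACTION_TTL = 300  # seconds a login/payment QR stays scannable (assumed; the page gives no value)


@dataclass
class ActionSession:
    action_id: str
    kind: str                            # "sign_in" or "payment"
    created_at: int
    customer_id: Optional[str] = None    # bound once the Authenticator identifies the customer
    authorization_id: Optional[str] = None


class IdentityService:
    """Hypothetical Identity Service tracking instant-action sessions (not Salt Edge's code)."""

    def __init__(self, connections: dict):
        # access_token -> customer_id, as issued at enrollment (constructed sample data)
        self.connections = connections
        self.sessions = {}

    def start_session(self, kind: str, now: int) -> str:
        """Called when a login or payment page renders its QR code: one action_id per session."""
        action_id = secrets.token_urlsafe(16)
        self.sessions[action_id] = ActionSession(action_id, kind, now)
        return action_id

    def instant_action(self, access_token: str, action_id: str, now: int) -> dict:
        """Authenticator presents access_token + action_id; identify the customer, bind the session."""
        customer_id = self.connections.get(access_token)
        session = self.sessions.get(action_id)
        if customer_id is None or session is None:
            return {"status": "rejected", "reason": "unknown token or action"}
        if now - session.created_at > ACTION_TTL:
            return {"status": "rejected", "reason": "action expired"}
        if session.customer_id is not None:
            return {"status": "rejected", "reason": "action already used"}  # a QR is single-use
        session.customer_id = customer_id
        if session.kind == "payment":
            # Payment use case: hand back an authorization_id so the app shows the request at once
            session.authorization_id = "auth-" + secrets.token_hex(6)
            return {"status": "pending_authorization", "authorization_id": session.authorization_id}
        return {"status": "signed_in", "customer_id": customer_id}

    def session_customer(self, action_id: str) -> Optional[str]:
        """What the waiting web page polls: which customer (if any) completed this action."""
        session = self.sessions.get(action_id)
        return session.customer_id if session else None
```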