OAuth2 – Open Banking Payments Note: the intent of this posting is neither dismissing OAuth2, nor claiming that Open Banking standards are useless; it simply suggests that an addition should (long term) be considered. If you take a peek at the picture below, you’ll note that the Merchant doesn’t really fit the regular OAuth2 scope. From a practical point of view this means that the End-User needs to interact with the Client (PISP), which he/she usually doesn’t know anything about. The EMV standard, currently powering more than 10 billion secure payment cards as well as Apple Pay, offers a more logical architecture where the payment intermediaries' primary role is being a (transparent to the End-User) commercial and technical proxy between the Merchant and the payment network. Through a standardized End-User solution, EMV offers an unparalleled UX and consistent security. However, the reliance on a standardized End-User solution is also a major hurdle. Apple is to date the only party who has managed to create such a solution and gotten global traction for it as well. How come? Well, creating a technical solution may be fairly straightforward, while uniting thousands of banks around a common wallet has so far not happened. Has anybody even tried? It appears that we remain at the mercy of Apple and their likes. Anything else would require leaving our respective comfort zones. #payments #security #architecture #banks #ux #oauth2 #openbanking
Why wouldn't the CIBA (Client Initiated Backchannel Auth) from OpenID Foundation serve this need? https://openid.net/specs/openid-client-initiated-backchannel-authentication-core-1_0.html
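The comment above points to CIBA as a way to avoid the browser redirect to an unfamiliar PISP. The following is an added illustration of the CIBA poll-mode exchange, not code from the thread or from the OpenID Foundation: an in-memory stub of an OpenID Provider (constructed for this example) that exposes the backchannel authentication and token endpoints, and a client loop that drives one payment authorization through them. The endpoint names, parameters (`login_hint`, `binding_message`, `auth_req_id`, `expires_in`, `interval`), the `urn:openid:params:grant-type:ciba` grant type and the `authorization_pending` / `expired_token` / `access_denied` error codes follow CIBA Core 1.0; the user's approval on their own authentication device is simulated by a flag, since no real push channel exists here.

```python
"""Simulation of the OpenID CIBA poll-mode exchange (added example, not the
thread's or the OpenID Foundation's code). The authorization server is an
in-memory stub constructed for illustration; the user-approval step is a flag
standing in for the real out-of-band authentication on the user's device."""
import secrets
import time

CIBA_GRANT = "urn:openid:params:grant-type:ciba"


class CibaAuthorizationServer:
    """Minimal stub of an OpenID Provider supporting CIBA poll mode (constructed)."""

    def __init__(self, clock=time.time):
        self.clock = clock
        self.requests = {}  # auth_req_id -> pending request state

    def backchannel_authorize(self, client_id, scope, login_hint, binding_message=None):
        # Step 1: the client (e.g. a PISP backend) asks the OP to authenticate a
        # user identified out-of-band. No browser redirect of the End-User occurs.
        if not login_hint:
            return {"error": "invalid_request", "error_description": "login_hint required"}
        auth_req_id = secrets.token_urlsafe(32)
        self.requests[auth_req_id] = {
            "client_id": client_id, "scope": scope, "login_hint": login_hint,
            "binding_message": binding_message,  # shown to the user on their device
            "approved": None,                    # None = pending, True/False = decided
            "expires_at": self.clock() + 120,
        }
        # expires_in and interval are the spec's response members for poll mode
        return {"auth_req_id": auth_req_id, "expires_in": 120, "interval": 5}

    def user_decides(self, auth_req_id, approve):
        # Simulates the End-User approving or denying on their authentication device.
        self.requests[auth_req_id]["approved"] = approve

    def token(self, client_id, grant_type, auth_req_id):
        # Step 2: the client polls the token endpoint with the CIBA grant type.
        if grant_type != CIBA_GRANT:
            return {"error": "unsupported_grant_type"}
        req = self.requests.get(auth_req_id)
        if req is None or req["client_id"] != client_id:
            return {"error": "invalid_grant"}  # unknown id or id bound to another client
        if self.clock() > req["expires_at"]:
            del self.requests[auth_req_id]
            return {"error": "expired_token"}
        if req["approved"] is None:
            return {"error": "authorization_pending"}
        del self.requests[auth_req_id]  # auth_req_id is single use
        if req["approved"] is False:
            return {"error": "access_denied"}
        return {"access_token": secrets.token_urlsafe(32), "token_type": "Bearer",
                "expires_in": 300, "scope": req["scope"]}


def run_ciba_flow(op, client_id, login_hint, scope, user_approves, poll_limit=3):
    """Drive one CIBA poll-mode flow; returns the sequence of token-endpoint outcomes."""
    resp = op.backchannel_authorize(client_id, scope, login_hint,
                                    binding_message="Pay EUR 12.50 to Shop")
    auth_req_id = resp["auth_req_id"]
    outcomes = []
    for i in range(poll_limit):
        # A real client sleeps `interval` seconds between polls; omitted here.
        if i == 1:
            op.user_decides(auth_req_id, user_approves)  # user acts after first poll
        tok = op.token(client_id, CIBA_GRANT, auth_req_id)
        outcomes.append(tok.get("error", "access_token"))
        if "error" not in tok or tok["error"] not in ("authorization_pending", "slow_down"):
            break
    return outcomes


if __name__ == "__main__":
    print(run_ciba_flow(CibaAuthorizationServer(), "pisp-1", "user@example.com",
                        "payments", user_approves=True))
```

The point of the stub is the shape of the exchange: the client never sends the End-User to the PISP; it identifies the user to the bank's OP, the bank authenticates the user on a channel it already controls, and the client only learns the outcome by polling. Expiry of the `auth_req_id` and the binding of the request to the original `client_id` are the two server-side checks that keep a polled backchannel request from being replayed or picked up by another client.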
OAuth and its descendants are a good solution for the problem they try to solve. This would be a federated model with clear separation between IDP and SP supporting a broad range of authentication artefacts. The question that should be asked is whether time has not caught up with these concepts. With PKI-like solutions like passkeys and FIDO derivatives it seems more and more like getting a square peg through a round hole to fit this into these flows.
While OAuth2 or OIDC protocols provide a "trustless" model to redirect & authenticate securely between parties (especially for open banking TPP services), it does bring in friction for the end user and is not always a very pleasant journey. Even with EMV core standards for card-based payments, issuer redirects still remain a point of friction where 2-factor authentication is needed. Whereas wallets (Apple/Google Pay etc.) provide a comparatively seamless experience but may not always be liability protected from the merchant's perspective. I believe irrespective of the payment method / device type used by the end users, making authentication stronger (multi-factor most of the time) and also making the authentication experience invisible for the end user (few to no redirects) is the way to progress that keeps payments secure, the checkout experience fast and payment method agnostic.
With the connectivity and the capability we have in our pocket, why can't we send money directly to the merchant rather than through a proxy that banks are slow to adopt and implement?
An OAuth connection for every transaction is not a viable option. Having said that, how do you see EMV working for online transactions securely - built-in NFC readers in devices? Or software equivalents of the EMV card?