Login & multi factor authentication for PSD2 inquiry APIs

As said here, the APIs exposed by Mediobanca Premier are accessible with an Oauth2.0 access token.

To obtain the access token (in authorization_code grant_type), the customer has to log in to Mediobanca Premier systems. The login requires only a username and a password, so it's a simple 1 factor login.

As the PSD2 directive says, however, some data can be accessed only with a Strong Customer Authentication (which is a 2 factor authentication).

Therefore, we implemented a privilege escalation mechanism which applies to inquiry APIs, which allows the customer to enhance the privileges of the already obtained access token, by providing a second factor of authentication.

Following a schema of the process (example based on the /private/customers/{customerId}/products/{productId}/transactions/retrieve API):

Request recent transactions

Request old transactions

The error that the TPP will receive in case of missing or expired SCA is the following; after receiving it, the TPP must initiate the privilege escalation process to enhance the privileges of the access token:

  "result": {
    "requestId": "....",
    "outcome": "ERROR",
    "flushMessages": true,
    "messages": [
        "code": "PSD2_SCA_REQUIRED",
        "message": "The operation requires SCA: it's been too long since last customer SCA with current TPP and the response includes sensitive data",
        "type": "ERROR"
  "resources": {
    "resourceId": "<RESOURCE_ID>"

The schema is made taking the /private/customers/{customerId}/products/{productId}/transactions/retrieve as an example, but it is applicable every time the TPP obtains the PSD2_SCA_REQUIRED error from any API.

At the moment, the APIs which can take part in this process are:

  • /private/customers/{customerId}/products/{productId}/balance/retrieve
  • /private/customers/{customerId}/products/{productId}/transactions/retrieve
  • /private/customers/{customerId}/products/{productId}/creditCardsTransactions/retrieve
  • /private/customers/{customerId}/products/{productId}/moneyTransfer/history/retrieve

Note that a SCA performed to access a given account information and then used to apply exemptions to access account and transactions information expires after 180 days since the last time the customer performed it. Therefore, for example:

  • if the customer performs a SCA to access the balance of an account, the user can access through the AISP TPP the balance of that account for 180 days without performing a new SCA
  • if the customer performs a SCA to access the transactions older than 90 days for an account, on the next access to the same information (even within 180 days since the first access) a SCA will be required again