Login & multi-factor authentication for PSD2 inquiry APIs
As described here, the APIs exposed by Mediobanca Premier are accessed with an OAuth 2.0 access token.
To obtain the access token (with the authorization_code grant type), the customer has to log in to Mediobanca Premier systems. The login requires only a username and a password, so it is a simple single-factor login.
As the PSD2 directive requires, however, some data can be accessed only after a Strong Customer Authentication (SCA), which is a two-factor authentication.
Therefore, we implemented a privilege escalation mechanism for inquiry APIs that allows the customer to enhance the privileges of an already obtained access token by providing a second authentication factor.
The following diagram shows the process (the example is based on the /private/customers/{customerId}/products/{productId}/transactions/retrieve API):
The error that the TPP receives when the SCA is missing or expired is the following; after receiving it, the TPP must initiate the privilege escalation process to enhance the privileges of the access token:
{
  "result": {
    "requestId": "....",
    "outcome": "ERROR",
    "flushMessages": true,
    "messages": [
      {
        "code": "PSD2_SCA_REQUIRED",
        "message": "The operation requires SCA: it's been too long since last customer SCA with current TPP and the response includes sensitive data",
        "type": "ERROR"
      }
    ]
  },
  "resources": {
    "resourceId": "<RESOURCE_ID>"
  }
}
The diagram uses the /private/customers/{customerId}/products/{productId}/transactions/retrieve API as an example, but the process applies whenever the TPP receives the PSD2_SCA_REQUIRED error from any API.
At the moment, the APIs that can take part in this process are:
- /private/customers/{customerId}/products/{productId}/balance/retrieve
- /private/customers/{customerId}/products/{productId}/transactions/retrieve
- /private/customers/{customerId}/products/{productId}/creditCardsTransactions/retrieve
- /private/customers/{customerId}/products/{productId}/moneyTransfer/history/retrieve
Note that a SCA performed to access a given piece of account information, and then used to apply exemptions when accessing account and transaction information, expires 180 days after the last time the customer performed it. For example:
- if the customer performs a SCA to access the balance of an account, the user can access the balance of that account through the AISP TPP for 180 days without performing a new SCA
- if the customer performs a SCA to access transactions older than 90 days for an account, a SCA will be required again on the next access to the same information (even within 180 days of the first access)
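The following is an added example (not Mediobanca Premier's code) showing how a TPP client can recognise the PSD2_SCA_REQUIRED reply shown above and how the two exemption rules just described can be checked. The `escalate` callback and the sample reply values are assumptions, since this page does not specify the escalation endpoint itself.

```python
from datetime import date, timedelta
from typing import Callable, Optional

SCA_REQUIRED_CODE = "PSD2_SCA_REQUIRED"
SCA_VALIDITY_DAYS = 180      # exemption window stated on this page
OLD_TRANSACTIONS_DAYS = 90   # transactions older than this always need a fresh SCA

def sca_required_resource(response: dict) -> Optional[str]:
    """Return the resourceId if the reply carries PSD2_SCA_REQUIRED, else None.
    Match on the message code, not only on outcome == "ERROR": other errors
    must not start the privilege-escalation flow."""
    result = response.get("result", {})
    if result.get("outcome") != "ERROR":
        return None
    if SCA_REQUIRED_CODE not in {m.get("code") for m in result.get("messages", [])}:
        return None
    return response.get("resources", {}).get("resourceId")

def sca_exempt(last_sca: Optional[date], today: date,
               transactions_from: Optional[date] = None) -> bool:
    """Exemption rules from this page: a SCA covers the next 180 days, but
    transactions older than 90 days are never covered by an earlier SCA."""
    if last_sca is None or today - last_sca > timedelta(days=SCA_VALIDITY_DAYS):
        return False
    if (transactions_from is not None
            and today - transactions_from > timedelta(days=OLD_TRANSACTIONS_DAYS)):
        return False
    return True

def call_with_escalation(call: Callable[[], dict],
                         escalate: Callable[[str], None]) -> dict:
    """Call an inquiry API; on PSD2_SCA_REQUIRED run `escalate` (hypothetical callback,
    endpoint not given on this page) once and retry once, so a failed SCA cannot loop."""
    response = call()
    resource_id = sca_required_resource(response)
    if resource_id is None:
        return response
    escalate(resource_id)
    response = call()
    if sca_required_resource(response) is not None:
        raise RuntimeError("SCA still required after privilege escalation")
    return response

# Constructed sample reply mirroring the error shown on this page (values made up).
SAMPLE_ERROR = {
    "result": {"requestId": "req-0001", "outcome": "ERROR", "flushMessages": True,
               "messages": [{"code": SCA_REQUIRED_CODE, "type": "ERROR",
                             "message": "The operation requires SCA"}]},
    "resources": {"resourceId": "RES-EXAMPLE-001"}}
```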