PSD2 and the Adoption of OIDC for the UK's Open Banking Standard

Back
May 19, 2017
Caren Havelock
Sr. Manager, EMEA Marketing

Co-authored by:
Caren Havelock, Senior Manager, EMEA, Ping Identity
Barry O'Donohoe, Senior Partner, RAiDiAM

Designed to foster competition and innovation in the banking sector, PSD2 requires EU Account Servicing Payment Service Providers (ASPSPs), including banks, building societies and credit unions, to expose open APIs to allow other banks and third parties to access their customer account information, with explicit consent from the customer.

 

How can these "open banking" APIs be secured against fraud and abuse, while still ensuring a positive security user experience? The technology-neutral PSD2 doesn't specify the details of how ASPSPs should secure APIs. So the UK's Competition and Markets Authority (CMA) is taking PSD2 a few steps further with its Open Banking Standard, namely to define the common security and data interface standards for financial APIs.

 

What's the latest announcement from Open Banking, Ltd.?

As discussed in our previous blog, Open Banking Ltd. (formerly the Open Banking Implementation Entity), established by the CMA to define the common technical standards for the UK's Open Banking Standard, has adopted the OAuth 2.0 family of security standards.

 

Open Banking Ltd. has now also formally announced its adoption of OpenID Connect (OIDC) and collaboration with the OpenID Foundation (OIDF), of which Ping Identity and Raidiam are both members, in order to ensure that all participants using open banking APIs are adequately protected. This means that anyone who wishes to enter the UK's open banking ecosystem must be OIDC enabled.

 


What is OpenID Connect and how does it relate to OAuth 2.0?

OAuth 2.0 is a mature, industry open standard that provides customers with a secure mechanism for delegating scoped access to third parties wishing to act on their behalf without the need to share their login credentials. Once a third party is authorized by the customer, it can securely access their data and interact with their bank account through APIs exposed by their bank.

 

OIDC is an identity layer on top of the OAuth 2.0 protocol that significantly improves and secures the exchange of information between parties that can optionally be used to provide identity services. Where OAuth 2.0 provides the application with the access tokens for APIs, OIDC provides the application with identity tokens, a sort of key to the context of their authentication and access to their profile information.

 

These identity tokens allow information to be exchanged bidirectionally between third parties and ASPSPs in a manner that can facilitate PSD2 regulatory needs, but through a series of interactions that ensures that the customer is always kept central to the authentication and authorization process and is well informed of the explicit consent that is being granted to the third party.

 


Fine-grained consent and authorization

Leveraging OIDC also offers banks and third parties a way to address some of their GDPR compliance requirements. The OIDC request object (section 6.1 of the specification) plays a crucial role in brokering the fine-grained consent and authorization of the customer's instruction to the third party. It's a perfect solution to addressing some of the OAuth 2.0 security weaknesses and provides origin authentication and message integrity to the customer's instruction via the third party giving the customer greater confidence when authorizing at their ASPSP.

 

OAuth 2.0--when profiled according to recommendations from industry experts such as the OIDF Financial API Working Group--can create a highly secure and standards-based API security solution for all participants in an open banking ecosystem (ASPSP customers, third parties, and ASPSPs themselves). And when employed as part of a comprehensive identity and access management (IAM) solution, can help deliver an optimal balance of security and user experience.

 


Implementing financial-grade API security

The Ping Identity Platform is comprised of a comprehensive suite of IAM products and capabilities that are standards compliant with the specific OIDC requirements being mandated by Open Banking Ltd. Its advanced integration capabilities provide a solid foundation for a highly secure API framework that delivers a frictionless user experience and distinct competitive advantage. Our product development team have been monitoring the emerging technical standards closely to ensure that our products remain abreast of the latest requirements emerging from this fast-paced and exciting initiative that's driving innovation in both security and financial services.

 

Visit www.pingidentity.com/PSD2 to learn more about PSD2, Open Banking Ltd.'s adoption of OAuth 2.0 and OIDC, and how the Ping Identity Platform is perfectly designed to solve the technical challenges that open banking creates.