Global interoperability, a common cause among many national and industry groups, seems especially urgent these days, particularly in matters of security. Interop requires open standards, a “best idea wins” debate among experts and patience, lots of patience. The Financial-Grade API Working Group has a singular focus on developing its security profile as a complementary component to the functional specifications in open banking “standards.” Patience is paying off as adoption momentum builds, as demonstrated by HSBC’s recent certification of conformance to the FAPI Standard.
The OpenID Foundation (OIDF) is pleased to announce the expansion of the FAPI-RW certification program to cover app2app implementations. The app2app pattern enhances the all-important user experience for OpenID Connect on mobile devices when the user has a native app from the OpenID Provider installed. The importance of the app2app experience for end users is emphasized by a recent opinion from the European Bank Authority, where they make it clear that under the “Payment Services Directive 2” (PSD2), most European banks are required to support the app2app pattern.
The Foundation announced the addition of FAPI certifications to the Certification Program in late 2018 with the first certifications posted in early 2019. Since launch, a wide variety of implementations have been certified. Many, like HSBC, are following the lead of the UK Open Banking Implementation Entity, with more currently testing and in the pipeline:
The app2app certification tests are run in the standard browser on the mobile OS, and need to be repeated for each supported platform (typically Web, Android, and iOS). This means that many banks, vendors and other organizations looking to fully certify to FAPI-RW would run the tests 3 times:
1. Test standard web authentication/authorization experience
2. Test Android app experience
3. Test iOS app experience
The tests have been run against a number of app implementations. The OIDF Certification Program team continues to help organizations discover, during testing, interoperability and security issues present in their mobile implementations.
To encourage implementers to “test the tests”, app2app certifications will be in pilot mode and free of charge to members until July 31, 2020. This offer is for any implementation that has achieved FAPI-RW certification already as well as those that achieve a standard FAPI-RW certification prior to July 31st.
For those unfamiliar with app2app, please reference this OIDF blog post for more information. And for those interested in taking a deeper dive into app2app, Joseph Heenan from the OpenID Certification Program team will be presenting on app2app at: