OpenID Certification Program Expands with the Release of Financial-grade API Client Initiated Backchannel Authentication Profile (FAPI-CIBA) Certification

Published September 16, 2019
The OpenID Foundation announced today its expansion of the OpenID Certification program with conformance testing and self-certification of Financial-grade API Client Initiated Backchannel Authentication Profile (FAPI-CIBA) OpenID Providers. The ability to self-certify FAPI-CIBA implementations builds on the availability and success of Financial-grade API (FAPI) certifications, under which a number of vendors, including banks, have certified their FAPI OpenID Provider implementations, with many more currently testing in preparation for certification.

FAPI-CIBA takes the OpenID Connect Client Initiated Backchannel Authentication (CIBA) Flow specification from the OpenID Mobile Operator Discovery, Registration & authentication (MODRNA) working group, which was designed for specific mobile network operator use cases, and makes it generic and applicable to financial-grade services. It expands authentication and authorization to new use cases, such as verifying a customer's identity when they call into a bank, or allowing authentication to be completely biometric on a mobile device while the customer is interacting with a website on a desktop PC. The FAPI-CIBA profile builds on top of the CIBA specification to make it suitable for use in higher-risk scenarios.

The development of the CIBA specification was driven by the EU's Second Payment Services Directive (PSD2), which mandates that banks allow their customers to access their data and make payments via authorized third parties. While enabling users to control their banking data for other uses is a great advancement for consumers, few technical details on the interaction between the three parties (customer, bank, and third party) exist, so the industry has identified three high-level interaction flow options:
  • Redirect: easy, standard OAuth
  • Embedded: effectively legalized phishing
  • Decoupled: nice UX but lack of standards
The CIBA specification enables decoupled interaction flows such as for these use cases:
  • Granting authorization to a remote call center agent
  • Using the strongly authenticated session on a smart device to grant authorization to another device
  • Payments
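To make the decoupled flow concrete, the following is an added, constructed example (not code from the OpenID Foundation, the FAPI-CIBA specification, or any of the vendors named on this page) of a CIBA exchange in poll mode. A consumption device (here a hypothetical call-centre agent console with client id `call-center-console`) starts a backchannel authentication request for a user identified by a `login_hint`; the user sees the request, including the `binding_message`, on a separate authentication device and approves or denies it; the console collects tokens from the token endpoint with the `urn:openid:params:grant-type:ciba` grant, honouring `interval`, `slow_down`, `authorization_pending`, `access_denied` and `expired_token`. The OP, the user names, the binding message and the in-process "endpoints" are all toy assumptions standing in for HTTPS calls to a real OpenID Provider.

```python
"""Simulated OpenID Connect CIBA exchange in poll mode. Constructed example:
the OP is a toy kept in memory and the endpoints are plain function calls."""
import secrets

CIBA_GRANT = "urn:openid:params:grant-type:ciba"   # grant_type defined by CIBA Core
DEFAULT_INTERVAL = 5                               # seconds the client must wait between polls
BACKOFF = 5                                        # CIBA: add 5 s to the interval on slow_down


class FakeClock:
    """Controllable clock so the exchange runs instantly and deterministically."""
    def __init__(self):
        self.now = 0.0
    def __call__(self):
        return self.now
    def advance(self, seconds):
        self.now += seconds


class OpenIDProvider:
    """Toy OP (hypothetical) holding pending backchannel requests in memory."""
    def __init__(self, clock):
        self.clock = clock
        self.requests = {}

    def backchannel_authenticate(self, client_id, scope, login_hint,
                                 binding_message, requested_expiry=120):
        # auth_req_id is the only value the consumption device later presents at the
        # token endpoint, so it must be unguessable and bound to the requesting client.
        auth_req_id = secrets.token_urlsafe(32)
        self.requests[auth_req_id] = {
            "client_id": client_id, "scope": scope, "login_hint": login_hint,
            "binding_message": binding_message, "status": "pending",
            "expires_at": self.clock() + requested_expiry,
            "interval": DEFAULT_INTERVAL, "next_poll": self.clock(),
        }
        return {"auth_req_id": auth_req_id, "expires_in": requested_expiry,
                "interval": DEFAULT_INTERVAL}

    def pending_for_user(self, login_hint):
        """What the authentication device shows the user: scope and binding message."""
        return [(rid, r["scope"], r["binding_message"])
                for rid, r in self.requests.items()
                if r["login_hint"] == login_hint and r["status"] == "pending"]

    def user_decision(self, auth_req_id, approved):
        self.requests[auth_req_id]["status"] = "approved" if approved else "denied"

    def token(self, client_id, grant_type, auth_req_id):
        req = self.requests.get(auth_req_id)
        if grant_type != CIBA_GRANT or req is None or req["client_id"] != client_id:
            return {"error": "invalid_grant"}       # unknown id, or another client's id
        now = self.clock()
        if now > req["expires_at"]:
            del self.requests[auth_req_id]
            return {"error": "expired_token"}
        if now < req["next_poll"]:                 # client polled before the interval elapsed
            req["interval"] += BACKOFF
            req["next_poll"] = now + req["interval"]
            return {"error": "slow_down"}
        req["next_poll"] = now + req["interval"]
        if req["status"] == "pending":
            return {"error": "authorization_pending"}
        del self.requests[auth_req_id]             # the final answer is one-shot
        if req["status"] == "denied":
            return {"error": "access_denied"}
        return {"access_token": secrets.token_urlsafe(16), "token_type": "Bearer",
                "scope": req["scope"]}


def run_decoupled_flow(op, clock, approve, approve_after_polls=2):
    """Consumption-device side. approve=True/False is the user's decision on the
    authentication device after `approve_after_polls` polls; approve=None means the
    user never responds and the request must expire. Returns (final response, errors seen)."""
    client_id, user, binding_message = "call-center-console", "alice@example.com", "X7Q-41"
    resp = op.backchannel_authenticate(client_id, "openid accounts", user, binding_message)
    auth_req_id, interval = resp["auth_req_id"], resp["interval"]
    seen, polls = [], 0
    while True:
        result = op.token(client_id, CIBA_GRANT, auth_req_id)
        if result.get("error") not in ("authorization_pending", "slow_down"):
            return result, seen
        seen.append(result["error"])
        if result["error"] == "slow_down":
            interval += BACKOFF
        polls += 1
        if approve is not None and polls == approve_after_polls:
            # Authentication device: the user compares the binding message the agent read
            # out with the one in the prompt; a mismatch means the prompt is not theirs.
            rid, _scope, shown = op.pending_for_user(user)[0]
            op.user_decision(rid, approve and shown == binding_message)
        clock.advance(interval)                   # honour the interval the OP returned
```

The points worth noticing for a financial-grade deployment are the ones the toy enforces: `auth_req_id` is random and tied to the client that created it, the request expires, the OP throttles eager pollers with `slow_down`, and the user is shown the `binding_message` so that a request started by an attacker at the same moment cannot be approved by mistake.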
Despite the FAPI-CIBA specification being relatively new, it has already been adopted by OpenBanking UK as well as OpenID Foundation members Authlete, Ping Identity, and Ozone Financial Technology. Authlete was the first to achieve FAPI-CIBA certification, and we look forward to many more FAPI-CIBA certifications in the near future.

Additional FAPI-CIBA certification information:

This launch demonstrates the expertise and experience of the OpenID Certification team, our liaison partners, and a global community of technical contributors. The close collaboration of these groups with the OpenID Connect, MODRNA, and FAPI working groups has enabled the success and expansion of the OpenID Certification program.