Identity proofing through PSD2/open banking

A common problem when talking about authentication is how to activate or enroll a user for one or more services: “You can’t authenticate if you don’t exist”.

This problem is known as “identity proofing”. Traditionally, in enterprise services, this process is solved through a physical meeting. The user proves their identity by presenting some physical identification, and accounts are created based on the information provided.

As services move further away from their users, proving who you are becomes harder. The general solution is to let the user register through a form, with validation of an e-mail address and/or mobile number. From a security perspective this is not sufficient. Trusting arbitrary, self-asserted data as the foundation for granting users access to a service will not work in the long run.

In the Nordics, citizens can be issued a digital ID. This ID carries a high level of trust and is considered safe for most services.

The drawbacks of using this ID are technical complexity on the service provider side and cost.

An interesting upcoming alternative could be EU directive 2015/2366, also known as PSD2.

The main purpose of PSD2 is to handle financial transactions through an API-driven environment. EU banks are required to provide a free API for banking services.

The directive is available at https://ec.europa.eu/info/law/payment-services-psd-2-directive-eu-2015-2366_en.

And how would an API meant for financial transactions solve “Identity proofing”?!

Since the API targets ordinary people, you and me with a bank account, it will require some kind of authentication. A successful authentication will result in some identity data. This data originates from when the account was first set up, and since (most) banks tend to be careful about identifying people, this identity data can be considered trustworthy. Based on the bank’s data, a service provider can now provision the user into their service and be fairly certain that this person is who he or she claims to be.

Example:

I’m signing up for a new service. This service has a PSD2 API connection to a number of banks. One of them happens to be my bank.

During registration with the new service I am offered the option to authenticate through my bank.

I enter whatever credentials my bank requires. These are validated by my bank, and the response from my bank is my personal data. The service then uses this data to create my account.

If desired, the same flow can obviously also be used for authentication.

Then there is the discussion of trust.

Do I trust my bank?

Does the service provider trust my bank?
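The registration flow from the example above, with the trust question made explicit on the service provider side, as an added illustration that is not PhenixID code and does not use any real PSD2 bank API. It assumes a constructed trust registry of banks and an HMAC shared secret standing in for the bank’s signing key; all names, claims and secrets are constructed.

```python
import base64
import hashlib
import hmac
import json

# Constructed trust registry: the banks this service provider accepts identity
# data from, and the key it shares with each. Assumption: an HMAC shared secret
# stands in for the bank's signing key; a real deployment verifies a public key.
TRUSTED_BANKS = {"bank-a.example": b"constructed-shared-secret-for-bank-a"}
# Identity claims the service needs before it will create an account.
REQUIRED_CLAIMS = ("sub", "name", "birthdate")


def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def bank_issue_assertion(issuer: str, key: bytes, identity: dict, now: int, ttl: int = 300) -> str:
    """Bank side: after authenticating its customer, sign the identity data on file."""
    payload = dict(identity, iss=issuer, iat=now, exp=now + ttl)
    body = _b64(json.dumps(payload, sort_keys=True).encode())
    sig = _b64(hmac.new(key, body.encode(), hashlib.sha256).digest())
    return f"{body}.{sig}"


def verify_assertion(token: str, now: int) -> dict:
    """Service-provider side: 'does the service provider trust my bank?' as code.
    Accept only a known issuer, a valid signature, a current validity window and
    the claims we provision from; reject everything else."""
    body, sig = token.split(".")
    payload = json.loads(base64.urlsafe_b64decode(body + "=" * (-len(body) % 4)))
    key = TRUSTED_BANKS.get(payload.get("iss"))
    if key is None:
        raise ValueError("issuer is not a trusted bank")
    expected = _b64(hmac.new(key, body.encode(), hashlib.sha256).digest())
    if not hmac.compare_digest(expected, sig):
        raise ValueError("signature does not verify against the bank's key")
    if not (payload.get("iat", 0) <= now < payload.get("exp", 0)):
        raise ValueError("assertion expired or not yet valid")
    missing = [c for c in REQUIRED_CLAIMS if c not in payload]
    if missing:
        raise ValueError(f"identity data lacks required claims: {missing}")
    return payload


def provision_account(token: str, now: int) -> dict:
    """Create the local account record from bank-verified identity data only."""
    claims = verify_assertion(token, now)
    return {"user_id": f"{claims['iss']}:{claims['sub']}", "name": claims["name"],
            "birthdate": claims["birthdate"], "proofing_source": claims["iss"]}
```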


PhenixID has experience and products dealing with all of these use cases and will follow the development of PSD2 closely.