Specialists in mobile apps for eID and PSD2 Strong Customer Authentication


Overview of the Decoupled SCA procedure
Via the Decoupled SCA procedure, an eID/SCA request is transmitted by an Identity Consumer (e.g. a Third Party Provider, TPP) to the central server of the Identity Service Provider (e.g. a bank).
The Identity Service Provider then asks the user to authenticate, typically by sending a push notification to the eID app on the user's smartphone. The user reviews the details of the request (e.g. a payment) within the eID app and can either approve or cancel the request.
The Identity Consumer is able to monitor the status of their request. Once the user has provided their approval, the Identity Consumer may be provided with the option to download a copy of the SCA proof from the Identity Service Provider's server.
In the case of payments, however, the TPP transmits a payment request to the bank that has not yet been authorised. Once the user authorises the payment, the bank processes it immediately. The TPP is able to monitor the status of the payment.
Similarly, for corporate payments, where multi-user approval is often required, the bank typically coordinates the capture of SCA from multiple users. User entitlements are managed within the bank's platform.
Our approach to Decoupled SCA
In our opinion, a major benefit of Decoupled SCA is that it allows the creation and subsequent approval of an eID request to be separated in both space and time. An eID request can be created and submitted without the approver(s) being present.
For example, it allows an Internet of Things (IoT) enabled device (e.g. a smart fridge) to automatically make a purchase which the account holder(s) can subsequently review and approve within their eID app.
The eID app must be capable of handling multiple eID requests in parallel. Our eID app presents the user with a list of Orders (eID requests) awaiting their approval. They can review and then approve or cancel each one in turn. Alternatively, they can approve all Orders with a single touch of the biometric sensor.
How we support Decoupled SCA
Decoupled SCA requires the Identity Service Provider to deploy a server to coordinate the eID requests.
To support this requirement, our solution utilises the (highly secure) Electronic Banking Internet Communication Standard (EBICS). Our eID app performs the role of an EBICS Client, which communicates directly with an EBICS Server, deployed by the Identity Service Provider.
A number of software products from mainstream vendors provide out-of-the-box support for EBICS. Quali-Sign has partnered with IBM whose Sterling File Gateway (SFG) product includes support for EBICS. SFG is already in use by many banks.
Our solution makes extensive use of the Electronic Distributed Signatures (EDS) module of EBICS. This provides the capability to place an eID request on hold and then coordinate the capture of SCA by one or more users.
All users and permissions are configured and managed centrally on the EBICS Server. Only those users with the necessary permissions will be asked to approve an Order (eID request).
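To make the coordination described on this page concrete (Orders held pending approval, entitlement checks on the server, multi-user approval, status polling by the Identity Consumer and the "approve all" gesture), here is an added example in Python. It is not Quali-Sign's code and does not implement EBICS or the EDS module; the Coordinator and Order classes, the account identifiers and the user names are assumptions constructed for the illustration.

```python
from dataclasses import dataclass, field
from enum import Enum
from typing import Dict, List, Set


class Status(Enum):
    PENDING = "pending"      # on hold, awaiting SCA from one or more users
    APPROVED = "approved"    # required approvals captured; the bank may now process it
    CANCELLED = "cancelled"  # rejected by an entitled user


@dataclass
class Order:
    order_id: str
    account: str              # account the order is drawn on (used for entitlement checks)
    details: str              # what the user reviews in the app, e.g. "EUR 120 to ACME"
    required: int             # distinct approvers needed, e.g. 2 for a corporate payment
    approvals: Set[str] = field(default_factory=set)
    status: Status = Status.PENDING


class Coordinator:
    # Hypothetical coordinating server (constructed model, not the EBICS/EDS protocol).
    def __init__(self, entitlements: Dict[str, Set[str]]):
        self._entitlements = entitlements   # user -> accounts that user may approve for
        self._orders: Dict[str, Order] = {}

    def submit(self, order: Order) -> None:
        self._orders[order.order_id] = order  # no approver needs to be present at this point

    def status(self, order_id: str) -> Status:
        return self._orders[order_id].status  # what the Identity Consumer polls

    def pending_for(self, user: str) -> List[Order]:
        # The list shown in the eID app: only orders this user is entitled to and has not approved.
        return [o for o in self._orders.values() if o.status is Status.PENDING
                and o.account in self._entitlements.get(user, set()) and user not in o.approvals]

    def decide(self, user: str, order_id: str, approve: bool) -> Status:
        order = self._orders[order_id]
        if order.status is not Status.PENDING or order.account not in self._entitlements.get(user, set()):
            raise PermissionError(f"{user} may not act on {order_id}")
        if not approve:
            order.status = Status.CANCELLED
        else:
            order.approvals.add(user)       # a set, so one user cannot supply two approvals
            if len(order.approvals) >= order.required:
                order.status = Status.APPROVED
        return order.status

    def approve_all(self, user: str) -> List[Status]:
        # "Approve all with a single touch": one biometric gesture covers every pending order.
        return [self.decide(user, o.order_id, True) for o in self.pending_for(user)]
```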