
Step-Up Authentication

The revised Payment Service Directive, more commonly known as PSD2, outlines regulations to improve customer authentication processes that better protect customers from fraud.

PSD2 requires strong customer authentication (SCA), via a two-factor authentication solution, to be in place whenever end-users are:

  • Accessing sensitive information on their payment account, as well as
  • Initiating transactions to pay suppliers

Using the API, you can enrol your customers on an SCA solution in line with PSD2 and step-up their authentication to perform certain operations.

Step-up a token

An active end-user can step-up their token by completing a second authentication factor. The Payment Run plug-in supports the following second factors:

  • One-time password via SMS
  • Embedded biometrics (coming soon)

Step-up a token using an OTP via SMS

A 6-digit one-time password is sent by text message to the end-user's registered mobile number. You will need to capture the OTP from your customer and send it back to Weavr via the plug-in API to complete the step-up.

The following are the steps required to complete a step-up via an OTP sent by SMS:

  1. Issue a challenge
  2. Verify the challenge

Info: To complete the challenge, the logged-in end-user must have enrolled their mobile device for strong customer authentication.

1. Issue a challenge

You can trigger the step-up process by calling the step-up challenge API. The end-user will receive a text message (SMS) on the mobile number associated with their credentials.

Info: For admin users, this will be the mobile number provided when onboarding the Buyer, while for authorised users, this will be the mobile number provided when onboarding the end-user.

1.1 Retry a challenge

If for any reason your end-user did not receive the SMS, they can request one retry, where Weavr will send a new SMS OTP. The second SMS can be issued in the same session, without having to log out and restart the flow, but can only be requested 15 seconds or more after the first request.

If the step-up challenge API is triggered 15 seconds or more after the first attempt, the first attempt is invalidated and the end-user will need to respond to the new challenge. Triggering the step-up challenge API before 15 seconds have elapsed returns a 409 RETRY_IN_15SEC.

Warning: An end-user can only request one retry SMS OTP step-up challenge. Upon the second request, a 400 INVALID_REQUEST is returned and the end-user has to log out and log in again to issue a new step-up challenge.

If the end-user receives both the first SMS and the second one at the same time (e.g. a delay in telecom delivering the messages), only the more recent OTP will work.

2. Verify the challenge

You must build a page in your application where the end-user can enter the verification code they received in the text message; you then submit that code via the challenge verify API.

Caution: Once the customer successfully completes the second-factor authentication, their token is considered stepped-up. The authentication token expires after 5 minutes of inactivity.

If a wrong verification code is provided, the token remains valid; however, it is not considered stepped-up.

Danger: Two-factor authentication performed to verify a transaction does not count as SCA (a challenge) for the purpose of accessing payment account information.
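The rules described on this page (one retry, the 15-second window, the 409 RETRY_IN_15SEC and 400 INVALID_REQUEST responses, only the most recent OTP being accepted, a wrong code leaving the token valid but not stepped-up, the 5-minute inactivity expiry, and transaction 2FA not counting as SCA for account information) modelled as a small session state machine. This is an added illustration written for this page, not Weavr's code or API: the function names, the `Session` fields, the `purpose` values, the `attempt` helper, the SMS outbox stand-in, and the TOKEN_EXPIRED and MOBILE_NOT_ENROLLED error codes are assumptions; the numbers and the two documented error codes come from the page.

```python
"""Model of the SMS OTP step-up rules on this page (illustrative, not Weavr's code)."""
import secrets
from dataclasses import dataclass, field
from typing import Callable, List, Optional, Tuple

RETRY_COOLDOWN_SEC = 15   # second SMS allowed only 15 s or more after the first
MAX_CHALLENGES = 2        # the initial challenge plus one retry
IDLE_EXPIRY_SEC = 5 * 60  # token expires after 5 minutes of inactivity


class StepUpError(Exception):
    """Mirrors an HTTP error response: status code plus error code."""

    def __init__(self, status: int, code: str) -> None:
        super().__init__(f"{status} {code}")
        self.status = status
        self.code = code


@dataclass
class Session:
    mobile_enrolled: bool                   # device enrolled for SCA?
    last_activity_at: float                 # seconds; the caller supplies the clock
    challenges_issued: int = 0
    last_challenge_at: Optional[float] = None
    active_otp: Optional[str] = None        # only the most recent OTP is valid
    pending_purpose: Optional[str] = None   # "account_info" or "transaction" (assumed names)
    stepped_up_for: Optional[str] = None
    sms_outbox: List[str] = field(default_factory=list)  # stand-in for the SMS gateway


def token_is_valid(session: Session, now: float) -> bool:
    """The authentication token expires after 5 minutes of inactivity."""
    return now - session.last_activity_at <= IDLE_EXPIRY_SEC


def issue_challenge(session: Session, purpose: str, now: float) -> None:
    """Model of the step-up challenge API (hypothetical function name)."""
    if not token_is_valid(session, now):
        raise StepUpError(401, "TOKEN_EXPIRED")          # assumed code; the page gives none
    if not session.mobile_enrolled:
        raise StepUpError(400, "MOBILE_NOT_ENROLLED")    # assumed code; the page only states the requirement
    if session.challenges_issued >= MAX_CHALLENGES:
        # Second retry request: end-user has to log out and log in again
        raise StepUpError(400, "INVALID_REQUEST")
    if session.challenges_issued == 1 and now - session.last_challenge_at < RETRY_COOLDOWN_SEC:
        raise StepUpError(409, "RETRY_IN_15SEC")
    otp = f"{secrets.randbelow(10**6):06d}"   # 6-digit code from a CSPRNG
    session.active_otp = otp                  # invalidates any earlier OTP
    session.pending_purpose = purpose
    session.challenges_issued += 1
    session.last_challenge_at = now
    session.last_activity_at = now
    session.sms_outbox.append(otp)            # would be sent to the registered mobile number


def verify_challenge(session: Session, code: str, now: float) -> bool:
    """Model of the challenge verify API. Returns True once the token is stepped-up.

    A wrong code leaves the token valid but not stepped-up."""
    if not token_is_valid(session, now):
        raise StepUpError(401, "TOKEN_EXPIRED")          # assumed code; the page gives none
    session.last_activity_at = now
    if session.active_otp is None or not secrets.compare_digest(code, session.active_otp):
        return False
    session.stepped_up_for = session.pending_purpose
    session.active_otp = None                 # an OTP is single use
    session.pending_purpose = None
    return True


def may_access_account_info(session: Session, now: float) -> bool:
    """2FA done to verify a transaction does not count as SCA for account information."""
    return token_is_valid(session, now) and session.stepped_up_for == "account_info"


def attempt(fn: Callable, *args, **kwargs) -> Optional[Tuple[int, str]]:
    """Run an API call; return None on success or (status, code) on a StepUpError."""
    try:
        fn(*args, **kwargs)
        return None
    except StepUpError as err:
        return (err.status, err.code)


if __name__ == "__main__":
    s = Session(mobile_enrolled=True, last_activity_at=0.0)
    issue_challenge(s, "account_info", now=0.0)
    print("retry at 10 s:", attempt(issue_challenge, s, "account_info", now=10.0))
    issue_challenge(s, "account_info", now=15.0)
    print("second retry:", attempt(issue_challenge, s, "account_info", now=40.0))
    print("stepped up:", verify_challenge(s, s.sms_outbox[-1], now=41.0))
```

The clock is passed in explicitly so the cooldown and expiry rules can be exercised deterministically; in a real deployment the server's clock and the SMS gateway replace the `now` argument and the `sms_outbox` list.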