
Step-Up Authentication

The revised Payment Service Directive, more commonly known as PSD2, outlines regulations to improve customer authentication processes that better protect customers from fraud.

PSD2 requires strong customer authentication (SCA), a two-factor authentication solution that combines at least two of something you know (a password), something you have (a device) and something you are (biometrics), whenever end-users are:

  • Accessing their payment account sensitive information, as well as
  • Initiating transactions to pay suppliers.

Using the API you can enrol your customers on an SCA solution in line with PSD2 and step-up their authentication to perform certain operations.

Step-up a token

An active end-user can step-up their token by completing a second authentication factor. The Payment Run plug-in supports the following second factors:

Step-up a token using an OTP via SMS

A 6-digit one-time password (OTP) is sent by text message to the end-user's registered mobile number. You need to capture the OTP from your customer and send it back to Weavr via the plug-in API to complete the step-up.

The following are the steps required to complete a step-up via an OTP sent via an SMS:

  1. Issue a challenge
  2. Verify the challenge
info

To complete the challenge, the logged-in end-user must have enrolled their mobile device for strong customer authentication.

1. Issue a challenge

You can trigger the step-up process by calling the step-up challenge API. The end-user receives a text message (SMS) on the mobile number associated with their credentials.

info

For admin users, this is the mobile number provided when onboarding the Buyer, while for authorised users, this is the mobile number provided when onboarding the end-user.

1.1 Retry a challenge

If for any reason your end-user did not receive the SMS, they can request one retry, in which case a new SMS OTP is sent. The second SMS can be issued in the same session, without having to log out and restart the flow, but can only be requested 15 seconds or more after the first request.

Triggering the step-up challenge API 15 seconds or more after the first attempt invalidates the first attempt, and the end-user needs to respond to the new challenge. Triggering it before 15 seconds have elapsed returns a 409 RETRY_IN_15SEC.

warning

An end-user can request only one retry SMS OTP step-up challenge. On a second retry request, a 400 INVALID_REQUEST is returned and the end-user has to log out and log in again to issue a new step-up challenge.

If the end-user receives both the first SMS and the second one at the same time (e.g. a delay in telecom delivering the messages), only the more recent OTP will work.

POST /stepup/challenges/otp/{channel}

2. Verify the challenge

You must build a page in your application where the end-user can enter the verification code they received in the text message, then submit it via the challenge verify API.

POST /stepup/challenges/otp/{channel}/verify
caution

Once the customer successfully completes the second-factor authentication, their token is considered stepped-up. The authentication token expires after 5 minutes of inactivity.

If a wrong verification code is provided, the token remains valid, but it is not considered stepped-up.
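The two steps above, together with the retry rules from 1.1, amount to a small state machine that your backend has to drive correctly. The following is an added example, not Weavr's code: a thin client for the two documented endpoints run against an in-memory stand-in server that enforces the documented behaviour (one retry, only 15 seconds or more after the first SMS, the newer OTP invalidating the older one, 409 RETRY_IN_15SEC and 400 INVALID_REQUEST, and a wrong code leaving the token valid but not stepped-up). The literal channel value "SMS", the request bodies, the OTP values and the status the stand-in returns for a wrong code are assumptions; the page does not state them.

```python
"""Added example (not Weavr's code): the SMS OTP step-up flow driven against
an in-memory stand-in that enforces the rules documented on this page.
Assumed, not taken from the page: the channel value "SMS", an empty body on
the challenge call, a {"verificationCode": ...} body on verify, and the 4xx
status the stand-in returns when the code is wrong."""
from dataclasses import dataclass
from typing import Callable, Iterable, Optional

CHALLENGE_PATH = "/stepup/challenges/otp/{channel}"        # documented endpoint
VERIFY_PATH = "/stepup/challenges/otp/{channel}/verify"    # documented endpoint
RETRY_WINDOW_SECONDS = 15                                  # documented
MAX_ISSUES_PER_SESSION = 2                                 # first SMS plus one retry


@dataclass
class Response:
    status: int
    error: Optional[str] = None


class FakeStepUpServer:
    """Constructed stand-in for the plug-in API. Not the real server."""

    def __init__(self, clock: Callable[[], float], otps: Iterable[str], channel: str = "SMS"):
        self.clock, self.otps, self.channel = clock, iter(otps), channel
        self.issue_count = 0
        self.first_issued_at: Optional[float] = None
        self.current_otp: Optional[str] = None
        self.stepped_up = False
        self.token_valid = True   # a wrong code never invalidates the token

    def post(self, path: str, body: dict) -> Response:
        if path == CHALLENGE_PATH.format(channel=self.channel):
            return self._issue()
        if path == VERIFY_PATH.format(channel=self.channel):
            return self._verify(body.get("verificationCode", ""))
        return Response(404, "NOT_FOUND")

    def _issue(self) -> Response:
        now = self.clock()
        if self.issue_count >= MAX_ISSUES_PER_SESSION:
            return Response(400, "INVALID_REQUEST")      # documented: log out and in again
        if self.issue_count == 1 and now - self.first_issued_at < RETRY_WINDOW_SECONDS:
            return Response(409, "RETRY_IN_15SEC")       # documented
        if self.issue_count == 0:
            self.first_issued_at = now
        self.issue_count += 1
        self.current_otp = next(self.otps)  # a retry invalidates the earlier OTP
        return Response(200)

    def _verify(self, code: str) -> Response:
        if self.current_otp is not None and code == self.current_otp:
            self.stepped_up = True
            return Response(200)
        # Wrong code: token stays valid, just not stepped-up. The 400 and the
        # error string are the stand-in's choice; the page gives no real status.
        return Response(400, "VERIFICATION_FAILED")


class StepUpClient:
    """What the integrator's backend does: issue, optionally retry, then verify."""

    def __init__(self, transport: Callable[[str, dict], Response],
                 clock: Callable[[], float], channel: str = "SMS"):
        self.transport, self.clock, self.channel = transport, clock, channel
        self.first_issued_at: Optional[float] = None

    def issue_challenge(self) -> Response:
        resp = self.transport(CHALLENGE_PATH.format(channel=self.channel), {})
        if resp.status == 200 and self.first_issued_at is None:
            self.first_issued_at = self.clock()
        return resp

    def seconds_until_retry(self) -> float:
        """Drive a UI countdown instead of provoking a 409 on the server."""
        if self.first_issued_at is None:
            return 0.0
        return max(0.0, RETRY_WINDOW_SECONDS - (self.clock() - self.first_issued_at))

    def verify(self, code: str) -> Response:
        return self.transport(VERIFY_PATH.format(channel=self.channel),
                              {"verificationCode": code})


class FakeClock:
    def __init__(self) -> None:
        self.now = 1_000.0

    def __call__(self) -> float:
        return self.now

    def advance(self, seconds: float) -> None:
        self.now += seconds


def run_scenario() -> dict:
    """Walk the documented flow including the retry and wrong-code edge cases."""
    clock = FakeClock()
    server = FakeStepUpServer(clock, otps=["493817", "120955"])  # constructed OTPs
    client = StepUpClient(server.post, clock)
    out = {}
    out["first_issue"] = client.issue_challenge().status        # 200, first SMS sent
    clock.advance(5)
    out["early_retry"] = client.issue_challenge().error         # RETRY_IN_15SEC
    out["wait"] = client.seconds_until_retry()                  # 10.0
    clock.advance(10)
    out["retry"] = client.issue_challenge().status              # 200, second SMS sent
    out["stale_otp_rejected"] = client.verify("493817").status != 200
    out["token_still_valid"] = server.token_valid and not server.stepped_up
    out["third_issue"] = client.issue_challenge().error         # INVALID_REQUEST
    out["fresh_otp_accepted"] = client.verify("120955").status  # 200
    out["stepped_up"] = server.stepped_up
    return out


if __name__ == "__main__":
    for key, value in run_scenario().items():
        print(f"{key}: {value}")
```

The client deliberately keeps no copy of the OTP and never decides locally whether a code is right; it only tracks when the first SMS went out so the UI can show a retry countdown rather than hitting the 15-second 409. Treat the stepped-up state as something you read back from the server's response to the verify call, not as a flag you set yourself.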

danger

Two-factor authentication completed to verify a transaction does not count as an SCA challenge for the purpose of accessing payment account information.