Responding to SCA challenges (Android SDK)
Once a device is enrolled and the user is logged in, your app responds to SCA (Strong Customer Authentication) challenges. A challenge is Weavr asking the user to approve a sensitive action with a second factor. On mobile, the user approves with their biometrics, and the SDK handles the cryptography and UI for you.
For the concept behind this - what Strong Customer Authentication is, when challenges are raised, and how they are delivered and answered - see SCA challenges. This page covers the SDK side: receiving a challenge and clearing it.
What the SDK does for you
The SDK automatically handles the challenge end to end:
- Reception - challenges arrive as push notifications. Your app forwards the notification payload to the SDK, which starts the challenge flow.
- Verification - the SDK presents the user with the challenge and captures their biometrics. After 3 failed biometric attempts, it falls back to the password or passcode automatically.
- UI - the SDK renders the approval screen, branded to match your program.
Challenge types
The SDK tells you which kind of action a challenge refers to, so your app can react appropriately. The challenge type is one of:
| Type | Action being approved |
|---|---|
| PAYMENT_INITIATION | Confirming an outgoing wire transfer or Send. |
| ACCOUNT_INFORMATION | Stepping up a session to view account information. |
| THREEDS_INITIATION | Confirming an online card purchase via 3DS. |
| BENEFICIARY_MANAGEMENT | Confirming the creation of a trusted payee. |
What triggers a challenge
A challenge is triggered from one of two places:
- Inside your app - the user confirms a transfer or Send, or adds a trusted payee. Your backend raises the challenge with the Confirmation Challenges endpoint (for transactions) or the Trusted payees endpoint (for payees).
- Outside your app - the user makes a card purchase at an online checkout that requires 3DS. Weavr raises the challenge and pushes it to the device; the user taps the notification to return to your app and approve.
The two flows that follow show each origin in detail.
Register the broadcast receiver
The WeavrFCMService you set up in Concepts and setup broadcasts incoming challenges. Register a broadcast receiver that forwards them to the SDK with handleIntent:
```kotlin
private val foregroundMsgReceiver = object : BroadcastReceiver() {
    override fun onReceive(context: Context?, intent: Intent?) {
        // handleIntent needs an Activity; ignore the broadcast if this receiver
        // was registered from another kind of Context (or context is null).
        val activity = context as? Activity ?: return
        if (intent != null) {
            UXComponents.psa.handleIntent(
                intent,
                activity = activity,
                PreferenceRepo(activity).getAppPNS().toString(),
                weavrPsaSessionListener = object : WeavrPsaSessionListener {
                    override fun onFailed(error: ErrorResponse) {
                        // Handle challenge failure
                    }

                    override fun onSuccess(message: String, challengeType: PSAChallengeType, challengeId: String) {
                        // Handle successful challenge
                    }
                }
            )
        }
    }
}

// Register the receiver
val filter = IntentFilter()
filter.addAction(WeavrFCMService.WEAVR_INTENT_ACTION)
registerReceiver(foregroundMsgReceiver, filter)
```
The onSuccess callback returns a PSAChallengeType so you can identify the challenge type and react accordingly.
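A hardened variant of the registration above, added here as an example (not Weavr's code): it registers the receiver as not exported so other apps cannot deliver intents to it, checks the intent action, and unregisters in onStop. It assumes WeavrFCMService sends the broadcast from inside your own app and that androidx.core 1.9.0 or later is on the classpath; ChallengeActivity and TAG are hypothetical names.

```kotlin
// Added example, not Weavr's code. Weavr SDK and PreferenceRepo imports are
// omitted because the page does not show their packages.
import android.app.Activity
import android.content.BroadcastReceiver
import android.content.Context
import android.content.Intent
import android.content.IntentFilter
import android.util.Log
import androidx.core.content.ContextCompat

class ChallengeActivity : Activity() { // hypothetical host activity

    private val challengeReceiver = object : BroadcastReceiver() {
        override fun onReceive(context: Context?, intent: Intent?) {
            // Only act on the SDK's challenge broadcast.
            if (intent == null || intent.action != WeavrFCMService.WEAVR_INTENT_ACTION) return
            UXComponents.psa.handleIntent(
                intent,
                activity = this@ChallengeActivity, // no cast of a nullable Context
                PreferenceRepo(this@ChallengeActivity).getAppPNS().toString(),
                weavrPsaSessionListener = object : WeavrPsaSessionListener {
                    override fun onFailed(error: ErrorResponse) {
                        Log.w(TAG, "SCA challenge was not cleared")
                    }
                    override fun onSuccess(message: String, challengeType: PSAChallengeType, challengeId: String) {
                        // Log the id and type only; keep payment details out of logs.
                        Log.i(TAG, "SCA challenge $challengeId cleared ($challengeType)")
                    }
                }
            )
        }
    }

    override fun onStart() {
        super.onStart()
        // RECEIVER_NOT_EXPORTED: other apps cannot deliver intents to this receiver.
        ContextCompat.registerReceiver(
            this, challengeReceiver,
            IntentFilter(WeavrFCMService.WEAVR_INTENT_ACTION),
            ContextCompat.RECEIVER_NOT_EXPORTED
        )
    }

    override fun onStop() {
        unregisterReceiver(challengeReceiver) // stop receiving once not visible
        super.onStop()
    }
    private companion object { const val TAG = "ScaChallenge" }
}
```

Apps that target Android 14 (API 34) must pass an export flag when registering a receiver for non-system broadcasts, so the explicit flag is required there rather than optional.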
Flow: app-triggered challenge
When the user confirms a transfer or Send, or adds a trusted payee, the challenge is triggered from within your app:
Flow: externally-triggered 3DS challenge
For an online card purchase that requires 3DS, the challenge is triggered by an action outside your app - a purchase by the user at an online checkout:
After 3 failed biometric attempts, the SDK falls back to the password or passcode automatically. See Automatic fallback.