Step-Up Authentication
The revised Payment Service Directive, more commonly known as PSD2, outlines regulations to improve customer authentication processes that better protect customers from fraud.
PSD2 requires strong customer authentication (SCA), a two-factor authentication solution using at least two of something you know (password), something you have (device) or something you are (biometrics), to be in place when end-users are:
- Accessing their payment account information, as well as
- Initiating transactions
Using the Multi APIs you can enrol your customers in the different SCA options in line with PSD2 and step up their authentication to perform certain operations.
How to step-up a token
An active user can step up their token by completing a second authentication factor. Multi supports the following second factors:
Step-up a token using an OTP via SMS
A 6-digit one-time password is sent via text message to the end-user's registered mobile number. The one-time password needs to be submitted via the Multi APIs to complete the step-up.
The following are the steps required to complete a step-up via an OTP sent via an SMS:
In order to complete the challenge, the logged-in user must have enrolled their mobile device for strong customer authentication.
1. Initiate a challenge
You can trigger the step-up process by calling the step-up challenge API. The user receives a text message (SMS) on the mobile number associated with their credentials. For root users, this is the mobile number provided when onboarding the corporate or consumer identity, while for authorised users, this is the mobile number provided when onboarding the user.
The endpoint allows the end-user to re-send a new OTP one more time if the first step-up challenge attempt was unsuccessful. To be able to issue another step-up challenge, you need to wait a minimum of 15 seconds from the first attempt.
- Triggering the step-up challenge API after 15 seconds from the first attempt invalidates the first challenge, and the user needs to respond to the new challenge.
- Triggering the step-up challenge API within 15 seconds returns a 409 RETRY_IN_15SEC.
- The step-up challenge can be retried once, after which a 400 INVALID_REQUEST is returned. The user has to log out and log in again to issue a new step-up challenge.
If the end-user receives both the first SMS and the second one at the same time (e.g. because of a delay in the telecom network delivering the messages), only the more recent OTP works.
2. Verify the challenge
You must build a page in your application where the user can enter the verification code they received in the text message, then submit it via the challenge verify API.
The challenge expires after 5 minutes, and the number of incorrect OTP attempts is limited to reduce the risk of fraud; the challenge remains in a Pending state until either the last incorrect attempt has been consumed or the 5 minutes have elapsed. A successful verification also steps up the user's current session, allowing access to the endpoints that require a stepped-up token.
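The rules in the two steps above (a 15-second retry window, a single retry per login, a 5-minute expiry, only the most recent OTP being valid, and a bounded number of wrong attempts) fit into a small state machine. The following is an added example, not Weavr's code or SDK: it simulates those rules on the server side so an integrator can see which response to expect in each situation. The HTTP statuses and the RETRY_IN_15SEC and INVALID_REQUEST codes come from this page; the value of MAX_WRONG_ATTEMPTS and the PLACEHOLDER_* codes are assumptions, since the page does not name them.

```python
"""Simulation of the OTP step-up challenge rules described on this page.

Added example, not Weavr's code or SDK. Statuses and the RETRY_IN_15SEC /
INVALID_REQUEST codes are from the page; MAX_WRONG_ATTEMPTS and the
PLACEHOLDER_* codes are assumptions.
"""
import secrets
from dataclasses import dataclass
from typing import Callable, Optional

RETRY_WINDOW_SECONDS = 15
CHALLENGE_TTL_SECONDS = 5 * 60
MAX_CHALLENGES_PER_LOGIN = 2   # page: the initial challenge plus one retry
MAX_WRONG_ATTEMPTS = 3         # assumption: the page only says attempts are limited

RETRY_IN_15SEC = "RETRY_IN_15SEC"          # named on the page (409)
INVALID_REQUEST = "INVALID_REQUEST"        # named on the page (400)
CHALLENGE_EXPIRED = "PLACEHOLDER_CHALLENGE_EXPIRED"      # placeholder, not a documented code
VERIFICATION_FAILED = "PLACEHOLDER_VERIFICATION_FAILED"  # placeholder, not a documented code


def random_otp() -> str:
    """6-digit OTP drawn from the OS CSPRNG, zero-padded."""
    return f"{secrets.randbelow(10**6):06d}"


@dataclass
class StepUpSession:
    """State attached to one login; logging out and back in starts a fresh one."""
    stepped_up: bool = False
    otp: Optional[str] = None          # OTP currently valid; None when nothing is pending
    issued_at: Optional[float] = None  # seconds on a monotonic clock
    challenges_issued: int = 0
    wrong_attempts: int = 0

    def state(self, now: float) -> str:
        if self.stepped_up:
            return "STEPPED_UP"
        if self.otp is None:
            return "NONE"
        if now - self.issued_at > CHALLENGE_TTL_SECONDS:
            return "EXPIRED"
        return "PENDING"


def initiate_challenge(session: StepUpSession, now: float,
                       otp_gen: Callable[[], str] = random_otp):
    """Model of the step-up challenge API. Returns (http_status, body).

    On success the body also carries the SMS text the gateway would send to the
    phone. A real API never returns the OTP to the caller; it is included here
    only so the simulation can be driven end to end.
    """
    if session.challenges_issued >= MAX_CHALLENGES_PER_LOGIN:
        return 400, {"errorCode": INVALID_REQUEST}   # user must log out and log in again
    if session.issued_at is not None and now - session.issued_at < RETRY_WINDOW_SECONDS:
        return 409, {"errorCode": RETRY_IN_15SEC}
    session.otp = otp_gen()        # a new OTP supersedes the previous one
    session.issued_at = now
    session.wrong_attempts = 0
    session.challenges_issued += 1
    return 204, {"sms": f"Your verification code is {session.otp}"}


def verify_challenge(session: StepUpSession, code: str, now: float):
    """Model of the challenge verify API: checks the code the user typed."""
    if session.otp is None or now - session.issued_at > CHALLENGE_TTL_SECONDS:
        session.otp = None
        return 400, {"errorCode": CHALLENGE_EXPIRED}
    # constant-time comparison so response timing leaks nothing about the OTP
    if not secrets.compare_digest(session.otp.encode(), str(code).encode()):
        session.wrong_attempts += 1
        remaining = MAX_WRONG_ATTEMPTS - session.wrong_attempts
        if remaining <= 0:
            session.otp = None     # last attempt consumed: challenge no longer pending
        return 400, {"errorCode": VERIFICATION_FAILED, "attemptsRemaining": max(remaining, 0)}
    session.stepped_up = True      # the active session is now stepped up
    session.otp = None
    return 204, {}


if __name__ == "__main__":
    import time
    session = StepUpSession()
    print(initiate_challenge(session, time.monotonic()))
    print(initiate_challenge(session, time.monotonic()))   # too soon: 409 RETRY_IN_15SEC
```

Two details carry over to a real integration: the OTP is compared in constant time, and a wrong attempt never extends the 5-minute window, so the client should track both the remaining attempts and the expiry rather than re-prompting indefinitely.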
Step-up a token using Biometrics
The Access Token returned after a successful login via biometrics is already stepped-up and gives you access to the endpoints below.
Once a device has been enrolled for biometrics, it cannot be enrolled again, unless you un-enrol it first.
Actions requiring a stepped-up token
There are three levels of SCA for Payment Account Information, enforced depending on the endpoint being used.
Access to account details
The /managed_accounts and /managed_accounts/{id} endpoints only require the end-user to have enrolled and completed a two-factor authentication once.
Access to transaction details
Statement or transaction endpoints require the user to have completed a successful step-up in the last 180 days. If the active token is not stepped up, then only transactions executed in the last 180 days are returned. If transactions older than 180 days are required, the active token must be stepped-up.
Access to sensitive information
All card related operations require a stepped-up token. This includes viewing sensitive card information and updating the password or passcode of the end-user.
See the full list of endpoints and UI components requiring a stepped-up token for each call below.
You can control at which point the end-user completes the two-factor authentication, so long as a stepped-up token is provided when calling the endpoints below.
Two-factor authentication done for the purpose of verifying a transaction does not count towards SCA for the purpose of payment account information.
List of endpoints requiring a stepped-up token
| Endpoint | Description |
|---|---|
| Create Authorised User | |
| POST multi/users | Requires a stepped-up token |
| Statement | |
| GET managed_accounts/{id}/statement | Requires the user to have completed a successful step-up in the last 180 days |
| GET managed_cards/{id}/statement | Requires the user to have completed a successful step-up in the last 180 days |
| Managed Accounts | |
| GET, POST /managed_account | First time access requires a stepped-up token |
| GET, PATCH /managed_accounts/{id} | First time access requires a stepped-up token |
| Managed Cards | |
| GET, POST /managed_cards | Requires a stepped-up token |
| GET, POST /managed_cards/{id} | Requires a stepped-up token |
| POST /managed_cards/assign | Requires a stepped-up token |
| PATCH /managed_cards/{id} | Requires a stepped-up token |
| POST /managed_cards/{id}/physical | Requires a stepped-up token |
| POST /managed_cards/{id}/physical/activate | Requires a stepped-up token |
| GET /managed_cards/{id}/physical/pin | Requires a stepped-up token |
| POST /managed_cards/{id}/physical/replace_lost_stolen | Requires a stepped-up token |
| POST /managed_cards/{id}/physical/replace_damaged | Requires a stepped-up token |
| Transactions | |
| GET /sends | Requires the user to have completed a successful step-up in the last 180 days |
| GET /transfers | Requires the user to have completed a successful step-up in the last 180 days |
| GET /outgoing_wire_transfers | Requires the user to have completed a successful step-up in the last 180 days |
| GET /outgoing_wire_transfers/{id} | Requires the user to have completed a successful step-up in the last 180 days |
| GET /transfers/{id} | Requires the user to have completed a successful step-up in the last 180 days |
| GET /send/{id} | Requires the user to have completed a successful step-up in the last 180 days |
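
The three SCA levels described in this section (enrolled and stepped up once, a successful step-up within the last 180 days, and a stepped-up active token) can be checked on the client side before a call is made, so the user is prompted for step-up only when the endpoint actually needs it. The following is an added example, not Weavr's code or SDK: it maps the paths in the table above to the level each one requires and decides whether a given token is sufficient, and it shows why a statement request comes back limited to 180 days of history when the active token is not stepped up. The paths are the page's, normalised to a leading slash; TokenContext, the level names and the sample statement are constructed for the example.

```python
"""Policy check mirroring the three SCA levels for Payment Account Information.

Added example, not Weavr's code or SDK. Endpoint paths are the page's; the
TokenContext model, level names and sample data are constructed.
"""
import re
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import List, Optional, Tuple

HISTORY_WINDOW = timedelta(days=180)


@dataclass
class TokenContext:
    sca_enrolled: bool                  # user has enrolled a second factor
    stepped_up: bool                    # the active token itself is stepped up
    last_step_up: Optional[datetime]    # most recent successful step-up, in any session


# (method or None for any method, path regex, required level); most specific first
ENDPOINT_LEVELS = [
    ("POST", r"^/multi/users$", "STEPPED_UP"),
    ("GET", r"^/managed_(accounts|cards)/[^/]+/statement$", "STEP_UP_WITHIN_180_DAYS"),
    ("GET", r"^/(sends|send/[^/]+|transfers(/[^/]+)?|outgoing_wire_transfers(/[^/]+)?)$",
     "STEP_UP_WITHIN_180_DAYS"),
    (None, r"^/managed_accounts?(/[^/]+)?$", "ENROLLED_ONCE"),   # tolerates the table's singular form
    (None, r"^/managed_cards(/.*)?$", "STEPPED_UP"),             # all card operations
]


def required_level(method: str, path: str) -> str:
    for m, pattern, level in ENDPOINT_LEVELS:
        if (m is None or m == method) and re.match(pattern, path):
            return level
    return "NONE"


def authorize(token: TokenContext, method: str, path: str,
              now: datetime) -> Tuple[bool, str, Optional[datetime]]:
    """Return (allowed, reason, history_from).

    history_from is the earliest transaction date the caller should expect in a
    statement or transaction listing, or None when full history is available.
    """
    level = required_level(method, path)
    if level == "NONE":
        return True, "no SCA requirement", None
    if not token.sca_enrolled:
        return False, "the user must enrol a second factor first", None
    if level == "STEPPED_UP":
        if token.stepped_up:
            return True, "ok", None
        return False, "a stepped-up token is required", None
    if level == "ENROLLED_ONCE":
        if token.stepped_up or token.last_step_up is not None:
            return True, "ok", None
        return False, "first access requires a stepped-up token", None
    # STEP_UP_WITHIN_180_DAYS
    if token.stepped_up:
        return True, "ok", None                     # full history available
    recent = token.last_step_up is not None and now - token.last_step_up <= HISTORY_WINDOW
    if not recent:
        return False, "a successful step-up within the last 180 days is required", None
    return True, "ok, history limited because the active token is not stepped up", now - HISTORY_WINDOW


def visible_history(entries: List[Tuple[datetime, float]],
                    history_from: Optional[datetime]) -> List[Tuple[datetime, float]]:
    """Apply the 180-day limit to (booked_at, amount) entries the caller holds."""
    if history_from is None:
        return list(entries)
    return [e for e in entries if e[0] >= history_from]


# Constructed sample statement (booked_at, amount), relative to a fixed clock
SAMPLE_NOW = datetime(2024, 6, 1, tzinfo=timezone.utc)
SAMPLE_STATEMENT = [
    (SAMPLE_NOW - timedelta(days=10), -5.00),
    (SAMPLE_NOW - timedelta(days=179), 20.00),
    (SAMPLE_NOW - timedelta(days=400), 100.00),
]

if __name__ == "__main__":
    token = TokenContext(sca_enrolled=True, stepped_up=False,
                         last_step_up=SAMPLE_NOW - timedelta(days=100))
    allowed, reason, since = authorize(token, "GET", "/managed_accounts/acc-1/statement", SAMPLE_NOW)
    print(allowed, reason, len(visible_history(SAMPLE_STATEMENT, since)), "entries visible")
```

The check is advisory: the platform enforces the requirement server-side, and the client-side decision only avoids a failed call and lets the application prompt for step-up at the point it chooses.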
List of UI components requiring a stepped-up token
| UI Component | Description |
|---|---|
| Password UI Component | Required when changing the password. Setting your password the first time does not require a stepped-up token. |
| Passcode UI Component | Required when changing the passcode. Setting your passcode the first time does not require a stepped-up token. |

| Card UI Components | Description |
|---|---|
| Card Number Component | Requires a stepped-up token |
| Capture Card No PIN Component | Requires a stepped-up token |
| Show Card PIN UI Component | Requires a stepped-up token |
| CVV UI Component | Requires a stepped-up token |