
Step-Up Authentication

The revised Payment Service Directive, more commonly known as PSD2, sets out requirements for customer authentication that are intended to better protect customers from fraud.

PSD2 requires that strong customer authentication (SCA), implemented as two-factor authentication, is in place when end-users are:

Using the Multi APIs you can enrol your customers in the supported SCA options in line with PSD2 and step up their authentication before they perform certain operations.

How to step-up a token

An active user can step up their token by completing a second authentication factor. Multi supports the following second factors:

Step-up a token using an OTP via SMS

A 6-digit one-time password is sent by text message to the end-user's registered mobile number. The one-time password must then be submitted via the Multi APIs to complete the step-up.

Completing a step-up via an OTP sent by SMS takes two steps:

  1. Initiate a challenge
  2. Verify the challenge
info

In order to complete the challenge, the logged-in user must already have enrolled their mobile device for strong customer authentication.

1. Initiate a challenge

Trigger the step-up process by calling the step-up challenge API. The user receives a text message (SMS) on the mobile number associated with their credentials. For root users this is the mobile number provided when onboarding the corporate or consumer identity; for authorised users it is the mobile number provided when onboarding the user.

If the first challenge attempt is unsuccessful (for example, the SMS never arrives), the end-user may request one re-send, subject to the following rules:

  • A second challenge can only be issued at least 15 seconds after the first. Calling the step-up challenge API within 15 seconds of the first attempt returns 409 RETRY_IN_15SEC.
  • Calling the step-up challenge API after 15 seconds issues a new OTP and invalidates the first challenge; the user must respond with the new OTP.
  • The challenge can be re-sent only once. Any further call returns 400 INVALID_REQUEST, and the user must log out and log in again to start a new step-up challenge.

If the end-user receives both the first and the second SMS at the same time (for example, because of a delay in telecom delivery), only the more recent OTP is accepted.

2. Verify the challenge

Build a page in your application where the user enters the verification code received in the text message, and submit that code via the challenge verify API.

info

The challenge expires after 5 minutes, and the number of incorrect OTP attempts is limited to reduce the risk of fraud: the challenge remains in the Pending state until either the 5 minutes elapse or the last permitted incorrect attempt has been consumed. A successful verification also steps up the user's current session, allowing access to the endpoints that require a stepped-up token.
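The two-step SMS flow above, together with its re-send, expiry and wrong-code rules, as an added example that is not part of the original page or the Multi APIs' own code. It models both sides: a toy server that applies the documented rules to a session, and a client loop that drives the user's verification page. The page does not show the HTTP paths of the step-up challenge and challenge verify APIs, so the server is written as two Python methods (challenge, verify) rather than HTTP calls; the 401 UNAUTHORIZED and 400 INVALID_REQUEST responses for an invalid token or no pending challenge, the CHALLENGE_EXPIRED error code and the limit of three wrong attempts are assumptions, since the page gives only 409 RETRY_IN_15SEC and 400 INVALID_REQUEST and says the attempt count is "limited". Times are passed in explicitly so the 15-second and 5-minute rules can be exercised without sleeping.

```python
"""Toy model of the SMS OTP step-up flow: constructed for this page, not the
Multi APIs' own implementation."""
import secrets
from dataclasses import dataclass, field
from typing import Callable, List, Optional

CHALLENGE_TTL_SEC = 5 * 60   # documented: a challenge expires after 5 minutes
RESEND_WAIT_SEC = 15         # documented: a re-send is only allowed after 15 seconds
MAX_CHALLENGES = 2           # documented: the first challenge plus one re-send
MAX_WRONG_ATTEMPTS = 3       # documented only as "limited"; the value 3 is an assumption


class ApiError(Exception):
    """Stands in for an HTTP error response: status code plus error identifier."""

    def __init__(self, status: int, code: str):
        super().__init__(f"{status} {code}")
        self.status, self.code = status, code


@dataclass
class Session:
    """Server-side view of one logged-in user's token and pending challenge."""
    token_valid: bool = True
    stepped_up: bool = False
    challenges_issued: int = 0
    first_challenge_at: Optional[float] = None
    otp: Optional[str] = None                 # only the most recent OTP is accepted
    otp_issued_at: Optional[float] = None
    wrong_attempts: int = 0
    sms_outbox: List[str] = field(default_factory=list)  # stands in for the SMS channel


class StepUpServer:
    """Applies the documented challenge and verify rules to a Session."""

    def challenge(self, s: Session, now: float) -> None:
        """Step 1: issue (or re-issue once) a 6-digit OTP to the user's mobile number."""
        if not s.token_valid:
            raise ApiError(401, "UNAUTHORIZED")            # assumed code
        if s.challenges_issued >= MAX_CHALLENGES:
            # Both challenges used: the user must log out and log in again.
            raise ApiError(400, "INVALID_REQUEST")
        if s.challenges_issued == 1 and now - s.first_challenge_at < RESEND_WAIT_SEC:
            raise ApiError(409, "RETRY_IN_15SEC")
        if s.challenges_issued == 0:
            s.first_challenge_at = now
        # A new OTP invalidates the previous one, so a late-delivered first SMS
        # can no longer be used even if both messages arrive together.
        s.otp = f"{secrets.randbelow(10 ** 6):06d}"
        s.otp_issued_at = now
        s.wrong_attempts = 0
        s.challenges_issued += 1
        s.sms_outbox.append(s.otp)

    def verify(self, s: Session, code: str, now: float) -> bool:
        """Step 2: True on success, False on a wrong code while attempts remain;
        raises when no challenge is pending, it has expired, or attempts are used up."""
        if s.otp is None:
            raise ApiError(400, "INVALID_REQUEST")         # nothing pending (assumed code)
        if now - s.otp_issued_at > CHALLENGE_TTL_SEC:
            s.otp = None
            raise ApiError(409, "CHALLENGE_EXPIRED")       # assumed code
        if secrets.compare_digest(code.encode(), s.otp.encode()):
            s.stepped_up = True                            # the session is now stepped up
            s.otp = None
            return True
        # Wrong code: the token stays valid but is not considered stepped up.
        s.wrong_attempts += 1
        if s.wrong_attempts >= MAX_WRONG_ATTEMPTS:
            s.otp = None                                   # challenge consumed
        return False


def client_step_up(srv: StepUpServer, s: Session,
                   next_input: Callable[[], Optional[str]],
                   now: Callable[[], float],
                   sleep: Callable[[float], None]) -> bool:
    """Client side: initiate, read codes from the user's verification page and
    verify them. A None input means the user asked for the OTP to be re-sent."""
    srv.challenge(s, now())
    while True:
        code = next_input()
        if code is None:
            try:
                srv.challenge(s, now())
            except ApiError as e:
                if e.code != "RETRY_IN_15SEC":
                    return False           # re-send already used: user must log in again
                sleep(RESEND_WAIT_SEC)     # back off, then re-send once
                srv.challenge(s, now())
            continue
        try:
            if srv.verify(s, code, now()):
                return True
        except ApiError:
            return False                   # expired or attempts exhausted
```

The client never inspects server state: it learns that the re-send budget is gone only from the 400 INVALID_REQUEST, and that a wrong code was tolerated only from verify returning False, which is the information a real integration would have from the HTTP responses.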

Step-up a token using Twilio Authy

To step up a token using Twilio Authy, send a push notification to the user's mobile phone by calling the step-up challenge via Authy API.

The user must approve the push notification on their mobile phone. You receive a webhook notification once the user approves or rejects it.

info

To use AUTHY as an authentication factor, consumer users, corporate users and authorised users must first be enrolled for Authy.

More authentication channels will be added in the future.

caution

Once the customer successfully completes the second-factor authentication, the token is considered stepped-up. Authentication tokens expire after 5 minutes of inactivity.

If a wrong verification code is provided, the token remains valid but is not considered stepped-up.

Step-up a token using Biometrics

The Access Token returned after a successful login via biometrics is already stepped-up and gives access to the endpoints listed below.

caution

Once a device has been enrolled for biometrics, it cannot be enrolled again unless you un-enrol it first.

Actions requiring a stepped-up token

There are three levels of SCA for payment account information, enforced according to the endpoint being used.

Access to account details

The /managed_accounts and /managed_accounts/{id} endpoints only require the end-user to have enrolled for SCA and completed two-factor authentication once.

Access to transaction details

Statement and transaction endpoints require the user to have completed a successful step-up in the last 180 days. If the active token is not stepped-up, only transactions executed in the last 180 days are returned; to retrieve older transactions, the active token must be stepped-up.

Access to sensitive information

All card-related operations require a stepped-up token, including viewing sensitive card information. Updating the end-user's password or passcode also requires a stepped-up token.

The full list of endpoints and UI components requiring a stepped-up token is given below.

info

You can control at which point the end-user completes two-factor authentication, so long as a stepped-up token is provided when calling the endpoints below.

warning

Two-factor authentication done for the purpose of verifying a transaction does not count towards SCA for the purpose of payment account information.
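The three SCA levels described above, together with the warning that transaction-verification 2FA does not count, as an added example that is not code from the original page or from the Multi APIs: a small policy evaluator that a client or gateway can use to decide, before making a call, whether the active token satisfies an endpoint's level, and that shows how the 180-day filtering of transaction results behaves without a stepped-up token. The tier assignments are copied from the endpoint table on this page; the TokenState fields, the function names, the sample transactions and the default of "allowed" for endpoints that do not appear in the list are constructed for the example.

```python
"""Policy evaluator for the three SCA levels on this page: constructed example,
not the Multi APIs' own authorisation logic."""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Dict, Iterable, List, Optional, Tuple

STEP_UP_WINDOW = timedelta(days=180)   # documented window for statements and transactions

# The three levels described above. Which endpoints fall under each is copied
# from the page's table; paths are kept as templates ({id}) for brevity.
ONCE_EVER = "once_ever"          # account details: one completed two-factor auth, ever
WITHIN_180_DAYS = "within_180d"  # statements and transactions
ALWAYS = "always"                # cards, creating users, password/passcode changes

ENDPOINT_TIERS: Dict[Tuple[str, str], str] = {
    ("GET", "/managed_accounts"): ONCE_EVER,
    ("POST", "/managed_accounts"): ONCE_EVER,
    ("GET", "/managed_accounts/{id}"): ONCE_EVER,
    ("PATCH", "/managed_accounts/{id}"): ONCE_EVER,
    ("GET", "/managed_accounts/{id}/statement"): WITHIN_180_DAYS,
    ("GET", "/managed_cards/{id}/statement"): WITHIN_180_DAYS,
    ("GET", "/sends"): WITHIN_180_DAYS,
    ("GET", "/transfers"): WITHIN_180_DAYS,
    ("GET", "/outgoing_wire_transfers"): WITHIN_180_DAYS,
    ("POST", "/multi/users"): ALWAYS,
    ("GET", "/managed_cards"): ALWAYS,
    ("POST", "/managed_cards"): ALWAYS,
    ("GET", "/managed_cards/{id}/physical/pin"): ALWAYS,
}


@dataclass
class TokenState:
    """What the client knows about the active token (field names are assumptions)."""
    stepped_up_now: bool                 # this token completed a second factor
    last_sca_at: Optional[datetime]      # latest step-up that counts for account information


def record_step_up(state: TokenState, at: datetime, for_account_information: bool = True) -> None:
    """Record a completed second factor. Per the page's warning, two-factor
    authentication done to verify a transaction does not count towards SCA for
    payment account information, so it leaves this state untouched."""
    if for_account_information:
        state.stepped_up_now = True
        state.last_sca_at = at


def authorize(method: str, path: str, state: TokenState, now: datetime) -> bool:
    """Decide whether the active token satisfies the endpoint's SCA level."""
    tier = ENDPOINT_TIERS.get((method, path))
    if tier is None:
        return True      # not in the page's list: assumed to need no step-up
    if tier == ALWAYS:
        return state.stepped_up_now
    if tier == ONCE_EVER:
        return state.stepped_up_now or state.last_sca_at is not None
    # WITHIN_180_DAYS: a step-up in the last 180 days is enough to call the endpoint
    return state.last_sca_at is not None and now - state.last_sca_at <= STEP_UP_WINDOW


@dataclass
class Transaction:
    tx_id: str
    executed_at: datetime
    amount_minor: int


def visible_transactions(state: TokenState, txs: Iterable[Transaction], now: datetime) -> List[Transaction]:
    """Without a stepped-up token only the last 180 days are returned; with one,
    the full history (the documented behaviour of the transaction endpoints)."""
    if state.stepped_up_now:
        return list(txs)
    cutoff = now - STEP_UP_WINDOW
    return [t for t in txs if t.executed_at >= cutoff]


def sample_transactions(now: datetime) -> List[Transaction]:
    """Constructed sample data: three transactions at 10, 100 and 200 days ago."""
    return [
        Transaction("tx-1", now - timedelta(days=10), 1250),
        Transaction("tx-2", now - timedelta(days=100), 9900),
        Transaction("tx-3", now - timedelta(days=200), 30000),
    ]


if __name__ == "__main__":
    now = datetime(2024, 6, 1, tzinfo=timezone.utc)
    token = TokenState(stepped_up_now=False, last_sca_at=now - timedelta(days=30))
    print(authorize("GET", "/sends", token, now))          # True: step-up 30 days ago
    print(authorize("GET", "/managed_cards", token, now))  # False: cards always need a stepped-up token
    print([t.tx_id for t in visible_transactions(token, sample_transactions(now), now)])  # ['tx-1', 'tx-2']
```

Keeping the tier map separate from the decision function means the map can be regenerated from the page's table when it changes, while the decision logic stays a direct transcription of the three levels.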

List of endpoints requiring a stepped-up token

Endpoint                                              Description

Create Authorised User
  POST /multi/users                                   Requires a stepped-up token

Statement
  GET /managed_accounts/{id}/statement                Requires the user to have completed a successful step-up in the last 180 days
  GET /managed_cards/{id}/statement                   Requires the user to have completed a successful step-up in the last 180 days

Managed Accounts
  GET, POST /managed_accounts                         First-time access requires a stepped-up token
  GET, PATCH /managed_accounts/{id}                   First-time access requires a stepped-up token

Managed Cards
  GET, POST /managed_cards                            Requires a stepped-up token
  GET, POST /managed_cards/{id}                       Requires a stepped-up token
  POST /managed_cards/assign                          Requires a stepped-up token
  GET, PATCH /managed_cards/{id}                      Requires a stepped-up token
  POST /managed_cards/{id}/physical                   Requires a stepped-up token
  POST /managed_cards/{id}/physical/activate          Requires a stepped-up token
  GET /managed_cards/{id}/physical/pin                Requires a stepped-up token
  POST /managed_cards/{id}/physical/replace_lost_stolen   Requires a stepped-up token
  POST /managed_cards/{id}/physical/replace_damaged   Requires a stepped-up token

Transactions
  GET /sends                                          Requires the user to have completed a successful step-up in the last 180 days
  GET /transfers                                      Requires the user to have completed a successful step-up in the last 180 days
  GET /outgoing_wire_transfers                        Requires the user to have completed a successful step-up in the last 180 days
  GET /outgoing_wire_transfers/{id}                   Requires the user to have completed a successful step-up in the last 180 days
  GET /transfers/{id}                                 Requires the user to have completed a successful step-up in the last 180 days
  GET /sends/{id}                                     Requires the user to have completed a successful step-up in the last 180 days

List of UI components requiring a stepped-up token

UI Component                     Description
  Password UI Component          Required when changing the password. Setting the password for the first time does not require a stepped-up token.
  Passcode UI Component          Required when changing the passcode. Setting the passcode for the first time does not require a stepped-up token.

Card UI Component                Description
  Card Number Component          Requires a stepped-up token
  Capture Card No PIN Component  Requires a stepped-up token
  Show Card PIN UI Component     Requires a stepped-up token
  CVV UI Component               Requires a stepped-up token