Mobile Authenticator

Concept definition

The IDEMIA Mobile Authenticator service enables banks to perform in-band and out-of-band strong consumer authentication in the context of sensitive banking or payment use cases.

The IDEMIA Mobile Authenticator service allows a bank to verify its customers' identities by using their smartphones as a means of authentication. This service employs multiple validation methods, including the customer's possession of the smartphone (something they have), as well as additional authentication factors like a PIN (something they know) and/or biometrics (something they are).

IDEMIA provides easy-to-integrate APIs and a mobile SDK for Android/iOS to strongly authenticate consumers when validating sensitive operations.

Use Cases

The IDEMIA Mobile Authenticator service covers the following use cases:

The strong authentication of a consumer to grant access to mobile/online banking interfaces.

The validation of sensitive operations such as self-care banking-related operations (registration of new beneficiaries, money transfer, account recovery, credentials updates), online payment transactions (3DSecure check for eCommerce transactions) and the enrolment of a payment card within third-party wallets. For example, to strike a balance between security and friction, and in the context of specific risk assessment needs, the service can be used to elevate a simple authentication step implemented by the card issuer to a strong authentication step, also called step-up authentication.

User Experience

Accessing banking interface

In this example, the authentication of the consumer to access the banking interface is initiated from a web browser interface. The consumer is notified and prompted to strongly authenticate through the mobile banking application via a push notification mechanism.

Enrolling a card on a Third Pay wallet

In this example, the validation of a sensitive operation, here the enrolment of a payment card, is initiated from a mobile application (the third-party wallet app). The consumer is redirected to the mobile banking application to perform a strong authentication challenge as an ID&V step triggered by the issuing bank to validate the card enrolment request.

Key features

Suitable authenticators

The IDEMIA Mobile Authenticator service enables banks to select the most suitable authenticators in addition to the consumer’s device, depending on the expected balance between convenience and security. The PIN code is supported, based on the Secure Remote Password protocol (SRP), which is a zero-knowledge password proof protocol, meaning that the PIN code is never sent to the server during enrollment or authentication. The use of biometrics is also supported by relying on the OEM device sensors (fingerprint or face recognition).
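To make the SRP property concrete, the following added example (not IDEMIA's code or API) runs an SRP-6a enrollment and authentication in one process and returns only the values that would cross the network. The RFC 5054 1024-bit group, SHA-256, the simplified proof `H(A | B | S)` and all function names are assumptions made for illustration.

```python
import hashlib, hmac, secrets

# Assumed parameters: RFC 5054 1024-bit group, g = 2 (short, for readability).
N = int(
    "EEAF0AB9ADB38DD69C33F80AFA8FC5E86072618775FF3C0B9EA2314C9C256576"
    "D674DF7496EA81D3383B4813D692C6E0E0D5D8E250B98BE48E495C1D6089DAD1"
    "5DC7D7B46154D6B6CE8EF4AD69B15D4982559B297BCF1885C529F566660E57EC"
    "68EDBC3C05726CC02FD4CBF4976EAA9AFD5138FE8376435B9FC61D2FC0EB06E3", 16)
g = 2

def pad(n: int) -> bytes:
    return n.to_bytes(128, "big")          # fixed-width encoding of group elements

def H(*parts: bytes) -> bytes:
    return hashlib.sha256(b"".join(parts)).digest()

def to_int(b: bytes) -> int:
    return int.from_bytes(b, "big")

k = to_int(H(pad(N), pad(g)))              # SRP-6a multiplier

def private_x(salt: bytes, user: str, pin: str) -> int:
    # Derived on the device only; never transmitted.
    return to_int(H(salt, H(f"{user}:{pin}".encode())))

def enroll(user: str, pin: str):
    """Device side. Returns what the server stores: (salt, verifier)."""
    salt = secrets.token_bytes(16)
    return salt, pow(g, private_x(salt, user, pin), N)

def authenticate(user: str, pin: str, salt: bytes, v: int):
    """Runs client and server steps; returns (wire messages, server verdict)."""
    a = secrets.randbelow(N - 2) + 1
    A = pow(g, a, N)                       # client -> server
    b = secrets.randbelow(N - 2) + 1
    B = (k * v + pow(g, b, N)) % N         # server -> client, with the salt
    u = to_int(H(pad(A), pad(B)))
    if A % N == 0 or B % N == 0 or u == 0: # mandatory SRP sanity checks
        raise ValueError("illegal SRP parameter")
    x = private_x(salt, user, pin)
    s_client = pow((B - k * pow(g, x, N)) % N, a + u * x, N)
    s_server = pow(A * pow(v, u, N) % N, b, N)
    m1 = H(pad(A), pad(B), pad(s_client))  # client -> server proof (simplified)
    ok = hmac.compare_digest(m1, H(pad(A), pad(B), pad(s_server)))
    return {"A": A, "B": B, "M1": m1}, ok
```

Because a PIN has little entropy, the stored salt and verifier still have to be protected like a credential, and failed attempts need to be rate-limited on the server.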

Multi-channel configuration

The IDEMIA Mobile Authenticator service can be used in an in-band configuration (when the consumer authentication or sensitive operation validation is initiated from the mobile banking application) and in an out-of-band configuration (when the main banking interface is the web browser and the mobile application is used only for authentication purposes via a push notification mechanism).

Easy integration

The IDEMIA Mobile Authenticator service relies on IDEMIA’s components hosted on Microsoft Azure Cloud, offering swift and easy integration based on APIs and a mobile SDK qualified for iOS and Android devices.

Service Benefits

The IDEMIA Mobile Authenticator service provides banks with the following benefits:

An innovative way to fight fraud, providing a consistent authentication experience whatever the channel or the configuration.

A fast and ergonomic way to secure banking and greatly improve user experience.

A SaaS platform hosted on Microsoft Azure, which allows the infrastructure to scale on demand.

Privacy by design, as consumers are solely in control of their means of authentication.

A contribution to meeting PSD2 requirements and their technical translation (multi-factor authentication, dynamic linking based on the transaction context, signed proof generation, etc.).

Integration overview

Below are the endpoints the bank needs to integrate with to benefit from the IDEMIA Mobile Authenticator service:

The Identity Provider System of the bank integrates with the IDEMIA Lifecycle API in charge of initiating enrollment and authentication processes.

The bank integrates the IDEMIA Mobile Authenticator SDK into its mobile application as the front-end component in charge of interacting with the consumer through the IDEMIA Usage API.