FRICTIONLESS ADAPTION OF PAYMENT SERVICES DIRECTIVE (PSD2) WITH WSO2
Pushpalanka Jayawardhana, Senior Software Engineer, April 06, 2017
WSO2
● Founded 2005
● 450+ employees (300 engineers)
● 375+ customers (120 new in 2016)
● Global offices
  ○ Mountain View, New York, London, Colombo, São Paulo
● 100% open source
● Deploy anywhere: on-premise or cloud
OVERVIEW
● Payment Services Directive 2 (PSD2)
  ○ Background
  ○ Objectives and Effects
  ○ Security Implications
● WSO2 Identity Server (IS)
  ○ Objectives
  ○ Application Authentication Framework
    ■ Brief Architecture
  ○ Capabilities in the direction of PSD2
    ■ Multi-factor authentication, fine-grained authorization, federation...
● Use case demonstration with WSO2 IS and WSO2 API-M
PAYMENT SERVICES DIRECTIVE 2 (PSD 2)
Background
● A new European Union directive
● PSD2 (Directive (EU) 2015/2366) entered into force in January 2016 as the successor of PSD
● Member states had to transpose it into national law by January 2018
● Directly affects payment service providers and banks
● Enforces a secure mechanism for customers to authorize a third party provider (TPP) to have direct access to:
  ❏ Account and transaction data
  ❏ Payment initiation and authorization
● Technical guidance: the EBA Regulatory Technical Standards (RTS) on Strong Customer Authentication and common and secure communication under Article 98 of PSD2
PAYMENT SERVICES DIRECTIVE 2 (PSD 2)
Objectives and Effects
● Making electronic payments more secure
● Establish a platform for effective and integrated payment services
● Provide openness required for innovations in the domain, with enhanced competition.
PAYMENT SERVICES DIRECTIVE 2 (PSD 2)
Security Implications
● Strong customer authentication: at least two factors, drawn from different categories of the three below
  ■ Knowledge factors (password, PIN)
  ■ Possession factors (mobile phone, security device, token generator)
  ■ Inherence factors (fingerprint, voice, iris pattern)
● Adaptive authentication
● Access delegation with explicit user consent
● Fine-grained authorization
● Open, secured APIs for payment initiation and account information
● Secured communication
● Fraud detection and audit logs
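The strong customer authentication requirement above is easy to state and easy to get wrong on the server side: two proofs of the same kind (two passwords, two PINs) are not two factors. The following is an added example, not code from the slides or from WSO2, of a server-side SCA check that verifies a knowledge factor (a PBKDF2-hashed password) and a possession factor (an RFC 6238 TOTP code from a token generator or authenticator app), and rejects any combination that does not span two distinct categories. The user record, salt and password are constructed; the TOTP secret is the RFC 6238 reference secret so the codes can be checked against the RFC's test vectors. Inherence factors are assumed to be verified on the customer's device and are not modelled.

```python
"""SCA check: at least two factors, from two distinct categories, each verified."""
import hashlib
import hmac
import struct
from enum import Enum
from typing import List, Tuple


class Category(Enum):
    KNOWLEDGE = "knowledge"    # password, PIN
    POSSESSION = "possession"  # phone, security device, token generator
    INHERENCE = "inherence"    # fingerprint, voice, iris


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: HOTP keyed on the time-step counter (T0 = 0)."""
    return hotp(secret, unix_time // step, digits)


def verify_totp(secret: bytes, code: str, unix_time: int, step: int = 30, window: int = 1) -> bool:
    """Accept the current step and +/- `window` steps of clock drift. Every candidate is
    compared (no early return) so the number of comparisons does not leak which step matched."""
    matched = False
    for drift in range(-window, window + 1):
        expected = totp(secret, unix_time + drift * step, step).encode()
        matched |= hmac.compare_digest(expected, code.encode())
    return matched


# Constructed user record: PBKDF2 password hash plus the RFC 6238 reference secret.
SALT = b"constructed-salt"
PBKDF2_ROUNDS = 100_000
TOTP_SECRET = b"12345678901234567890"
USER = {
    "name": "alice",
    "pw_hash": hashlib.pbkdf2_hmac("sha256", b"correct horse", SALT, PBKDF2_ROUNDS),
    "totp_secret": TOTP_SECRET,
}


def verify_factor(user: dict, category: Category, proof: str, now: int) -> bool:
    if category is Category.KNOWLEDGE:
        candidate = hashlib.pbkdf2_hmac("sha256", proof.encode(), SALT, PBKDF2_ROUNDS)
        return hmac.compare_digest(candidate, user["pw_hash"])
    if category is Category.POSSESSION:
        return verify_totp(user["totp_secret"], proof, now)
    return False  # inherence is verified on the customer's device; not modelled here


def authenticate(user: dict, factors: List[Tuple[Category, str]], now: int) -> Tuple[bool, str]:
    """SCA rule: at least two factors, from at least two distinct categories, all valid."""
    if len(factors) < 2:
        return False, "SCA requires at least two factors"
    if len({category for category, _ in factors}) < 2:
        return False, "factors must come from distinct categories"
    for category, proof in factors:
        if not verify_factor(user, category, proof, now):
            return False, f"{category.value} factor rejected"
    return True, "authenticated"


if __name__ == "__main__":
    now = 1_111_111_109  # fixed clock so the run is reproducible
    otp = totp(TOTP_SECRET, now)
    print(authenticate(USER, [(Category.KNOWLEDGE, "correct horse"), (Category.POSSESSION, otp)], now))
    print(authenticate(USER, [(Category.KNOWLEDGE, "correct horse"), (Category.KNOWLEDGE, "1234")], now))
```

The category check runs before any factor is verified, so a client cannot discover whether a password was right by pairing it with a second knowledge factor; the drift window in `verify_totp` is the trade-off between usability on devices with skewed clocks and the number of codes an attacker may guess per attempt.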
PAYMENT SERVICES DIRECTIVE 2 (PSD 2)
Technology Requirements
“The draft Regulatory Technical Standards explicitly require solutions to be based on known standards.”
● User authentication (with SSO)
  ○ SAML 2.0
  ○ OpenID Connect
● Access delegation: OAuth 2.0
● Fine-grained authorization: XACML
● Multi-factor authentication: SMSOTP, FIDO, DUO, MePin
WSO2 IDENTITY SERVER (IS)
Capabilities in the direction of PSD2
● Supports multi-factor, multi-option authentication
  ○ Connector store: https://store.wso2.com/store/assets/isconnector/list
    ■ MePin, SMSOTP, FIDO, DUO and many more
● Standards: SAML 2.0, OAuth 2.0, OpenID Connect, XACML 3.0, SCIM
● User management: LDAP, Active Directory, JDBC ...
● Federation framework for
  ○ Authentication
  ○ User provisioning
  ○ Identity protocol mediation
● Workflows
● Analytics with Identity Analytics Server
FINE GRAINED AUTHORIZATION
● In the authentication flow
  ○ WSO2 IS can support fine-grained authorization with XACML 2.0/3.0
  ○ The authentication decision can depend on attributes other than the credentials, e.g. users cannot log in within a specific time interval
● In the API calls
  ○ WSO2 API-M can intercept the flows to apply fine-grained authorization
  ○ Acting as the Policy Enforcement Point (PEP), it consumes authorization decisions from IS, which acts as the Policy Decision Point (PDP)
    ■ E.g. the API response can be further customized according to user attributes: if the user belongs to the ‘Platinum’ tier, let them take online loans below an amount x.
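The PEP/PDP split described above is what makes the authorization fine-grained: the gateway forwards attributes and enforces a verdict, while the policy lives in one place. The following is an added example, not code from the slides or from WSO2, that models the XACML decision flow in-process: a request carrying subject, resource, action and environment attributes, rules with a target and a condition, the deny-overrides combining algorithm, and a PEP that fails closed on anything but Permit. It encodes both slide examples, the ‘Platinum’ tier loan limit (the value of x) and a time window during which login is refused; the rule names, limit and window are constructed, and in a real deployment the policy would be an XACML document evaluated by the identity server's PDP, not Python.

```python
"""Fine-grained authorization in the XACML model: PEP builds a request, PDP evaluates rules."""
from dataclasses import dataclass
from enum import Enum
from typing import Callable, List, Optional, Tuple


class Decision(Enum):
    PERMIT = "Permit"
    DENY = "Deny"
    NOT_APPLICABLE = "NotApplicable"


@dataclass(frozen=True)
class Request:
    """The four XACML attribute categories the PEP sends to the PDP."""
    subject: dict
    resource: dict
    action: dict
    environment: dict


@dataclass(frozen=True)
class Rule:
    rule_id: str
    effect: Decision                                       # Permit or Deny
    target: Callable[[Request], bool]                      # like <Target>: does the rule apply?
    condition: Callable[[Request], bool] = lambda r: True  # like <Condition>: extra predicate


def evaluate_rule(rule: Rule, req: Request) -> Decision:
    if rule.target(req) and rule.condition(req):
        return rule.effect
    return Decision.NOT_APPLICABLE


def deny_overrides(rules: List[Rule], req: Request) -> Tuple[Decision, Optional[str]]:
    """XACML deny-overrides: any Deny wins, else the first Permit, else NotApplicable.
    The id of the deciding rule is returned as well, for the audit log."""
    decision, deciding = Decision.NOT_APPLICABLE, None
    for rule in rules:
        result = evaluate_rule(rule, req)
        if result is Decision.DENY:
            return Decision.DENY, rule.rule_id
        if result is Decision.PERMIT and decision is Decision.NOT_APPLICABLE:
            decision, deciding = Decision.PERMIT, rule.rule_id
    return decision, deciding


PLATINUM_LOAN_LIMIT = 50_000  # the slide's "amount x"; constructed value

POLICY = [
    # Slide example: Platinum-tier users may take online loans below amount x.
    Rule("platinum-online-loan", Decision.PERMIT,
         target=lambda r: r.resource.get("type") == "loan" and r.action.get("id") == "apply",
         condition=lambda r: r.subject.get("tier") == "Platinum"
         and r.resource.get("amount", 0) < PLATINUM_LOAN_LIMIT),
    # Slide example: nobody can log in during a specific time interval (here 02:00-04:00).
    Rule("login-allowed", Decision.PERMIT,
         target=lambda r: r.action.get("id") == "login"),
    Rule("no-login-in-maintenance-window", Decision.DENY,
         target=lambda r: r.action.get("id") == "login",
         condition=lambda r: 2 <= r.environment.get("hour", -1) < 4),
]


def pep_enforce(policy: List[Rule], req: Request) -> bool:
    """PEP side: only an explicit Permit lets the call through; NotApplicable fails closed."""
    decision, _ = deny_overrides(policy, req)
    return decision is Decision.PERMIT


def loan_request(tier: str, amount: int, hour: int = 10) -> Request:
    return Request(subject={"id": "alice", "tier": tier},
                   resource={"type": "loan", "amount": amount},
                   action={"id": "apply"}, environment={"hour": hour})


def login_request(hour: int) -> Request:
    return Request(subject={"id": "alice"}, resource={}, action={"id": "login"},
                   environment={"hour": hour})


if __name__ == "__main__":
    for req in (loan_request("Platinum", 20_000), loan_request("Platinum", 80_000),
                loan_request("Gold", 20_000), login_request(3), login_request(10)):
        print(deny_overrides(POLICY, req), pep_enforce(POLICY, req))
```

Two details carry over to a real XACML deployment: the PEP must treat NotApplicable (and Indeterminate) as a refusal, otherwise a request that no rule anticipated is silently allowed; and a Deny rule placed beside a broad Permit only works because the combining algorithm is deny-overrides, so the algorithm is part of the policy, not an implementation detail.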
WSO2 IDENTITY SERVER ANALYTICS
Login Analytics / Session Analytics
● Track successful and failed login attempts by user, service provider and identity provider
● Detect anomalous login behavior
● Track all sessions in the system by user, with the duration of each session
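The two analytics bullets above, counting logins per user, service provider and identity provider and flagging anomalous behaviour, are the kind of logic an analytics server runs over the identity server's login events. The following is an added example, not code from the slides or from WSO2's analytics product, that does both over a handful of constructed audit-log lines: it aggregates outcomes by each dimension and flags a burst of failures for one user inside a short window, a success that immediately follows such a burst (a typical credential-stuffing signature), and a success from an IP address that user has never logged in from before. The log format, thresholds, user names and RFC 5737 documentation IP addresses are all assumptions.

```python
"""Login analytics over constructed audit-log lines: per-dimension counts and anomaly flags."""
import re
from collections import Counter, defaultdict
from datetime import datetime, timedelta
from typing import Counter as CounterType, Dict, List, Tuple

LOG_RE = re.compile(
    r"(?P<ts>\S+) user=(?P<user>\S+) sp=(?P<sp>\S+) idp=(?P<idp>\S+) "
    r"result=(?P<result>SUCCESS|FAILURE) ip=(?P<ip>\S+)"
)

# Constructed sample: bob's three failures then a success look like credential stuffing;
# alice's evening login comes from an address she has never used before.
SAMPLE_LOG = """\
2017-04-06T09:00:01 user=alice sp=mobile-bank idp=LOCAL result=SUCCESS ip=198.51.100.7
2017-04-06T09:00:40 user=bob sp=tpp-aggregator idp=LOCAL result=FAILURE ip=203.0.113.5
2017-04-06T09:00:55 user=bob sp=tpp-aggregator idp=LOCAL result=FAILURE ip=203.0.113.5
2017-04-06T09:01:10 user=bob sp=tpp-aggregator idp=LOCAL result=FAILURE ip=203.0.113.5
2017-04-06T09:01:30 user=bob sp=tpp-aggregator idp=LOCAL result=SUCCESS ip=203.0.113.5
2017-04-06T10:15:00 user=alice sp=mobile-bank idp=LOCAL result=SUCCESS ip=198.51.100.7
2017-04-06T18:30:00 user=alice sp=mobile-bank idp=LOCAL result=SUCCESS ip=192.0.2.44
"""


def parse(log_text: str) -> List[Dict[str, object]]:
    """Parse matching lines into event dicts; lines that do not match are skipped."""
    events = []
    for line in log_text.splitlines():
        match = LOG_RE.match(line)
        if match:
            event = match.groupdict()
            event["ts"] = datetime.fromisoformat(event["ts"])
            events.append(event)
    return events


def login_counts(events: List[Dict[str, object]]) -> CounterType[Tuple[str, str, str]]:
    """Counts keyed by (dimension, value, result), e.g. ('user', 'bob', 'FAILURE') -> 3."""
    counts: CounterType[Tuple[str, str, str]] = Counter()
    for event in events:
        for dimension in ("user", "sp", "idp"):
            counts[(dimension, event[dimension], event["result"])] += 1
    return counts


def detect_anomalies(events, max_failures: int = 3, window: timedelta = timedelta(minutes=5)):
    """Return (timestamp, user, kind) tuples in time order."""
    anomalies = []
    recent_failures = defaultdict(list)  # user -> timestamps of failures inside the window
    known_ips = defaultdict(set)         # user -> IPs seen on earlier successful logins
    in_burst = set()                     # users currently flagged for a failure burst
    for event in sorted(events, key=lambda e: e["ts"]):
        user, ts = event["user"], event["ts"]
        if event["result"] == "FAILURE":
            recent = [t for t in recent_failures[user] if ts - t <= window] + [ts]
            recent_failures[user] = recent
            if len(recent) >= max_failures and user not in in_burst:
                in_burst.add(user)
                anomalies.append((ts, user, "failure-burst"))
            continue
        # A success right after a burst is the event worth paging on, not the burst itself.
        if user in in_burst:
            anomalies.append((ts, user, "success-after-failure-burst"))
            in_burst.discard(user)
            recent_failures[user] = []
        # First success seeds the baseline; later successes from unseen addresses are flagged.
        if known_ips[user] and event["ip"] not in known_ips[user]:
            anomalies.append((ts, user, "new-ip"))
        known_ips[user].add(event["ip"])
    return anomalies


if __name__ == "__main__":
    evs = parse(SAMPLE_LOG)
    for key, n in sorted(login_counts(evs).items()):
        print(key, n)
    for ts, user, kind in detect_anomalies(evs):
        print(ts.isoformat(), user, kind)
```

The per-dimension counter answers the first bullet directly (failures per service provider reveal a TPP under attack, failures per identity provider a broken federation), while the detector deliberately separates the burst from the success that follows it: the burst alone is noise on a busy system, the success after it is the one that should reach a fraud analyst.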