FIDO Wording Guidelines

To promote the use of FIDO and to standardize the user experience, the FIDO Alliance has published guidelines on how to present FIDO-related information on a website.
However, these guidelines are mainly built around the use of FIDO for account log-in. For transaction validation and two-factor authentication using WAFL, some of the recommendations do not really apply.

Below is what we extracted from the official documentation that is relevant in our context and that we used in our demonstration.

FIDO during the user journey - Our interpretation

  • Until the user is logged in, no change on the website.
  • Once the user is logged in, advertise on their main dashboard that a new way to authenticate payments is available, and link to the settings to enable it, but only if the device supports FIDO.
    (see how to check that in the implementation guide)
    Do not mention FIDO yet, only biometrics.
    Use a fingerprint icon matching the user's platform: Apple icon for Mac and iOS; generic icon for other platforms.
  • In the user settings, the section dedicated to FIDO activation should:
    • Use the proper biometrics icon.
    • Start mentioning FIDO.
    • Offer registration only on supported devices.
    • Mention that even though it is supported, it might be necessary to enable it in the device settings, and indicate how to do so. (Ex: Windows Hello can be disabled, but FIDO will appear as supported by the device)
    • Insist on the benefits of using FIDO: it is faster and simpler.
    • Display the FIDO logo.
    • At the bottom, add a link to display some FIDO key facts, as provided in the official guidelines.
  • During transaction validation, if the user used another validation method and their device is not registered yet, invite the user to register FIDO after a successful transaction.
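The device-support check and icon choice from the dashboard and settings items above, written out as an added example in browser JavaScript. This is not Worldline's code nor code from the FIDO Alliance guidelines. It relies on the real WebAuthn feature-detection call PublicKeyCredential.isUserVerifyingPlatformAuthenticatorAvailable(); the browser environment is passed in as a parameter so the decision logic can be exercised offline against constructed fake environments, and the settings path "/settings/biometrics" is a hypothetical placeholder.

```javascript
// Added example (not Worldline's code nor from the FIDO Alliance guidelines):
// decide whether the post-login dashboard should advertise biometric payment
// authentication, and with which icon, following the wording guideline above.
// The browser environment is passed in as `env` (use `window` in a real page)
// so the decision logic can be exercised offline against constructed fakes.

// Real WebAuthn feature detection: PublicKeyCredential.isUserVerifyingPlatformAuthenticatorAvailable().
async function platformAuthenticatorAvailable(env) {
  const pkc = env && env.PublicKeyCredential;
  if (!pkc || typeof pkc.isUserVerifyingPlatformAuthenticatorAvailable !== "function") {
    return false; // no WebAuthn at all: leave the page unchanged
  }
  try {
    return (await pkc.isUserVerifyingPlatformAuthenticatorAvailable()) === true;
  } catch (e) {
    return false; // any failure is treated as "not supported", never as a promise of support
  }
}

// Guideline: Apple icon on Mac and iOS, generic fingerprint icon on other platforms.
function biometricIconFor(userAgent) {
  return /Macintosh|iPhone|iPad|iPod/.test(String(userAgent || ""))
    ? "apple"
    : "generic-fingerprint";
}

// Returns null when nothing should change on the dashboard, otherwise the
// promotional block to render. Dashboard copy talks about biometrics only;
// the word "FIDO" is first used on the settings page.
async function dashboardFidoPromo(env) {
  if (!(await platformAuthenticatorAvailable(env))) return null;
  const ua = env.navigator && env.navigator.userAgent;
  return {
    icon: biometricIconFor(ua),
    text: "A new way to authenticate your payments with your fingerprint or face is available.",
    settingsLink: "/settings/biometrics", // hypothetical path to the activation section
  };
}

// Constructed fake environments (no real browser involved).
const fakeMacWithPlatformAuth = {
  navigator: { userAgent: "Mozilla/5.0 (Macintosh; Intel Mac OS X 13_0) AppleWebKit/605.1.15" },
  PublicKeyCredential: { isUserVerifyingPlatformAuthenticatorAvailable: async () => true },
};
const fakeWindowsNoPlatformAuth = {
  navigator: { userAgent: "Mozilla/5.0 (Windows NT 10.0; Win64; x64)" },
  PublicKeyCredential: { isUserVerifyingPlatformAuthenticatorAvailable: async () => false },
};
const fakeLegacyBrowser = { navigator: { userAgent: "Mozilla/5.0 (X11; Linux x86_64)" } };

// In a real page: dashboardFidoPromo(window).then((promo) => { if (promo) render(promo); });
dashboardFidoPromo(fakeMacWithPlatformAuth).then((promo) => console.log(promo));
```

The same platformAuthenticatorAvailable() check gates the registration button in the settings section; it only answers whether the browser and platform expose a user-verifying authenticator, so the settings copy still has to explain how to enable the device feature itself.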

Official extracts

Information about Security Keys

  • What is a security key?

    A security key is a small, physical device that works in addition to your password on sites that support it. A single key can be used with multiple accounts or sites.

  • Why should I use a security key?

    Security keys protect you against imposter websites that try to steal login credentials (like usernames and passwords). Other forms of 2-factor authentication (including text, email, messages, authenticator apps, and push notifications) do not give you the same level of protection as a security key.

  • How security keys work

    You must first add security keys using the button above. Once added, you'll be required to use them after signing in with your username and password. Doing this creates one of the strongest forms of authentication available to protect your account.

    • What security technology do security keys use?

      Most keys use an authentication "standard" called FIDO® which allows for secure authentication without drivers or software. When a user signs in to a website with a key, FIDO® cryptographically signs a challenge from the browser that verifies the website's actual domain name, which provides strong protection against phishing (e.g., when a fake website is used to trick users into sharing personal information). An attacker would need to control the website domain name or the browser to get a usable signature from the key.

  • Why do security keys look like thumb drives?

    Although hardware security keys may resemble thumb drives and are sometimes inserted into your computer's USB port, they are not storage devices. Your personal information is not trackable or linkable across sites or online accounts when using a security key.

  • What happens if my security key gets stolen?

    The key works in addition to your password, not as a replacement for it. If someone steals the key, they still can't get into your bank account without knowing your password (or which sites are registered with your key). You can sign in with a backup method and remove the stolen key from your account.

  • Add more than one security key

    Adding multiple security keys is highly recommended. If your security key is lost or stolen and you do not have a registered backup security key (or other backup authentication method), access to your account could be interrupted while we verify your identity. We recommend keeping one key easily accessible and another stored separately in a safe space.

  • Purchase security keys

    Security keys vary by manufacturer and can be purchased mainly from online retailers. We recommend FIDO certified keys. See a list of FIDO® certified keys.

  • Name your security keys

    Give your security key a friendly "nickname" that only you can see, so you know which key you registered with this account at a later point in time.

Information about Device Unlock

  • How device unlock works

    A technology called FIDO lets you sign in securely without relying on a password. Once you've registered your computer's PIN, facial recognition, fingerprint, or security key, FIDO verifies it's really you and doesn't transmit any of your login information over the internet.

  • Why use device unlock

    Easy, safe—and private! FIDO makes signing into your online accounts much easier, while keeping your info safe from hackers. Leading companies worldwide in retail, telecommunications, finance and technology are already using FIDO.

  • More information

    Registering with FIDO provides you with an additional login option for this device—your password remains valid.

Learn more content

This part contains the information that could be used in any "Learn more" link, tooltip, popup to be displayed under the FIDO icon under Registration or Authentication buttons.

FIDO lets you sign in securely without relying on a password by keeping your login information securely on your device. Nowhere else.

How it works?

  1. A technology called FIDO lets you sign in securely without relying on a password.
  2. FIDO makes signing into your online accounts much easier, while keeping your info safe from hackers.
  3. Once you’ve registered your computer’s PIN, facial recognition, fingerprint, or security key, FIDO verifies it’s really you and doesn’t transmit any of your login information over the internet.
  4. Easy, safe—and private!
  5. Registering with FIDO provides you with an additional login option for this device—your password remains valid.
  6. Leading companies worldwide in retail, telecommunications, finance and technology are already using FIDO.

FIDO Facts content

This part contains some facts elaborated after some studies involving final users that are designed to improve trust in FIDO.

  • FIDO is a technology built into all leading desktop devices (PC and Mac) and browsers, that allows users to sign in securely without a password.
  • In the same way your phone uses a biometric, FIDO now enables biometric sign-in on websites viewed on your desktop too.
  • FIDO makes sign-in easy, safe, and private!
  • FIDO technology uses your computer’s built-in authentication method (i.e., Windows Hello or Apple Touch ID) to ensure your sign-in information stays safe from hackers because it never leaves your computer.
  • Once you’ve registered your computer’s PIN, facial recognition, fingerprint, or security key, FIDO verifies it’s really you and doesn’t transmit any of your sign-in information over the internet.
  • Registering with FIDO provides you with an additional sign-in option for this device — your password remains valid.
  • Leading companies worldwide in retail, telecommunications, finance, and technology are already using FIDO.

FIDO Functional Presentation

What is FIDO?

The main purpose of FIDO (Fast Identity Online) is to reduce the use of passwords and improve authentication standards on desktop and mobile devices. FIDO is designed to protect personal security and privacy because private keys and biometrics, if used, never leave a person's device. You can swipe a fingerprint or enter a one-time PIN, for example, without needing to remember a complex password. FIDO is also supported by major browsers and operating systems.

What is the Worldline solution?

Worldline proposes a FIDO2 WebAuthn solution for the web in order to provide two-factor authentication with a simple and pleasant user experience. The solution is fully standardized and combines a possession factor with the following list of authenticators:

Authentication factors compatible with FIDO2

  • Fingerprint (with device sensor)
  • Face recognition
  • PIN of the operating system (Windows, iOS…)
  • FIDO hardware tokens
  • Memorized path

Integration modes

Pop-up (managed by the browser via WebAuthn…)

Delivery modes

Full API mode

Main features

Biometrics from any device

All biometric sensors can be used: the computer's fingerprint sensor, the mobile device's biometric sensors, the camera…

Multi-use cases

FIDO authentication suits any use case (online banking use cases, 3DS use cases with EMVCo 2.3 and SPC, delegated authentication…).

Frictionless UX

The user does not need to install any app or plug-in.

How does it work?

Here are the components of the solution.

On the device, the Relying Party (RP) Application runs in the browser. The application calls the WebAuthn APIs to reach the FIDO authenticators.

The RP Application calls the RP App Server to perform FIDO authentication. The RP App Server is linked to the application that manages the FIDO authentication context.

The RP App Server calls the WL FIDO Server, a shared certified server that manages FIDO enrolment and authentication.

 

Architecture of the authentication process

(Figure: architecture fido)

How does it look?

Step 1

Before validating a transaction, you can check the context. Click on “validate” to start the authentication.

(Figure: step 1 fido)

Step 2

Scan your finger on the biometric sensor to authenticate your transaction.

(Figure: step 2 fido)

Step 3

If your fingerprint is recognized, you are authenticated.

(Figure: step 3 fido)

Step 4

Your transaction is validated.

(Figure: step 4 fido)

What does Worldline offer?

The solution relies on the certified Worldline FIDO Server, which manages enrolment and authentication. This service is accessed through APIs. Any Relying Party Application Server known to the Worldline FIDO Server can perform FIDO operations.

On the browser side, either the client application makes the calls to the WebAuthn APIs itself, or it can use the proposed Worldline SDK.


Cards

A card is a payment means that enables a customer to access funds or make purchases.

Each Card is identified by a unique “cardReference” generated internally, and optionally by an external reference “issuerCardExternalReference” provided by the issuer, which must be unique per issuer.

The first Card is created at the same time as the Card Contract.

The diagram below illustrates the different use cases covered by this domain.

(Figure: Card)


Card Controls

The authorization workflow process (authentication checks list, financial checks list) is set up during the design phase.

Several APIs are provided so that the issuer can retrieve the configuration and potentially override the controls for a given cardholder.

Standard Authorization Restrictions can be changed by creating Authorization Restriction Overrides.

The diagram below illustrates several use cases covered by this domain.

(Figure: Control API)


Implementation Steps

Typical Implementation Steps

STEP 1: Select your Product
Depending on your use case, you might be interested in one or several of our Open Banking products. Feel free to browse the information on our Website and Developer Portal to understand how we can contribute to your success and to assess the required integration effort. We recommend checking the Terminology section before accessing the API documentation.

STEP 2: Assess Ease of Integration
We have prepared a couple of sandbox scenarios for Payment and Data which you can use to get an idea of our solution without any development on your end. Simply use a set of predefined tokens and play around with the APIs directly in the developer portal.

STEP 3: Get your Quote
Contact us to get a product demo and a tailor-made quotation. Please include the name of the product(s) you are interested in, the countries in which your users are located, and estimated volumes. Shortly after, we will provide you with a custom quote.

STEP 4: Access your Test Environment
We will set you up with access to our Test Environment, where you can test your development. If you have your own PSD2 license, we will need to obtain your eIDAS certificates and register you with the selected banks. We have included a Postman collection and cURL examples to help you with integration testing. To get an idea of how easy it is to implement our Open Banking API, you do not need to write a single line of code: simply use a set of predefined tokens and play around with the APIs directly in the developer portal. Once you are ready to start the implementation on your side, our Support team will provide you with the application key and client secret that you will use to obtain a token for the sandbox environment.
Would you already like to kick off your onboarding, or do you have further questions? We are there to support you.

STEP 5: Go Live
Once the commercial agreement is signed and integration testing is completed, we will provide you with production credentials. We recommend performing a small pilot to ensure a smooth user experience in a live environment. Your setup (Tenant Setup) is done by Worldline, while the Merchant and Sub-Merchant Setup can be managed by yourself via the Back Office (a set of screens which can be offered white-labeled) or via the Merchant Subscription Management API (useful if integration with an existing CRM system is desired).

Do not hesitate to contact us in case you have any queries related to technical implementation or if you would like to receive a quotation.
We are there to support your growth!


Glossary

A

Account-to-Account Payments
is a variable and configurable solution that allows merchants and acquirers to facilitate payments directly from a customer’s bank account. 

Account Validation
allows any company to verify an account number. The service can be used whenever you need to collect a user’s IBAN, to prevent fraud or manual errors.

AIS
Account Information Service: AIS is an online service providing consolidated information on one or more payment accounts held by a payment service user with one or more other payment service providers, which means users can obtain an overview of their financial situation. Account information service providers can categorize expenditure, which also gives users a better insight into their spending patterns.

AISP
Account Information Service Provider: authorized to retrieve account information from financial institutions, with the consent of the user. This can be a bank or a payment institution that offers services according to PSD2.

Example: Finance Management: AISPs support retail clients in tracking and managing their financial situation, support them in possible investment decisions etc. by collecting their financial information.

ASPSP
The Account Servicing Payment Service Provider holds the bank accounts of its customers (see also PSU) and provides access to the account holder's bank account to AISPs and PISPs.

B

Bank Connect
enables banks to initiate payments on behalf of their retail or business clients to move funds between own accounts or to pay others.

BVN
Betaalvereniging Nederland (Dutch Payment Association)

I

iDEAL
iDEAL is a Dutch online payment method that enables consumers to pay online through their own bank.

iDEAL Hub
is a solution owned by Currence which provides a unified iDEAL experience. It is connected to the ASPSPs which provide the iDEAL 2.0 product.

Initiating Party
The Initiating Party contracts the TPP for the Open Banking Services, and can send requests on behalf of the PSU to the Worldline Open Banking Platform.

Initiation Service (aka Bank Selection Interface)
The Initiation Service is a way of integrating the Worldline core XS2A PSD2 service through the dedicated Worldline Payment or Account data GUI. It is a page which allows the PSU to select their country and bank (ASPSP) and to complete the authentication and authorization process towards it, in order to give consent for the core PSD2 services PIS and AIS. All subsequent flows between the ASPSP and the Initiation Service are handled by the Initiation Service, without involvement of the Initiating Party (e.g. the merchant).

O

OBeP
Online Banking ePayments: A payment network, created to fulfill the unique requirements of payments processed via the internet (ePayment). In order to authenticate the sender and the recipient it makes use of digital certificates and secure electronic transaction (SET) protocol.

Open Banking Services
The 'Open Banking Service' refers to Worldline Open Banking Platform which handles the routing of the messages.

P

PISP
Payment Initiation Service Provider: authorized to initiate payments into or out of a consumer’s bank account, on behalf of a customer. PISPs are allowed to withdraw money directly from the customer's account, as long as the customer has given consent.

PIS
Payment Initiation Service: PISPs can initiate payments on behalf of their clients, from or to the customer's bank account depending on the use case.
Typically the payer needs to select their bank account, authenticate themselves to the bank and approve the payment.

PSD2
Second Payment Services Directive: under PSD2, banks and institutions which hold accounts have to provide APIs for (licensed) external service providers, so that their payment infrastructure and customer data are opened up to TPPs.

PSU
The Payment Service User (PSU) is an account holder at one or more ASPSPs and allows other parties to initiate payment requests and to pull account data.

R

Routing Service
The Routing Service allows sending transactions to the optimal payment gateway based on selected parameters.
Possible scenario for iDEAL transactions: the Customer calls the Routing Service via one of the Initiating Party’s connections. The Routing Service checks the transaction request and forwards it to the Customer’s Bank. The response message from the Customer’s Bank contains a redirect URL, which the Initiating Party uses to redirect the Customer to the Customer’s Bank. The Customer confirms the request in their familiar online banking application. After that, the Customer is redirected back to the Initiating Party.

S

SCA
Strong Customer Authentication: introduced by PSD2 in 2019 to improve security in payment transactions (a customer accesses their account online and initiates an electronic payment). Under SCA, each authentication should use a combination of two factors from the categories “knowledge” (password, code, PIN), “possession” (token, smartphone) and “inherence” (fingerprint, voice recognition).

T

Tenant
A Tenant is typically licensed as an AISP or a PISP:

The AISP Tenant is authorized to retrieve account information from financial institutions, with the consent of the customer. This can be a bank or a payment institution that offers services according to PSD2.

The PISP Tenant is authorized to initiate payments into or out of a consumer’s bank account, on behalf of a customer. PISPs are allowed to withdraw money directly from the customer's account, as long as the customer has given consent.

Tenant Setup
Worldline takes the steps to set up tenants (AISPs or PISPs) in the system according to their requirements, for example:

Which services (PIS, AIS, PSU, Ideal 2.0) should be available? Which user roles are needed and which modules should be made available? Questions on permission control, content style, translations, etc.

TPP
The Third Party Provider is an intermediate between Initiating Parties and ASPSPs and provides an interface used by the Initiating Party.

X

XS2A
Access to Account: XS2A Services enable Third Party Service Providers (TPP) to get access to consumer bank accounts. The framework is based on PSD2 - the European Banking Authority Regulatory Technical Standards requirements. The European Central Bank provides detailed information on PSD2: ECB Europe


Open Banking APIs

Getting started

Worldline Open Banking products are developed on top of the Worldline Open Banking Platform. All products are wrapped up in one central interface, supported by a user-friendly bank selection dialogue. We offer simplified access to 3500 banks.

The Open Banking Platform consists of several elements that you might use depending on the use case:

  1. Access management module to define who can access Open Banking services. We set up your access rights during the onboarding phase, while you can manage the access rights of your clients (aka initiating parties) if applicable.

  2. Authorization module to provide your public certificate and retrieve an authorization token.

  3. Open Banking API to pull account data and initiate payments using your or Worldline's PSD2 license.

  4. Reach directory to review the list of supported banks and implementation differences between the banks.

  5. Predefined bank selection screens for a better user experience and faster go-live.

  6. Notifications API to get notified on events that you subscribed to (e.g. payment status change).

  7. Back office portal allowing you to onboard and manage your clients, view transactions and create refunds.

  8. Credit scoring portal allowing you to search credit scoring requests and view the data used for the calculation.

  9. Refund API helping merchants to issue account-based refunds for a payment processed via the Open Banking API.

To implement our products, you will need to check the documentation of each of the relevant sections:

Open Banking Reach

Account Verification

Business Financial Management
  • Access management module
  • Open Banking API
  • Reach directory
  • Bank selection screens - optional
  • Notifications API - optional
  • Back office portal - optional

Account-to-account payments
  • Access management module
  • Open Banking API
  • Refund API
  • Reach directory
  • Bank selection screens - optional
  • Notifications API - optional
  • Back office portal - optional

Credit Insight
  • Access management module
  • Open Banking API
  • Reach directory
  • Bank selection screens - optional
  • Back office portal - optional
  • Credit scoring portal - optional

iDEAL / iDEAL 2.0
  • Access management module
  • Open Banking API
  • Notifications API - optional
  • Back office portal

SEPA Payments suite

You can get in touch with us to receive your quotation and for implementation support.