Strong customer authentication (SCA)

SCA is a two-factor authentication method used to certify the origin and content of specific API requests related to sensitive operations or data (account login, transactions, card details, etc.). It is mandatory under the PSD2 regulation.

To enforce this two-factor authentication, LinkCy relies on:

  • a trusted device
  • either a PIN or biometrics

These requirements are achieved with a mobile SDK which has to be included in the partner's mobile app. To use this SDK, check the tools > SDK page.

This SDK will ensure that the device is trusted and will also handle the PIN or biometrics authentication.

Once the SDK is implemented, a trusted device has to be declared for each enduser: see Device onboarding.

Then, each "SCA eligible" API endpoint requires a specific two-step flow to ensure that SCA is performed and validated: see Secure API requests.

Device onboarding

To onboard a device, use the "onboard a known mobile" endpoint.

You will have to provide:

Request    | Type
endpointId | Defined in the SCA-SDK.
factor     | PIN or BIOMETRY (you can add another factor later).
strategy   | PUSH_NOTIFICATION or JOIN_CODE. This is specific to your implementation of the SCA.
endUserId  | User to whom the device belongs.

If successful, a scaDeviceId is created and linked to the consumer.

SCA requests can now be performed for this enduser.

Only one trusted device can be onboarded per enduser so far.

You can also onboard another factor (PIN or BIOMETRY) with the "add an authentication Factor" endpoint.

The SCA can then be performed with either PIN or BIOMETRY factor.

Secure API requests

API requests which require SCA are done in two steps:

  • Prepare SCA operation:

You have to call the API endpoint a first time with the SCA headers (Linkcy-SCA-Strategy, Linkcy-SCA-Factor) and the operation payload. This triggers the enduser challenge through the SDK.

In response, you receive a 202 code with a scaId. Keep this scaId, as it is mandatory for the second step.

  • Perform SCA operation:

You have to call the same API endpoint with the same parameters and payload, but this time include the scaId in the Linkcy-SCA-Id header.

If the challenge has been validated, the operation is performed and the response is a 200, 201 or 204 code.

If the challenge is not yet completed, the response is a 409 code with errorCode: SCA_INTERACTION_NOT_COMPLETED. This means you should retry the request until the challenge is completed.

You can also avoid too many retries by having the mobile app indicate when the challenge has been answered. The mobile does not know whether the challenge succeeded, only that it has been answered, so you may still need a few retries.
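The two-step flow above, written as an added example that is not LinkCy's own code: `perform_sca_request` prepares the interaction, then replays the identical request with Linkcy-SCA-Id and retries only on SCA_INTERACTION_NOT_COMPLETED. `FakeLinkcy` is a constructed stand-in for the API (endpoint path, payload and scaId values are made up) that returns the status codes and errorCodes this page documents, including the Failures table's "does not match" and "already consumed" cases.

```python
import json

class ScaError(Exception):
    def __init__(self, status, code):
        super().__init__(f"{status} {code}")
        self.status, self.code = status, code

def perform_sca_request(send, method, path, payload, strategy="PUSH_NOTIFICATION",
                        factor="PIN", max_retries=5):
    """send(method, path, headers, payload) -> (http_status, json_body). Step 1 prepares
    (expects 202 + scaId); step 2 re-sends the identical request with Linkcy-SCA-Id."""
    headers = {"Linkcy-SCA-Strategy": strategy, "Linkcy-SCA-Factor": factor}
    status, body = send(method, path, headers, payload)
    if status != 202:
        raise ScaError(status, body.get("errorCode", "UNEXPECTED"))
    headers["Linkcy-SCA-Id"] = body["scaId"]  # same endpoint, same payload, plus the id
    for _ in range(max_retries):
        status, body = send(method, path, headers, payload)
        if status in (200, 201, 204):
            return status, body
        if status == 409 and body.get("errorCode") == "SCA_INTERACTION_NOT_COMPLETED":
            continue  # challenge still pending; in production back off or wait for the mobile's "answered" signal
        raise ScaError(status, body.get("errorCode", "UNEXPECTED"))  # declined, consumed, mismatch, ...
    raise ScaError(409, "SCA_INTERACTION_NOT_COMPLETED")

class FakeLinkcy:
    """Constructed stand-in for the Linkcy API (not the real service); answers after `answers_after` polls."""
    def __init__(self, answers_after=2, declined=False):
        self.answers_after, self.declined = answers_after, declined
        self.interactions = {}  # scaId -> {"key": (method, path, payload), "polls": n, "consumed": bool}

    def send(self, method, path, headers, payload):
        key = (method, path, json.dumps(payload, sort_keys=True))
        sca_id = headers.get("Linkcy-SCA-Id")
        if sca_id is None:  # step 1: prepare, binding the id to this exact request
            sca_id = f"sca-{len(self.interactions) + 1}"
            self.interactions[sca_id] = {"key": key, "polls": 0, "consumed": False}
            return 202, {"scaId": sca_id}
        inter = self.interactions.get(sca_id)  # step 2: perform
        if inter is None:
            return 404, {"errorCode": "SCA_INTERACTION_NOT_FOUND"}
        if inter["key"] != key:
            return 409, {"errorCode": "SCA_INTERACTION_DOES_NOT_MATCH"}
        if inter["consumed"]:
            return 409, {"errorCode": "SCA_INTERACTION_ALREADY_CONSUMED"}
        inter["polls"] += 1
        if inter["polls"] < self.answers_after:
            return 409, {"errorCode": "SCA_INTERACTION_NOT_COMPLETED"}
        if self.declined:
            return 409, {"errorCode": "SCA_INTERACTION_DECLINED"}
        inter["consumed"] = True
        return 201, {"status": "done"}
```

Because the fake binds each scaId to the method, path and serialised payload, any attempt to reuse an id for a different body, or to replay a consumed one, is rejected the same way the table below describes.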

Diagram

Here is a generic sequence diagram for an SCA API request, reconstructed as a text sequence from the diagram's labels (participants: Mobile, SDK, Partner, Linkcy):

  1. Request sensitive operation (Mobile to Partner)
  2. Prepare SCA operation (type, payload) (Partner to Linkcy)
  3. scaId returned (Linkcy to Partner)
  4. Challenge sent to the SDK; the SDK displays the challenge UI
  5. Customer answers the challenge; the SDK sends the challenge response
  6. Optional indication from mobile: challenge answered (Mobile to Partner)
  7. Loop while authentication is not completed: perform operation (payload) + scaId (Partner to Linkcy), answered with code 409 SCA_INTERACTION_NOT_COMPLETED
  8. Perform operation (payload) + scaId (Partner to Linkcy), answered with the operation response (code 200, 201 or 204)

Failures

Here are the errors you can receive:

Error                            | Header param        | Code            | Description
SCA_REQUIRED                     | Linkcy-SCA-Strategy | 409 conflict    | The operation requires SCA. Can be returned if you try to use BY_PASS while not allowed. Will be returned if strategy is FAIL.
SCA_DEVICE_NOT_SET               | Linkcy-SCA-Strategy | 409 conflict    | The operation requires SCA and the strategy allows it, but the user has no SCA device set up. You need to enroll one first.
SCA_FACTOR_NOT_SET               | Linkcy-SCA-Factor   | 400 bad request | The user has an SCA device set up, but the requested factor is not enrolled yet. You must either enroll it or change the factor.
SCA_INTERACTION_NOT_FOUND        | Linkcy-SCA-Id       | 404 not found   | The specified id could not be found.
SCA_INTERACTION_NOT_COMPLETED    | Linkcy-SCA-Id       | 409 conflict    | The SCA interaction is not completed (pending).
SCA_INTERACTION_DECLINED         | Linkcy-SCA-Id       | 409 conflict    | The SCA interaction was declined by the user or expired.
SCA_INTERACTION_ALREADY_CONSUMED | Linkcy-SCA-Id       | 409 conflict    | The SCA interaction has already been used; you need to create a new one.
SCA_INTERACTION_DOES_NOT_MATCH   | Linkcy-SCA-Id       | 409 conflict    | The SCA interaction does not match the request you are trying to make. The body or the URL is different.

If a device or a factor is not onboarded and you try an API request involving SCA, you receive a 409 - SCA_DEVICE_NOT_SET or a 400 - SCA_FACTOR_NOT_SET error.

If the SCA failed, the error is 409 - SCA_INTERACTION_DECLINED.

SCA bypass

In some specific cases, SCA can be bypassed using the BY_PASS option in the Linkcy-SCA-Strategy header.

In this case, no SCA is required and the operation is performed directly.

Check with your contacts at LinkCy to know more about this.

In Sandbox environment, SCA can be bypassed on every endpoint.