Strong Customer Authentication (SCA)
Strong Customer Authentication (SCA) is a two-factor authentication used to certify the origin and the content of specific API requests related to sensitive operations or data (account login, transactions, card details, etc.). It is mandatory under the PSD2 regulation.
To enforce this two-factor authentication, LinkCy relies on
- a trusted device
- either a PIN or Biometrics
These requirements are met with a mobile SDK which has to be included in the Partner mobile App. To use this SDK, check the SCA SDK page.
This SDK ensures that the device is a trusted one, and also handles the PIN or Biometrics authentication.
Once the SDK is implemented, a trusted device has to be declared for each end user: see Device onboarding.
Then, each "SCA eligible" API endpoint requires a specific flow to ensure that SCA is performed and validated: see Secure API requests.
Device onboarding
To onboard a device, use the "Onboard a known mobile" endpoint.
You will have to provide:
- the device endpointId, defined in the SCA-SDK.
- the factor to be used: PIN or BIOMETRY (you can add another factor later).
- the strategy: PUSH_NOTIFICATION or JOIN_CODE. This is specific to your implementation of the SCA.
- the endUserId the device belongs to.
A scaDeviceId will be created and linked to the consumer. SCA requests can now be performed for this end user.
Only one trusted device can be onboarded per end user so far.
You can also onboard another factor (PIN or BIOMETRY) with the "Add an authentication Factor" endpoint.
The SCA can then be performed with either the PIN or the BIOMETRY factor.
Secure API requests
API requests which require SCA are done in 2 steps:
- Prepare SCA operation: request the API endpoint a 1st time with the SCA headers (Linkcy-SCA-Strategy, Linkcy-SCA-Factor) and the operation payload. This triggers the end user challenge through the SDK. In response, you will receive a 202 code with a scaId. Keep this scaId as it is mandatory for the 2nd step.
- Perform SCA operation: request the same API endpoint, with the same parameters and payload, but this time include the scaId in the Linkcy-SCA-Id header.
If the challenge is OK, the operation is performed and the response is a 200, 201 or 204 code.
If the challenge is not yet completed, the response is a 409 code with errorCode: SCA_INTERACTION_NOT_COMPLETED. It means that you should retry the request until the challenge is finished.
You can also avoid too many retries by having the mobile API indicate when the challenge has been answered. The mobile won't know whether the challenge was successful, only that it has been answered, so you might have to do some retries anyway.
Here is a generic sequence diagram for an SCA API request:
Failures
Here are the errors you can receive:
- If the trusted device or the factor has not been set for the end user, you will receive a 409 - SCA_DEVICE_NOT_SET or 400 - SCA_FACTOR_NOT_SET error.
- If the SCA challenge failed, the error will be 409 - SCA_INTERACTION_DECLINED.
SCA Bypass
In some specific cases, SCA can be bypassed, using the BY_PASS option in Linkcy-SCA-Strategy. In this case, no SCA is required and the operation is performed directly.
Check with your contacts at LinkCy to know more about this.
In the Sandbox environment, SCA can be bypassed on every endpoint.
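The following is an added example, not code from LinkCy's documentation or SDK. It implements the two-step flow from "Secure API requests" (prepare with the SCA headers, keep the scaId, perform with Linkcy-SCA-Id, retry on 409 SCA_INTERACTION_NOT_COMPLETED) and maps the codes listed under "Failures" and the BY_PASS strategy to distinct outcomes. The header names, status codes and error codes come from this page; the HTTP transport signature, the JSON body shapes ("scaId" and "errorCode" fields), the scaId values and the FakeScaApi stand-in used to run it offline are assumptions.

```python
"""Client-side SCA flow: prepare (202 + scaId), then perform with
Linkcy-SCA-Id, retrying while the challenge is still pending.

Added example; not LinkCy's own SDK or documentation code.
FakeScaApi is a constructed in-memory stand-in for the real API.
"""
import time
from dataclasses import dataclass
from typing import Callable, Dict, Optional

# Header names, status codes and error codes as documented on this page.
H_STRATEGY = "Linkcy-SCA-Strategy"
H_FACTOR = "Linkcy-SCA-Factor"
H_SCA_ID = "Linkcy-SCA-Id"
SUCCESS = (200, 201, 204)
PENDING = "SCA_INTERACTION_NOT_COMPLETED"


@dataclass
class Response:
    status: int
    body: Dict  # assumption: JSON body carrying "scaId" or "errorCode"


class ScaError(Exception):
    """Terminal SCA failure (device/factor not set, challenge declined)."""
    def __init__(self, status: int, error_code: Optional[str]):
        super().__init__(f"{status} - {error_code}")
        self.status = status
        self.error_code = error_code


def sca_request(send: Callable[[str, str, Dict, Dict], Response],
                method: str, path: str, payload: Dict,
                strategy: str, factor: Optional[str] = None,
                max_retries: int = 10, delay: float = 1.0,
                sleep: Callable[[float], None] = time.sleep) -> Response:
    """Run the two-step flow. `send` is the HTTP transport (assumed signature)."""
    headers = {H_STRATEGY: strategy}
    if factor is not None:
        headers[H_FACTOR] = factor
    # Step 1: prepare. With BY_PASS the operation completes here (no 202).
    first = send(method, path, headers, payload)
    if first.status in SUCCESS:
        return first
    if first.status != 202:
        raise ScaError(first.status, first.body.get("errorCode"))
    sca_id = first.body["scaId"]
    # Step 2: perform. Same endpoint, parameters and payload, plus Linkcy-SCA-Id.
    headers = {**headers, H_SCA_ID: sca_id}
    for _ in range(max_retries):
        resp = send(method, path, headers, payload)
        if resp.status in SUCCESS:
            return resp
        if resp.status == 409 and resp.body.get("errorCode") == PENDING:
            sleep(delay)  # end user has not answered yet: retry later
            continue
        raise ScaError(resp.status, resp.body.get("errorCode"))
    raise TimeoutError(f"SCA {sca_id} still pending after {max_retries} retries")


class FakeScaApi:
    """Constructed stand-in for the LinkCy API, scripted from the page's rules."""
    def __init__(self, device_onboarded=True, factors=("PIN",),
                 answers_after=1, approved=True):
        self.device_onboarded = device_onboarded
        self.factors = set(factors)         # factors onboarded for the end user
        self.answers_after = answers_after  # pending polls before the user answers
        self.approved = approved            # outcome of the challenge
        self.calls = 0
        self._pending: Dict[str, int] = {}

    def send(self, method, path, headers, payload) -> Response:
        self.calls += 1
        if headers.get(H_STRATEGY) == "BY_PASS":
            return Response(201, {"id": "op-1"})  # no challenge at all
        sca_id = headers.get(H_SCA_ID)
        if sca_id is None:  # step 1: prepare
            if not self.device_onboarded:
                return Response(409, {"errorCode": "SCA_DEVICE_NOT_SET"})
            if headers.get(H_FACTOR) not in self.factors:
                return Response(400, {"errorCode": "SCA_FACTOR_NOT_SET"})
            sca_id = f"sca-{len(self._pending) + 1}"  # constructed id
            self._pending[sca_id] = self.answers_after
            return Response(202, {"scaId": sca_id})
        if self._pending[sca_id] > 0:  # step 2: still pending
            self._pending[sca_id] -= 1
            return Response(409, {"errorCode": PENDING})
        if self.approved:
            return Response(201, {"id": "op-1"})
        return Response(409, {"errorCode": "SCA_INTERACTION_DECLINED"})


if __name__ == "__main__":
    api = FakeScaApi(answers_after=2)
    done = sca_request(api.send, "POST", "/transfers", {"amount": 10},
                       "PUSH_NOTIFICATION", "PIN", sleep=lambda s: None)
    print(done.status, "after", api.calls, "calls")  # 201 after 4 calls
```

The client treats only 409 SCA_INTERACTION_NOT_COMPLETED as retryable; every other non-success status is surfaced as a terminal ScaError so that a declined challenge or a missing device is never retried as if it were still pending. The `sleep` parameter is injectable so the polling delay can be replaced by the mobile-side "answered" signal mentioned above, or by no delay at all in tests.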