“Financial Grade” OpenID Connect
Gluu Server 4.2 was certified to conform with the Financial Grade OpenID Provider profile. Called “FAPI” for short, this profile provides detailed requirements for the security features needed to perform payments.
Organizations can use OpenID Connect for both high and low assurance use cases. If you don’t need a ton of security, you don’t need to use all the fancy features OpenID Connect provides. But if you need more security, there are several useful risk mitigations. The FAPI profile uses signing and encryption to protect both the OpenID Connect request and the response, adding assurance on top of transport security: the parties can verify who sent each message and that it was not altered or read in transit.
But FAPI isn’t only for banks! If you want a lot of security, and a high level of assurance that the person authenticated is not a hacker, you may want to use the FAPI profile too.
Digital enterprises need to improve the security of their operations and protect customer data. It is common practice for aggregation services to capture data by screen scraping, which requires them to store users’ passwords. This insecure practice creates security vulnerabilities: financial institutions must effectively allow an automated, credential-replaying attack against their own applications and maintain a whitelist of aggregators to permit it. A new draft standard, proposed by this workgroup, would instead use an API model with structured data and a token model such as OAuth, so that no user password is ever shared with the aggregator.
FAPI is a working group of the OpenID Foundation, the body responsible for the development and maintenance of a family of protocol standards centered around OpenID Connect. FAPI was initiated in 2017 and sought to bring enhanced security to the new API standards being created to deliver the PSD2 regulations across Europe, which were one of the key drivers of open banking.
The Financial-grade API aims to provide specific implementation guidelines for online financial services to adopt by developing a REST/JSON data model protected by a highly secured OAuth profile. The Financial-grade API security profile can be applied to online services in any market area that requires a higher level of security than provided by standard OAuth or OpenID Connect.
This solution will help enterprises offer secure open banking application programming interfaces (APIs) to third parties, which can then use the APIs to seamlessly draw on customer data. Such easy data flow can help expand bank offerings and give quick access to the information needed to verify applicants’ identities at a higher level of assurance.