Interfacing EUDIW (and more) to Banks

[cyberphone]

As you probably know, Open Banking standards define a set of fixed APIs including security solutions. This is a prerequisite for fast and secure rollout of new functionality,

However, most OAuth2 based APIs only standardize the communication between the OAuth2 client and the bank (ASPSP), leaving the user authentication part to proprietary solutions, typically building on the specific bank's mobile banking application.

With the EUDIW and similar bank-neutral wallets, user authentication needs a common API as well. Unsurprisingly, wallets building on OpenID4VP (and other foundations as well) are currently all over the map: some are simply replacing the proprietary authentication solutions, while some of the payment-oriented efforts have turned to approaches similar to EMV. To cope with this situation, the EU-funded Large Scale Pilots (LSPs), are currently busy designing vendor-specific "Integration Services". Although working, the scalability of such solutions is quite limited which in the end severely hampers rollout.

This issue currently lacks an "Owner". OIDF seems like a suitable candidate. FWIW, I have proposed an application- and vendor-neutral concept, but have to date received no feedback. Maybe there are other proposals in the workings?

Below is a visual description of the problem 😆

[cyberphone]

The picture below shows an example of the mentioned "Integration Services". My guess is that a disproportionate amount of time is spent on tools like this as well as on the not so simple (and unique) part needed in banks, leaving much less resources to the EUDIW than the EU (presumably) anticipated.

Note, this must not be taken as criticism of Lissi Gmbh, because everybody who have any interests in this topic have the same problem. I wouldn't be surprised if there are more than 10 [competing] connectors in the workings for the EU project alone! Given banks' risk-aversiveness to new and untested products, the most likely outcome of the Large Scale Pilots (with respect to banks), is a fairly modest set of semi-public pilots.

In "theory" an OpenID4VP interface should suffice. However, this presumes major upgrades of internal bank infrastructure including databases which is why some kind of "connector" will be required anyway. The crux is rather how to accomplish this in a secure and scalable fashion.