Open Standards: the Foundation for Open Business
Identity standards matter. This statement is nothing new to those of us in the identity and access management world. We have known this and believed this for well over a decade. This year, however, marks a milestone that is worth talking about – identity standards finally matter, I mean really matter, to the business world. The clearest example of this can be found in the world of open banking in the UK, where identity standards have finally converged with the business mainstream.
Open banking is about banks opening their APIs to third parties, allowing them to provide new value-added services, more innovation, and more choices to customers. The concept of using APIs to give customers convenience isn’t really new: Facebook has been using it for years to allow third parties to give customers streamlined registration and sign-on experiences. Open banking, however, is a fundamental shift in an entire industry that is driven by this model and, perhaps more importantly, standards such as OAuth and OpenID Connect provide the secure foundation to make this work.
Let’s take a look at 3 examples of how standards power Open Banking and lay the groundwork for a new open era in business.
First, access to APIs needs to be secured for any financial data to be exchanged safely. OAuth 2.0 provides the best mechanism to meet this requirement through the use of access tokens to secure access to APIs. The OAuth 2.0 authorization code flow provides the added security needed for financial transactions: the client is first issued an authorization code, which is exchanged in a back-channel call for an access token, which is then used in requests to the APIs.
Second, the bank must only give access to the account information through strong authentication and the direct consent of the customer. This also works well with the OAuth model, whereby the third-party client redirects the user directly to the bank for both authentication and transaction consent, never sharing or revealing any credentials to the third party. This is in contrast to how the popular Intuit Mint service gains access to customer accounts on behalf of its users: by vaulting and then replaying the customers’ various credentials across financial institutions. In Mint’s defense, they do now support OAuth, but are at the mercy of banks to support this model.
Finally, beyond basic authentication and consent, the third-party client would likely want to request additional information about the user from the bank. OpenID Connect is an identity layer built on top of OAuth 2.0. It provides profile information about the end user in the form of an ID Token.
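To make the three steps concrete, here is an added example (not code from the original post or from Ping Identity) that simulates the whole exchange in one process: the bank's authorization server issues a one-time authorization code only after the customer authenticates and consents at the bank, the third-party client trades that code for an access token in a back-channel call, the bank's account API accepts only a valid bearer token with the right scope, and the client validates the OpenID Connect ID Token it receives. The issuer URL, client identifier, redirect URI, customer identifier, account data and the choice of an HS256-signed ID Token keyed with the client secret are all constructed assumptions; a real deployment would do the same steps over HTTPS rather than as Python method calls.

```python
import base64, hashlib, hmac, json, secrets, time

def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

class BankAuthorizationServer:
    """Bank side (hypothetical): authenticates the customer, records consent,
    issues one-time authorization codes and exchanges them for tokens."""

    def __init__(self, issuer: str):
        self.issuer = issuer
        self.clients = {}        # client_id -> (client_secret, redirect_uri)
        self.codes = {}          # code -> (client_id, user_id, scope, expiry)
        self.access_tokens = {}  # access_token -> (user_id, scope)

    def register_client(self, client_id, client_secret, redirect_uri):
        self.clients[client_id] = (client_secret, redirect_uri)

    def authorize(self, client_id, redirect_uri, scope, user_id, consented):
        # Front channel: the customer has signed in at the bank and is asked to consent;
        # only a registered redirect URI plus explicit consent yields a one-time code.
        secret, registered_uri = self.clients.get(client_id, (None, None))
        if secret is None or redirect_uri != registered_uri or not consented:
            return None
        code = secrets.token_urlsafe(16)
        self.codes[code] = (client_id, user_id, scope, time.time() + 60)
        return code

    def token(self, client_id, client_secret, code, redirect_uri):
        # Back channel: the client authenticates with its own secret and trades the code
        # for tokens. pop() makes the code single-use; it is also bound to client + URI.
        entry = self.codes.pop(code, None)
        registered = self.clients.get(client_id)
        if entry is None or registered is None:
            return None
        code_client, user_id, scope, expiry = entry
        registered_secret, registered_uri = registered
        if (code_client != client_id or redirect_uri != registered_uri
                or not hmac.compare_digest(client_secret, registered_secret)
                or time.time() > expiry):
            return None
        access_token = secrets.token_urlsafe(24)
        self.access_tokens[access_token] = (user_id, scope)
        response = {"access_token": access_token, "token_type": "Bearer", "scope": scope}
        if "openid" in scope.split():
            response["id_token"] = self._id_token(client_id, registered_secret, user_id)
        return response

    def _id_token(self, client_id, client_secret, user_id):
        # Minimal OpenID Connect ID Token: HS256 JWT keyed with the client secret,
        # carrying issuer, subject, audience, issued-at and expiry claims.
        now = int(time.time())
        header = b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
        payload = b64url(json.dumps({"iss": self.issuer, "sub": user_id, "aud": client_id,
                                     "iat": now, "exp": now + 300}).encode())
        sig = hmac.new(client_secret.encode(), f"{header}.{payload}".encode(), hashlib.sha256).digest()
        return f"{header}.{payload}.{b64url(sig)}"

    def accounts_api(self, access_token):
        # Resource API: answers only a valid bearer token that carries the 'accounts' scope.
        entry = self.access_tokens.get(access_token)
        if entry is None or "accounts" not in entry[1].split():
            return None
        return {"owner": entry[0], "balance": 1250.00}  # constructed sample data

def verify_id_token(id_token, client_secret, expected_iss, expected_aud):
    # Client side: check signature, issuer, audience and expiry before trusting any claim.
    header, payload, sig = id_token.split(".")
    expected = hmac.new(client_secret.encode(), f"{header}.{payload}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(b64url(expected), sig):
        raise ValueError("ID Token signature invalid")
    claims = json.loads(b64url_decode(payload))
    if claims["iss"] != expected_iss or claims["aud"] != expected_aud or claims["exp"] < time.time():
        raise ValueError("ID Token claims rejected")
    return claims

def run_flow():
    """Walk the three steps end to end and return what each side ends up with."""
    bank = BankAuthorizationServer("https://bank.example")  # hypothetical issuer
    client_id, client_secret = "budget-app", secrets.token_urlsafe(32)  # hypothetical client
    redirect_uri = "https://budget.example/callback"
    bank.register_client(client_id, client_secret, redirect_uri)
    # Customer authenticates at the bank and consents; the client never sees credentials.
    code = bank.authorize(client_id, redirect_uri, "openid accounts", "customer-42", True)
    # Back-channel exchange of the code for an access token plus an ID Token.
    tokens = bank.token(client_id, client_secret, code, redirect_uri)
    account = bank.accounts_api(tokens["access_token"])
    # The client validates the ID Token to learn who the authenticated user is.
    claims = verify_id_token(tokens["id_token"], client_secret, bank.issuer, client_id)
    return {
        "account": account, "claims": claims,
        "replay": bank.token(client_id, client_secret, code, redirect_uri),  # used code: None
        "no_consent": bank.authorize(client_id, redirect_uri, "accounts", "customer-42", False),
        "bad_redirect": bank.authorize(client_id, "https://other.example/cb", "accounts", "customer-42", True),
    }

if __name__ == "__main__":
    print(json.dumps(run_flow(), indent=2))
```

Running the file prints the account data the client obtained, the validated ID Token claims, and `null` for the three rejected cases: replaying an already-used code, a customer who declined consent, and a redirect URI that was not registered for the client. Those three refusals are where the security of the authorization code flow lives: the credentials stay at the bank, the code is worthless without the client secret, and the token never travels through the browser.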
Open banking is just the beginning of a new age in commerce where the individual is at the center of everything. We own our own data, manage our own consent, and dictate who can have access to what. Banking, healthcare, government, and retail are all beginning to see the value of this new way of thinking, and identity will play a leading role in making it a reality.
By Matt Klassen
Director of Product Marketing, Ping Identity