Open Standards: the Foundation for Open Business


Identity standards matter. This statement is nothing new to those of us in the identity and access management world. We have known this and believed this for well over a decade. This year, however, marks a milestone that is worth talking about: identity standards finally matter, and I mean really matter, to the business world. The clearest example of this can be found in the world of open banking in the UK, where identity standards have finally converged with the business mainstream.

Open banking is about banks opening their APIs to 3rd parties, allowing them to provide new value-added services, more innovation, and more choices to customers. The concept of using APIs to give customers convenience isn’t really new, as Facebook has been using it for years to allow third parties to give customers streamlined registration and sign-on experiences. Open banking, however, is a fundamental shift in an entire industry that is driven by this model and, maybe more importantly, standards such as OAuth and OpenID Connect provide the secure foundation to make this work.

Let’s take a look at 3 examples of how standards power Open Banking and lay the groundwork for a new open era in business.

First, access to APIs needs to be secured for any financial data to be exchanged safely. OAuth 2.0 provides the best mechanism to meet this requirement through the use of access tokens to secure access to APIs. The OAuth 2.0 authorization code flow provides the added security needed for financial transactions: the client is first issued an authorization code, which it exchanges in a back-channel call for an access token, and that token is then used in requests to the APIs.

Second, the bank must only give access to the account information through strong authentication and consent of the customer directly. This also works well with the OAuth model, whereby the 3rd party client redirects the user directly to the bank for both authentication and transaction consent, never sharing or revealing any credentials to the 3rd party. This is in contrast to how the popular Intuit Mint service gains access to customer accounts on behalf of its users, by vaulting and then replaying the customers' various credentials across financial institutions. In Mint’s defense, they do now support OAuth, but are at the mercy of banks to support this model.

Finally, beyond basic authentication and consent, the 3rd party client likely would want to request additional information about the user from the bank. OpenID Connect is an identity layer built on top of OAuth 2.0. It provides profile information about the end user in the form of an ID Token.
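The authorization code flow described above, as an added example that is not part of the original post: a toy in-memory bank that authenticates the user itself, issues a single-use code over the front channel, and releases an access token only in the client-authenticated back-channel call. The client ID, secret, redirect URI, user and balance are all constructed for illustration.

```python
import hmac, secrets, time

class Bank:
    """Toy authorization server plus API (constructed; not a real bank interface)."""
    def __init__(self):
        self.clients = {"tpp-app": {"secret": "s3cret", "redirect_uri": "https://tpp.example/cb"}}
        self.users = {"alice": "correct horse"}
        self.codes, self.tokens = {}, {}

    def authorize(self, client_id, redirect_uri, scope, username, password, consent):
        # Front channel: the user is redirected to the bank and authenticates there,
        # so the 3rd party client never sees the username or password.
        client = self.clients.get(client_id)
        if client is None or client["redirect_uri"] != redirect_uri:
            raise PermissionError("invalid_request")
        if not hmac.compare_digest(self.users.get(username, ""), password):
            raise PermissionError("authentication_failed")
        if not consent:
            raise PermissionError("access_denied")
        code = secrets.token_urlsafe(16)
        # The code is bound to the client and redirect URI and expires in 60 seconds.
        self.codes[code] = (client_id, redirect_uri, scope, username, time.time() + 60)
        return code  # handed to the client through the redirect

    def token(self, client_id, client_secret, code, redirect_uri):
        # Back channel: the client authenticates and redeems the code server to server.
        client = self.clients.get(client_id)
        if client is None or not hmac.compare_digest(client["secret"], client_secret):
            raise PermissionError("invalid_client")
        grant = self.codes.pop(code, None)  # pop makes the code single use
        if (grant is None or grant[0] != client_id
                or grant[1] != redirect_uri or grant[4] < time.time()):
            raise PermissionError("invalid_grant")
        access_token = secrets.token_urlsafe(24)
        self.tokens[access_token] = {"sub": grant[3], "scope": grant[2]}
        return access_token

    def accounts_api(self, access_token):
        # The API checks the token and its scope, never the user's credentials.
        info = self.tokens.get(access_token)
        if info is None or "accounts" not in info["scope"].split():
            raise PermissionError("invalid_token")
        return {"owner": info["sub"], "balance": "123.45"}

def run_flow(bank):
    code = bank.authorize("tpp-app", "https://tpp.example/cb", "accounts",
                          "alice", "correct horse", True)
    token = bank.token("tpp-app", "s3cret", code, "https://tpp.example/cb")
    return code, token, bank.accounts_api(token)
```

A code that leaks from the redirect is of no use without the client secret, and a replayed code is rejected because it was consumed on first redemption.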

Open banking is just the beginning of a new age in commerce where the individual is at the center of everything. We own our own data, manage our own consent, and dictate who can have access to what. Banking, healthcare, government, and retail are all beginning to see the value of this new way of thinking, and identity will play a leading role in making it a reality.

By Matt Klassen
Director of Product Marketing, Ping Identity
