You can integrate Identity as a Service for PSD2 compliance with the European Banking Authority (EBA) Regulatory Technical Standards (RTS) on Strong Customer Authentication, issued under Article 98 of Directive 2015/2366 (PSD2); see Article 5 of the RTS, Dynamic Linking.
Dynamic linking is available using an Identity as a Service Authentication API application with the following authenticators: OTP, Smart Credential, Entrust Soft Token, and Token (for tokens that support signature).
The standard states that when a digital one-time password (OTP) is used to verify a transaction, the following conditions must be met:
The payer must be made aware of the amount of the payment transaction and the payee.
Identity as a Service OTPs meet this condition by default when transaction details are provided.
Identity as a Service token signatures meet this condition when the transaction detail values are included as part of the generated signature used as the OTP.
The OTP must be specific to the transaction; the OTP cannot be used for any other kind of authentication.
See "To enable dynamically linked OTPs" below for how to generate this transaction-specific OTP.
For Identity as a Service token signatures, the transaction detail values must be specific to the transaction. At least one of these values should be unique to the transaction (for example, a transaction identifier) so that the same set of values is never used for another transaction signature.
The OTP becomes invalid if the amount or the payee is changed.
Identity as a Service OTPs meet this condition by default.
Identity as a Service token signatures meet this condition because the amount and payee transaction detail values are included in the generated signature used as the OTP.
The Smart Credential app and Soft Token mobile apps include automatic transaction verification and meet these conditions automatically.
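As an added illustration (not Entrust's code or API), the following shows one way an OTP can be dynamically linked to a transaction in the sense of the three conditions above: the amount, the payee and a per-transaction identifier are folded into the signature, so a changed amount or payee, a different transaction, or a reused code all fail verification. The HMAC-SHA-256 construction, the field layout, TOKEN_SECRET and the function and class names are assumptions made for this example.

```python
import hashlib
import hmac
from decimal import Decimal

# Constructed example: a per-token secret as it might be provisioned to a
# signing token. Entrust's real key material and algorithm are not shown here.
TOKEN_SECRET = b"example-token-secret-do-not-use-in-production"

def canonical_transaction(txn_id: str, amount: str, currency: str, payee: str) -> bytes:
    """Fixed field order and separator so payer and verifier sign identical bytes.
    txn_id is the value that must be unique per transaction (condition 2)."""
    for field in (txn_id, currency, payee):
        if "|" in field:
            raise ValueError("separator character not allowed in transaction fields")
    return f"{txn_id}|{Decimal(amount):.2f}|{currency}|{payee}".encode("utf-8")

def generate_linked_otp(secret: bytes, txn_id: str, amount: str, currency: str,
                        payee: str, digits: int = 8) -> str:
    """Derive an OTP from the transaction details (conditions 1 and 3):
    HMAC-SHA-256 over the canonical string, truncated HOTP-style (RFC 4226)."""
    mac = hmac.new(secret, canonical_transaction(txn_id, amount, currency, payee),
                   hashlib.sha256).digest()
    offset = mac[-1] & 0x0F
    code = int.from_bytes(mac[offset:offset + 4], "big") & 0x7FFFFFFF
    return f"{code % 10 ** digits:0{digits}d}"

class LinkedOtpVerifier:
    """Server-side check: the OTP is valid only for the exact amount and payee
    it was generated for, and only once (it cannot be reused elsewhere)."""

    def __init__(self, secret: bytes) -> None:
        self.secret = secret
        self.consumed: set[str] = set()

    def verify(self, otp: str, txn_id: str, amount: str, currency: str, payee: str) -> bool:
        if txn_id in self.consumed:
            return False  # replay: an OTP already spent on this transaction
        expected = generate_linked_otp(self.secret, txn_id, amount, currency, payee)
        if not hmac.compare_digest(expected, otp):
            return False  # amount, payee or transaction id differs from what the payer approved
        self.consumed.add(txn_id)
        return True

if __name__ == "__main__":
    otp = generate_linked_otp(TOKEN_SECRET, "txn-0001", "250.00", "EUR", "payee-account-example")
    verifier = LinkedOtpVerifier(TOKEN_SECRET)
    print("genuine:", verifier.verify(otp, "txn-0001", "250.00", "EUR", "payee-account-example"))
    print("amount changed:", verifier.verify(otp, "txn-0001", "2500.00", "EUR", "payee-account-example"))
```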
To enable dynamically linked OTPs
Configure OTP authentication settings, as required. See Manage One Time Password (OTP) settings in the IDaaS Administrator Online Help. The OTP authentication settings used for standard OTP authentication are the same ones used for dynamically linked OTPs.
Note: Ensure that the settings for OTP Length and Cell Alphabet are not so restrictive that they increase the risk of the same OTP being generated more than once. The default settings should be appropriate.
When using Identity as a Service OTPs, the only difference that users see with a dynamically linked OTP is that the text message, voice message, or email that delivers the OTP includes both the OTP and a list of the corresponding transaction details. An attacker who modifies any of the details in the transaction will find that the OTP has become invalid.
When using Identity as a Service token signatures, the transaction detail values MUST be included in the generated signature used as the OTP.
When using Smart Credential or Soft Token mobile apps, users see the list of corresponding transaction details on their mobile device.
Note: See the Entrust Identity as a Service Authentication API Developer Guide for more details.