Encryption and Authentication
A user of an embedded banking component must have a safely established connection to the FI in order to use the component.
One component on a page is designated as the component to allowAuthentication . The other components, if any, wait for that component to complete authentication before fully displaying their contents. For more information, read the Connecting with Multiple Components section in this article.
App Client Identifier
The Application ID determines which application instance is sending requests and receiving responses. There may be many instances of an application, such as dev and production environments. Every application instance that uses either a separate domain or that stores user connection information requires a separate application ID. Each application is set up by Apiture according to the FI’s needs, and more applications can be added by contacting Apiture’s team.
Each Application ID is linked to the associated set of encryption keys mentioned in the Encryption Key section.
Encryption Keys
Banking details require secure communication. Application encryption keys are issued manually by Apiture when an application is first registered. The two encryption keys includes a public key (K1) and a secret key (K2).
The K1 key is used to encrypt any data sent in a request.
The K2 is used to decrypt the payload of any response.
These encryption keys must be used for any data received or sent by the application for security purposes.
Connection Status
At any point in time, the user has one of the following connection statuses:
Disconnected – The user does not have any connection to the FI.
Connected – The component has connected to the Financial Institution (FI). The user may not be fully authenticated, preventing access to component features. Subsequently, the component may not yet be fully displayed.
Authenticated – The user has both connected and authenticated into the embedded banking component and can now fully view and use the components in the non-bank partner’s application.
While Connected and Authenticated may sound similar, they are not. Connected refers to the web component’s connection with the FI – the user does not matter. Authenticated refers to the user’s association with the component and the FI.
A component can be connected but not have an authenticated user if they have not logged in yet. A user can be authenticated but disconnected, if the connection between the FI and the component is lost after the user has logged in. This may happen during maintenance that may have taken the FI temporarily offline.
Events
Connection statuses are updated during Authentication events. When the applications starts to connect or authenticate, data encrypted with the encryption keys is sent between the FI and the non-bank partner’s application to validate user information. A piece of data representing a link or association between the Partner User’s Identity and the Financial Institution User’s Identity is created and stored by the non-bank partner.
The link is deleted when the user is logged out during the disconnection process. These events are discussed in the Initializing Components article and the Event Handling articles.
Connecting with Multiple Components
If there are multiple components on a page, they all share a connection status. The user is only able to log in using one designated component in the application, which then shares when the user has fully finished the authentication process with all of the other components. If the user logs out of one component, all of the other components also disconnect at the same time.
Silent Authentication and Connection Expiration Time
A user must authenticate with a username and password at least once. However, once the user has logged in once, they may be able to use silent authentication for a certain timeframe. Silent authentication means the user can be automatically logged in without having to type in a username and password again.
Eventually, for security purposes, the connection to the FI will expire. Apiture can configure a maximum amount of time until the component will need to reconnect, and the user will need to fully complete the authentication process again with their FI’s digital banking credentials.
Note: The user does not need to log into the non-bank partner’s system again. The connection to the non-bank partner is never controlled by the embedded component.
Silent authentication is not possible after the expiration time. Once the configured expiration time is exceeded, the user needs to reenter their passwords and/or configured alternative authentication factors.