
Risk-based Authentication (TS12)

The Risk-based Authentication extension lets an organisation protect online banking login and other sensitive actions with Strong Customer Authentication (SCA), using an SCA Attestation presented by the user's EUDI Wallet. The flow uses the urn:eudi:sca:login_risk_transaction:1 transaction data type defined in the TS12 Electronic Payments SCA Implementation with Wallet specification.

How it works

  1. The organisation enables the Risk-based Authentication extension from the dashboard.
  2. An administrator defines the protected actions (e.g. login, changing beneficiaries, raising a transfer limit) and the description shown to the user.
  3. When a risk engine flags an action as requiring step-up, the system sends a presentation request built from the configured presentation definition and carrying an urn:eudi:sca:login_risk_transaction:1 transaction data payload that describes the action.
  4. The user reviews the action description in their EUDI Wallet and presents an SCA Attestation.
  5. The system verifies the presentation, validates the Key Binding JWT (including an amr claim listing at least two different authentication factors) and approves or denies the action.

Configuration

Transaction data

The verification request carries an urn:eudi:sca:login_risk_transaction:1 transaction data object describing the action the user is authenticating:

Field            Type      Description
transaction_id   String    Unique identifier for the authentication transaction
date_time        DateTime  Timestamp of the authentication request
service          String    Name of the service requesting authentication
action           String    Short identifier of the action (e.g. login, add_beneficiary, increase_limit)
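The following is an added example, not code from this product or from the TS12 specification, showing the two ends of the flow described under "How it works" and the transaction data table above: the verifier builds the urn:eudi:sca:login_risk_transaction:1 object with the four fields listed, encodes it as an OpenID4VP transaction_data entry, and later checks the decoded Key Binding JWT payload that comes back with the SCA Attestation. Assumptions that the page does not state: the transaction data object is wrapped in the generic OpenID4VP envelope (type, credential_ids, transaction_data_hashes_alg) and base64url-encoded; the wallet answers with transaction_data_hashes (sha-256 over the exact encoded string) in the KB-JWT; the KB-JWT signature has already been verified against the attestation's cnf key before these claim checks run; and the mapping of RFC 8176 amr values to SCA factor categories is this example's own, stricter reading of "two different authentication factors". The KB-JWT payloads at the bottom are constructed sample data.

```python
import base64
import hashlib
import json
import time

# Transaction data type named on this page (TS12).
LOGIN_RISK_TYPE = "urn:eudi:sca:login_risk_transaction:1"

# ASSUMPTION: mapping of RFC 8176 amr values to SCA factor categories.
# The page only requires two different factors; requiring two different
# categories (knowledge / possession / inherence) is a stricter reading.
AMR_CATEGORY = {
    "pwd": "knowledge", "pin": "knowledge",
    "hwk": "possession", "swk": "possession", "otp": "possession", "sms": "possession",
    "fpt": "inherence", "face": "inherence", "iris": "inherence", "vbm": "inherence",
}


def b64url(data: bytes) -> str:
    """base64url without padding, as used for transaction_data and hashes."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def build_transaction_data(transaction_id, date_time, service, action, credential_ids):
    """Return one base64url entry for the OpenID4VP transaction_data array.

    transaction_id, date_time, service and action are the fields listed on
    this page; type, credential_ids and transaction_data_hashes_alg are the
    generic OpenID4VP envelope (assumption, see lead-in).
    """
    obj = {
        "type": LOGIN_RISK_TYPE,
        "credential_ids": credential_ids,
        "transaction_data_hashes_alg": ["sha-256"],
        "transaction_id": transaction_id,
        "date_time": date_time,
        "service": service,
        "action": action,
    }
    return b64url(json.dumps(obj, separators=(",", ":")).encode("utf-8"))


def transaction_data_hash(encoded: str) -> str:
    """sha-256 over the exact encoded string the wallet received, base64url-encoded."""
    return b64url(hashlib.sha256(encoded.encode("ascii")).digest())


def validate_kb_jwt_claims(kb, expected_nonce, expected_aud, expected_td, now=None, max_age=300):
    """Claim checks on the decoded KB-JWT payload. Returns (ok, reason).

    Assumes the KB-JWT signature was already verified against the cnf key
    of the presented SCA Attestation; this function only binds the
    presentation to our request and enforces the two-factor rule.
    """
    now = time.time() if now is None else now
    if kb.get("nonce") != expected_nonce:
        return False, "nonce mismatch"
    if kb.get("aud") != expected_aud:
        return False, "aud mismatch"
    iat = kb.get("iat")
    if not isinstance(iat, (int, float)) or not (now - max_age <= iat <= now + 60):
        return False, "iat outside freshness window"
    # The wallet must have hashed exactly the transaction data we sent,
    # otherwise the user may have approved a different action.
    if kb.get("transaction_data_hashes_alg", "sha-256") != "sha-256":
        return False, "unsupported transaction_data_hashes_alg"
    if transaction_data_hash(expected_td) not in kb.get("transaction_data_hashes", []):
        return False, "transaction data hash mismatch"
    amr = kb.get("amr")
    if not isinstance(amr, list):
        return False, "amr missing"
    factors = set(amr)
    if len(factors) < 2:
        return False, "fewer than two authentication factors"
    categories = {AMR_CATEGORY.get(f) for f in factors}
    categories.discard(None)  # unknown amr values do not count as a factor
    if len(categories) < 2:
        return False, "factors are not from two independent categories"
    return True, "ok"


def demo():
    """Constructed sample run: one accepted and three rejected KB-JWT payloads."""
    td = build_transaction_data("txn-123", "2025-01-15T10:00:00Z",
                                "Example Bank", "add_beneficiary", ["sca-attestation"])
    base = {"nonce": "n1", "aud": "https://rp.example/verify", "iat": 1_000_000,
            "transaction_data_hashes": [transaction_data_hash(td)], "amr": ["pin", "hwk"]}
    cases = {
        "good": base,
        "same_category": dict(base, amr=["pin", "pwd"]),
        "single_factor": dict(base, amr=["pin"]),
        "wrong_hash": dict(base, transaction_data_hashes=[transaction_data_hash(td + "x")]),
    }
    return {name: validate_kb_jwt_claims(kb, "n1", "https://rp.example/verify", td, now=1_000_010)
            for name, kb in cases.items()}


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

The hash check is the part worth getting right: it is what ties the wallet's user-facing description to the action the risk engine actually flagged, so it must be computed over the byte-exact string that went out in the request, not over a re-serialised object.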

Integration

Once configured, the system automatically generates a Presentation Definition bound to the urn:eudi:sca:login_risk_transaction:1 transaction data type. This Presentation Definition can be viewed from the extension configuration page and is the one used when step-up requests are initiated via the API.

API endpoints:

  • GET /v3/config/extension/risk-based-authentication - Retrieve current configuration

Caution: Disabling the Risk-based Authentication extension deletes its configuration. This action is not reversible.