
Risk-based Authentication (TS12)

The Risk-based Authentication extension enables an organisation to protect online banking login and other sensitive actions with Strong Customer Authentication using an SCA Attestation presented from the user's EUDI Wallet. The flow uses the urn:eudi:sca:login_risk_transaction:1 transaction data type defined in the TS12 Electronic Payments SCA Implementation with Wallet specification.

How it works

  1. The organisation enables the Risk-based Authentication extension from the dashboard.
  2. An administrator defines the protected actions (e.g. login, changing beneficiaries, raising a transfer limit) and the description shown to the user.
  3. When a risk engine flags an action as requiring step-up, a presentation request with an urn:eudi:sca:login_risk_transaction:1 transaction data payload is triggered using the configured presentation definition.
  4. The user reviews the action description in their EUDI Wallet and presents an SCA Attestation.
  5. The system verifies the presentation, validates the Key Binding JWT (including that its amr claim shows at least two different authentication factors) and approves or denies the action.
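The following is an added example, not code from the page or from the product it documents. It shows steps 3 and 5 at the claim level: the verifier encodes one transaction_data entry of type urn:eudi:sca:login_risk_transaction:1, and later checks the Key Binding JWT claims returned with the SCA Attestation. The type and credential_ids members and the transaction_data_hashes / transaction_data_hashes_alg claims follow OpenID4VP; the action and action_description members, the mapping of RFC 8176 amr values onto factor categories, and the sample values are assumptions made for this example. Signature verification of the KB-JWT against the holder key in the attestation's cnf claim, and the sd_hash binding, are assumed to be done before these checks.

```python
import base64
import hashlib
import json

# Transaction data type used by the login/risk step-up flow (named on the page).
LOGIN_RISK_TYPE = "urn:eudi:sca:login_risk_transaction:1"

# ASSUMPTION: mapping of RFC 8176 "amr" values onto authentication factor
# categories. The specification you implement may define its own list.
# Unknown values are ignored rather than counted, so they cannot inflate the factor count.
AMR_FACTOR = {
    "pwd": "knowledge", "pin": "knowledge",
    "fpt": "inherence", "face": "inherence", "iris": "inherence", "vbm": "inherence",
    "hwk": "possession", "swk": "possession", "otp": "possession", "sms": "possession",
}


def b64url(data: bytes) -> str:
    """base64url without padding, as used for transaction_data and its hashes."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def build_transaction_data(action: str, description: str, credential_ids: list[str]) -> str:
    """Encode one transaction_data entry (step 3) as base64url(JSON).

    `type` and `credential_ids` are OpenID4VP members; `action` and
    `action_description` are assumed names for the page's 'Action' and
    'Action description' configuration fields.
    """
    entry = {
        "type": LOGIN_RISK_TYPE,
        "credential_ids": credential_ids,
        "action": action,
        "action_description": description,
    }
    return b64url(json.dumps(entry, separators=(",", ":"), sort_keys=True).encode())


def transaction_data_hash(encoded_entry: str) -> str:
    """sha-256 over the exact encoded string that was sent, base64url-encoded."""
    return b64url(hashlib.sha256(encoded_entry.encode("ascii")).digest())


def distinct_factors(amr: list[str]) -> set[str]:
    """Factor categories represented by the amr values (unknown values dropped)."""
    return {AMR_FACTOR[m] for m in amr if m in AMR_FACTOR}


def verify_kb_jwt_claims(kb_claims: dict, expected_nonce: str, expected_aud: str,
                         sent_transaction_data: list[str]) -> list[str]:
    """Check the KB-JWT claims the page calls out (step 5).

    Returns a list of failure reasons; an empty list means the claims are acceptable.
    Every check is evaluated so the caller can log all reasons, not only the first.
    """
    problems = []
    if kb_claims.get("nonce") != expected_nonce:
        problems.append("nonce mismatch")
    if kb_claims.get("aud") != expected_aud:
        problems.append("aud mismatch")
    # OpenID4VP: sha-256 is the default when transaction_data_hashes_alg is absent.
    if kb_claims.get("transaction_data_hashes_alg", "sha-256") != "sha-256":
        problems.append("unsupported transaction_data_hashes_alg")
    expected_hashes = [transaction_data_hash(td) for td in sent_transaction_data]
    if kb_claims.get("transaction_data_hashes") != expected_hashes:
        problems.append("transaction_data_hashes do not match the request")
    if len(distinct_factors(kb_claims.get("amr", []))) < 2:
        problems.append("amr does not show two different authentication factors")
    return problems


if __name__ == "__main__":
    # Constructed sample: a step-up for adding a beneficiary.
    td = build_transaction_data("add_beneficiary", "Add a new payee to your account",
                                ["sca_attestation"])
    kb = {
        "nonce": "n-1234", "aud": "https://verifier.example",
        "transaction_data_hashes_alg": "sha-256",
        "transaction_data_hashes": [transaction_data_hash(td)],
        "amr": ["pin", "fpt"],
    }
    print(verify_kb_jwt_claims(kb, "n-1234", "https://verifier.example", [td]) or "accepted")
```

The hash is computed over the exact string that was placed in the request, so any change to the action description between request and presentation (or a wallet that signs a different entry) fails the transaction_data_hashes check rather than silently approving a different action.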

Configuration

Protected actions

Configure which actions require SCA and the description shown to the user in the wallet:

Field               Description
Service name        Display name of the service requesting authentication
Action              Short identifier of the action (e.g. login, add_beneficiary, increase_limit)
Action description  Human-readable description shown in the wallet
Trigger             always or risk_based (on risk-engine signal)

Accepted SCA Attestation types

Select which attestation types are acceptable for step-up. User attestation is typically sufficient for login, while Account attestation may be required for account-scoped actions:

Attestation          Typical use
User attestation     Login, session step-up
Account attestation  Changes to account-scoped settings
Card attestation     Card-specific actions

Integration

Once configured, the system automatically generates a Presentation Definition bound to the urn:eudi:sca:login_risk_transaction:1 transaction data type. This presentation definition can be viewed from the extension configuration page and is used when initiating step-up requests via the API.

API endpoints:

  • GET /v3/config/extension/risk-based-authentication - Retrieve current configuration

Caution: Disabling the Risk-based Authentication extension deletes its configuration. This action is not reversible.