Dynamic Linking

You can leverage the Keyless authentication mechanism to sign unrelated transactions, including Strong customer authentication (SCA) transactions.

Payment service providers compliant with SCA PSD2 dynamic linking are required to:

• Generate an authentication code specific to the amount of the payment transaction and the payee agreed to by the payer when initiating the transaction

• Make the payer aware of the amount of the payment transaction, and of the payee

Keyless helps you by:

• protecting the authentication code that you use for dynamic linking.

• displaying and signing the information to make the payer aware of details of the transaction.

Strong customer authentication (SCA)

By adding Keyless to your checkout flow you also benefit from Keyless Passwordless Multi Factor Authentication (MFA).

SCA requires authentication to use at least two of the following three elements.

• Something that only the customer knows. For example, a password or PIN.

• Something that only the customer has. For example, a mobile phone or hardware token.

• Something that the customer is. For example, a biometric such as a fingerprint or face.

With Keyless Passwordless MFA you can satisfy the last two points from the list above.

SCA Compliant Dynamic Linking

The following sections contain some examples on implementing SCA with Keyless.

Display transaction information

Keyless displays a screen containing a list of labels and associated information on your behalf. For this reason, the format of the dynamicLinkingInfo must be a jsonArray containing jsonObjects (key/value pairs). We expect a valid JSON as follows:

[
    {key1 : value1},
    {key2 : value2},
    ...
    {keyN: valueN}
]

This information is added to the Authentication request that the user needs to approve.

SCA tied to the authentication code

Once the user approves the transaction data, Keyless starts the authentication to:

1. Authenticate the payer with the device factor and the biometric factor using Keyless MFA.

2. Tie the transaction data to the Keyless MFA

To tie the transaction data to the Keyless MFA, populate the parameter dynamicLinkingInfo of the authentication configuration AuthConfig. Add the authentication code or any other information you want to display to the user and sign with Keyless MFA. For example, add the "authentication code".

Keyless can produce a signed JWT containing a claim titled td (transaction data) that contains the payload you passed as dynamicLinnkingInfo.

//Keyless adds a td claim to the JWTs containing the data you specify
val dynamicLinkingInfo = DynamicLinkingInfo(transactionData = "<your transaction data to display and sign>")

// authenticate with biometric
val biomAuthConfig = BiomAuthConfig(dynamicLinkingInfo = dynamicLinkingInfo)

// perform the authentication
Keyless.authenticate(
    configuration = biomAuthConfig,
    onCompletion = { /*TODO: process result*/ }
)

//Keyless adds a td claim to the JWTs containing the data you specify
let dynamicLinkingInfo = DynamicLinkingInfo(transactionData = "<your transaction data to display and sign>")

// authenticate with biometric
let biomAuthConfig = BiomAuthConfig(dynamicLinkingInfo: dynamicLinkingInfo)

// perform the authentication
Keyless.authenticate(
    configuration: biomAuthConfig,
    onCompletion: { /*TODO: process result*/ }
)

Verify the transaction

If the authentication is successful, the AuthenticationSuccess contains the following fields:

• signedJwt: the signed JWT (specs below).

// JWT header
{
  "alg": "ES256",
  "typ": "JWT",
  "kid": "PIN/FACE"
}
// JWT payload
{
  "iat": 1720519812,
  "td": "your transaction data to display and sign",
  "version": "1.1.0",
  "sub": "keyless_id"
}

Verify the JWT using the public key from Keyless backend.

Congrats, you just performed a Strong Customer Authentication displaying and signing the transaction information.