Product Documentation

The preauthorize and authorize web services are unique to the SKFS—they are NOT part of the FIDO protocol or WebAuthn API. They are, however, designed to fill a gap: no browser implements the Transaction Authorization APIs from WebAuthn Level-1, txAuthSimple and txAuthGeneric.

StrongKey has produced an open-source native Android FIDO library that uses this SKFS API to deliver capabilities such as Strong Customer Authentication (SCA), a requirement of the Regulatory Technical Standards (RTS) defined by the European Banking Authority (EBA) for the EU Payment Services Directive, Revised (PSD2) regulation. As such, it is possible to deliver apps that produce FIDO digital signatures that meet the RTS, and that can transmit confirmed transactions to banks using EMVCo’s 3DS or Open Banking, etc.

The preauthorize web service is the preliminary step to request a challenge from SKFS. As per the RTS, this challenge must be explicitly associated with a business transaction; any change in the transaction—the Payee or the Amount—mandates a change in the challenge that must be presented to the user. An app built with the StrongKey Android Client Library (SACL) and the SKFS conform to this requirement; the sample e-commerce app and supporting application demonstrate the use of this capability.
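The transaction binding described above, as an added example (not StrongKey's code and not the SKFS algorithm): the challenge is derived from a server nonce and the canonical transaction, so a changed Payee or Amount no longer matches what the user confirmed. `ChallengeStore`, its `preauthorize`/`authorize` methods, the SHA-256 derivation and the sample transaction are assumptions made for this example; verification of the FIDO signature over the challenge is left out.

```python
import hashlib
import hmac
import json
import secrets
from typing import Dict, Optional

NONCE_LEN = 32  # fixed length keeps nonce || transaction unambiguous


def canonical_tx(tx: dict) -> bytes:
    """Deterministic encoding: equal transactions always yield equal bytes."""
    return json.dumps(tx, sort_keys=True, separators=(",", ":")).encode("utf-8")


def derive_challenge(nonce: bytes, tx: dict) -> bytes:
    """Assumed derivation for this example: SHA-256(nonce || canonical transaction)."""
    if len(nonce) != NONCE_LEN:
        raise ValueError(f"nonce must be {NONCE_LEN} bytes")
    return hashlib.sha256(nonce + canonical_tx(tx)).digest()


class ChallengeStore:
    """Hypothetical server-side state: one pending nonce per transaction id."""

    def __init__(self) -> None:
        self._pending: Dict[str, bytes] = {}

    def preauthorize(self, txid: str, tx: dict, nonce: Optional[bytes] = None) -> bytes:
        """Issue the challenge the user must confirm for exactly this transaction."""
        nonce = secrets.token_bytes(NONCE_LEN) if nonce is None else nonce
        challenge = derive_challenge(nonce, tx)  # validates the nonce before storing
        self._pending[txid] = nonce
        return challenge

    def authorize(self, txid: str, tx: dict, confirmed_challenge: bytes) -> bool:
        """Accept only if the confirmed challenge matches the transaction being executed."""
        nonce = self._pending.pop(txid, None)  # single use: a replay finds nothing
        if nonce is None:
            return False
        return hmac.compare_digest(derive_challenge(nonce, tx), confirmed_challenge)


# Constructed sample transaction (not from the SKFS documentation)
SAMPLE_TX = {"payee": "Example Books Ltd", "amount": "49.99", "currency": "EUR"}

if __name__ == "__main__":
    store = ChallengeStore()
    challenge = store.preauthorize("tx-0001", SAMPLE_TX)
    tampered = dict(SAMPLE_TX, amount="4999.00")
    print("tampered amount accepted:", store.authorize("tx-0001", tampered, challenge))
```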

The web service requires the following parameters supplied as JSON objects (shown in the Request example in this section):

| Parameter | Explanation |
| --- | --- |
| svcinfo | Every web service request sent by applications to the SKFS must be authenticated and authorized. These privileges are based on service credential information (svcinfo) passed into the web service as a JSON object. |
| payload | This parameter, also a JSON object, carries information about the user and other parameters necessary for SKFS to fulfill the operation. |