Authentication flow types

This article might be out of date

Please note we've moved to the new Help Center, hence this article might be outdated. 

Please visit our new Help Center to access the latest articles. 

The purpose of PSD2 APIs is to securely access bank account data of end users through regulated APIs. Ideally using these regulated APIs should also imply that end user sensitive data is only ever input in the bank interface, and never with the Account Information Service Provider (Nordigen). However, this is not always possible and is dependent on what authentication flow the bank uses and their specific API implementation.

Banks generally provide 3 different authentication flows for PSD2 APIs:

  • Redirect - the End User is redirected to the Bank's page to authorize their consent. This might also include initial authentication. 
  • Decoupled - the End User uses a device to authorize their consent without being redirected to the Bank's page. In this case Nordigen checks whether the End User has finished authorizing their consent.
  • Embedded - this is where Nordigen asks the End User to receive a One-Time-Password (most commonly via SMS) and then enter it in the Nordigen view.

Where technically possible, Nordigen opts for an authentication flow that asks the End User to authenticate fully within their bank, to ensure there is less risk of compromising sensitive data as well as a quicker authentication. In this scenario end users input their login details directly within their bank's interface, and no third party (Nordigen or our customer) has access to them.

For certain banks though, Nordigen must ask for, and in rare cases also temporarily store, sensitive credentials (such as User ID or IBAN, or in some cases password) on our side, because this is how the specific bank API has been designed by the bank itself. In almost all cases though, Nordigen works solely as an intermediary: we pass the respective data over to the bank and delete it right after. 

Affected Banks

For the following banks, Nordigen has to ask the End User for the listed sensitive data points in order to pass this information on to banks that provide a decoupled flow. This information is deleted from Nordigen immediately after.

Special Case 

DKB (Deutsche Kreditbank) in Germany is the only bank where, in addition to asking for the sensitive data, Nordigen also has to store it temporarily until the access expires (for a maximum of 90 days). To ensure the security of said data, the information is encrypted, transferred over HTTPS, and certificates are in place. The sensitive data is thereafter deleted permanently after the access has expired (between 0-90 days).
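The two handling policies described above (pass-through with immediate deletion for most banks, and temporary encrypted storage capped at 90 days for the DKB case), as an added Python example that is not Nordigen's code: the bank hand-off callable, the placeholder XOR "cipher", the access ids and the sample IBAN are all constructed assumptions for the demonstration, and a real deployment would use an authenticated cipher from a vetted library.

```python
import secrets
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from typing import Callable, Dict, Optional

# Hard retention cap for the temporary-storage case (the article's 90 days).
MAX_RETENTION = timedelta(days=90)


def pass_through(credential: str, send_to_bank: Callable[[str], bool]) -> bool:
    """Policy 1 (the usual case): forward the credential to the bank exactly
    once and keep no reference to it afterwards.

    `send_to_bank` is a hypothetical callable standing in for the bank API
    call (an assumption); it returns True when the bank accepted the data.
    """
    try:
        return send_to_bank(credential)
    finally:
        # Drop this frame's only binding; nothing else in this module keeps it.
        del credential


# Placeholder cipher for the demonstration only (an assumption, NOT real
# encryption): a per-process random key XORed over the plaintext.
_DEMO_KEY = secrets.token_bytes(32)


def demo_encrypt(plaintext: bytes) -> bytes:
    return bytes(b ^ _DEMO_KEY[i % len(_DEMO_KEY)] for i, b in enumerate(plaintext))


def demo_decrypt(ciphertext: bytes) -> bytes:
    return demo_encrypt(ciphertext)  # XOR with the same key is its own inverse


@dataclass
class _Entry:
    ciphertext: bytes
    expires_at: datetime


@dataclass
class TemporaryCredentialStore:
    """Policy 2 (the DKB special case): keep the credential encrypted, but
    never past the access expiry and never longer than MAX_RETENTION."""
    encrypt: Callable[[bytes], bytes]
    decrypt: Callable[[bytes], bytes]
    _entries: Dict[str, _Entry] = field(default_factory=dict)

    def store(self, access_id: str, credential: str,
              access_expires_at: datetime, now: datetime) -> None:
        # Refuse anything that would outlive the access or the 90-day cap.
        if access_expires_at <= now:
            raise ValueError("access has already expired; nothing to store")
        if access_expires_at - now > MAX_RETENTION:
            raise ValueError("retention would exceed the 90-day cap")
        self._entries[access_id] = _Entry(
            self.encrypt(credential.encode("utf-8")), access_expires_at)

    def fetch(self, access_id: str, now: datetime) -> Optional[str]:
        """Return the credential while the access is live, otherwise None."""
        self.purge_expired(now)
        entry = self._entries.get(access_id)
        if entry is None:
            return None
        return self.decrypt(entry.ciphertext).decode("utf-8")

    def purge_expired(self, now: datetime) -> int:
        """Permanently delete every entry whose access has expired."""
        expired = [k for k, e in self._entries.items() if e.expires_at <= now]
        for key in expired:
            del self._entries[key]
        return len(expired)

    def count(self) -> int:
        return len(self._entries)


def demonstrate() -> dict:
    """Run both policies on constructed sample data and report the outcomes."""
    now = datetime(2024, 1, 1, tzinfo=timezone.utc)
    sample = "DE00 0000 0000 0000 0000 00"  # constructed placeholder, not a real IBAN
    store = TemporaryCredentialStore(demo_encrypt, demo_decrypt)
    store.store("access-1", sample, now + timedelta(days=30), now)
    live = store.fetch("access-1", now + timedelta(days=29))   # still within access
    gone = store.fetch("access-1", now + timedelta(days=30))   # purged at expiry
    try:
        store.store("access-2", sample, now + timedelta(days=91), now)
        over_cap_rejected = False
    except ValueError:
        over_cap_rejected = True
    forwarded = pass_through(sample, lambda c: c == sample)    # stand-in bank call
    return {"live": live, "after_expiry": gone, "over_cap_rejected": over_cap_rejected,
            "remaining": store.count(), "pass_through_ok": forwarded}


if __name__ == "__main__":
    for name, value in demonstrate().items():
        print(f"{name}: {value!r}")
```

The store takes `now` as an explicit argument rather than reading the clock, so the expiry and cap checks are deterministic and testable; the purge runs on every read, so an expired credential can never be returned even if a scheduled cleanup is late.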

