SCA over API
If you would like to provide your native brand experience to your customers, we have endpoints that allow you to set up authentication methods for your customers and build stronger authentication.
Wise offers four authentication methods that cover different aspects of user identity and possession:
Method | Type | Description |
---|---|---|
PIN | Knowledge-Based Authentication (KBA) | Users must provide a 4-digit code to verify their identity and access the service. |
Device Fingerprinting | Possession Authentication | Users must use a device that has been registered with your application and must pass a proof of authenticity check to verify their identity. |
Phone Based OTP | Possession Authentication | Users must have a phone that is already registered with us to receive an OTP code, which they then enter to prove their identity. |
FaceTec | Inherence Element Authentication | Users complete a FaceScan, which is forwarded to Wise for verification. |
The lifecycle of SCA typically consists of the following stages:
Lifecycle | Description |
---|---|
Setting up | The user sets up SCA by providing their phone number, or other contact information to the application. |
Encountering | The user encounters SCA for the first time when they attempt to access a restricted feature or perform a high-risk transaction. |
Triggering | The application triggers SCA by sending an OTP or prompting the user to authenticate using another method. |
Challenging | The user is challenged to provide their authentication credentials (e.g., enter a code received via SMS or phone call, or provide biometric information). |
Authenticating | The user provides their authentication credentials and is authenticated successfully. |
Completing | After successful authentication, the user can access the restricted feature or perform the high-risk transaction. |
Many strong customer authentication (SCA) methods require a set-up process in which the user must provide information or register their device before they can use the service. It's important to provide an onboarding flow in your application that enrolls your end users in SCA.
PIN
For PIN-based authentication, it's important to collect the PIN information directly from the end customer through a secure client-side encryption method. This ensures that the PIN is not compromised during transmission.
To learn more about how to implement PIN-based authentication securely, you can refer to the following example.
Device Fingerprint
For device fingerprinting-based authentication, it's important to use client-side encryption to collect the information directly from the device, and then forward the encrypted information securely to Wise. You should never persist the device fingerprint in any form. This ensures that the fingerprint is collected securely and accurately represents the user's device.
To learn more about how to implement Device Fingerprint authentication securely, you can refer to the following example.
Phone Based OTP
For phone-based OTP authentication, Wise offers multiple OTP methods such as SMS, Voice, and WhatsApp. Use a secure endpoint provided by Wise to update the end user's phone number, and perform phone number verification on your end before updating the information with Wise. Please reach out to your implementation manager if you would like to use this method.
To learn more about how to implement Phone Based OTP authentication securely, you can refer to the following example.
FaceTec
To implement FaceTec-based authentication, integrate with FaceTec and propagate the FaceMap to us for verification. To learn more about how to implement FaceTec-based authentication securely, you can refer to the following example.
When your users call Wise's endpoints, a high-risk transaction endpoint may respond with a 403 status code and two headers:
- x-2fa-approval-result with the value REJECTED, indicating that the request requires additional verification
- x-2fa-approval carrying a string value used to manage and build strong customer authentication.
For more information on how to manage strong customer authentication using the response header values, you can refer to our one-time token guide.
Only phone-based OTP authentication requires a trigger, allowing end users to choose when to send the OTP code and which phone number the message should be sent to.
The user is prompted to provide their authentication credentials (e.g., enter a code received via SMS or phone call, or provide biometric information).
We recommend having fallback challenges available to your customers in case users are unable to complete the primary challenge methods.
Two factors of successful authentication are always required to build strong customer authentication.
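The following is an added example (not Wise's own code) that ties together the 403 response handling described above and the two-factor requirement: it recognises an SCA challenge only when both headers are present, tracks which methods the user completed, and treats "two factors" as two different factor categories from the methods table (so two possession methods alone do not qualify, an assumption based on the usual SCA definition). It also assumes that the retried request echoes the token back in the x-2fa-approval header, which the one-time token guide covers; the sample response is constructed.

```python
from dataclasses import dataclass, field
from typing import Optional

# Method -> factor category, taken from the methods table on this page.
FACTOR_TYPE = {
    "PIN": "knowledge",
    "DEVICE_FINGERPRINT": "possession",
    "PHONE_OTP": "possession",
    "FACETEC": "inherence",
}

@dataclass
class ScaChallenge:
    token: str                      # value of the x-2fa-approval header
    completed: list = field(default_factory=list)

    def record(self, method: str) -> None:
        self.completed.append(method)

    def is_strong(self) -> bool:
        # Assumption: two *distinct* categories are needed, so OTP plus
        # device fingerprint (both possession) is not yet strong.
        return len({FACTOR_TYPE[m] for m in self.completed}) >= 2

def sca_required(status: int, headers: dict) -> Optional[ScaChallenge]:
    """Return a challenge if the response is a 403 asking for SCA, else None.
    A 403 without x-2fa-approval-result: REJECTED is an ordinary
    authorization failure and must not be treated as an SCA prompt."""
    h = {k.lower(): v for k, v in headers.items()}  # header names are case-insensitive
    if status != 403 or h.get("x-2fa-approval-result") != "REJECTED":
        return None
    token = h.get("x-2fa-approval")
    if not token:
        return None
    return ScaChallenge(token=token)

def retry_headers(ch: ScaChallenge) -> dict:
    """Headers for the retried request once SCA is complete.
    Assumption: the one-time token is echoed back in x-2fa-approval."""
    if not ch.is_strong():
        raise ValueError("strong customer authentication incomplete")
    return {"x-2fa-approval": ch.token}

# Constructed sample 403 response from a high-risk endpoint (not real data).
SAMPLE_STATUS = 403
SAMPLE_HEADERS = {"X-2FA-Approval-Result": "REJECTED",
                  "X-2FA-Approval": "ott-example-token"}
```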
For high-risk transactions, a single strong customer authentication session can only be used once, requiring a new session to be established for subsequent transactions.
Wise enables trusted partners to offer end users the option to perform lower-risk transactions without requiring them to undergo strong customer authentication again, provided they have already completed SCA and remain actively authenticated since then.