CIBA: x-fapi-device-id header

Comments (12)

1. 

   Dave Tonge reporter

   • edited description

   • 2017-07-19T13:54:49+00:00
2. 

   Sascha Preibisch

   In our CA's mobile SDK that we ship with our APIM solution we also have a device-id. It is always included whenever the client sends a request. This id is included when the client requests a token and also when the token is used on a protected API.

   To be precise, the client first goes through a registration process which results in the server issuing that id. As of then it is always used by the client. This allows the server to be in control of the type of ID and prevent duplicates. It has been very useful so far.

   • 2017-07-20T06:43:01+00:00
3. 

   Nat Sakimura

   • changed component to CIBA

   • 2017-08-26T14:59:04+00:00
4. 

   Nat Sakimura

   Agreed. It should be useful.

   • 2017-08-26T15:10:25+00:00
5. 

   Axel Nennker

   Do you recommend CIBA to be changed?

   • 2017-09-06T13:44:03+00:00
6. 

   Dave Tonge reporter

   I think that would be a good idea. Although the name of the header should probably be simply device-id

   • 2017-09-14T10:41:55+00:00
7. 

   Dave Tonge reporter

   we discussed that a device id probably wouldn't be useful, however a device type and geolocation could be useful.

   • 2017-11-06T16:01:36+00:00
8. 

   Axel Nennker

   Could you please clarify who would send or not send which information to whom for what purpose. Experts in FAPI probably know this from the issue description, while I don't.

   Is this talking about the AZ sending fraud detection info to the authentication device which is then consumed by an authenticator app that changes the UI depending on the info?

   Or is this talking about information send from the authentication device to the AZ? Or is this talking about info send from the AD to the AZ and the consumption device.

   • 2017-11-15T08:56:42+00:00
9. 

   Dave Tonge reporter

   @ignisvulpis sorry for the delay in getting back to you.

   This is about the client including metadata about the consumption device when posting the CIBA Authentication Request to the AS. For example device type could be: Petrol Pump | POS Terminal | Transport Ticket Machine, etc.

   In a payments flow, the main use-case for this data would be to give the AS information that could help its fraud decision engine.

   The metadata could be passed through to the authentication device to give the user more context on the access they are approving, but that is not it's intended purpose.

   @ve7jtb and @Nat what should we do about this ticket - given that we don't have a suitable source of device types?

   • 2018-01-04T14:52:40+00:00
10. 

    Axel Nennker

    I would handle data that is shown to the user different to data that is used by the OP for fraud detection.

    Arbitrary text shown to the user makes it easier to phish the user or to show inappropriate content or text that does not fit the screen space on the user device. Difficult topic.

    Sending fraud prevention data to the OP and from that the OP chooses appropriate text to the user might be safer.

    Or each Petrol Pump could be its own Client registered to the OP. That would provide the AZ with a client name at registration time.

    • 2018-01-04T19:00:26+00:00
11. 

    Dave Tonge reporter

    I agree, that the data should be handled separately. I've adjusted the FAPI CIBA profile to say:

    1. should send metadata about the consumption device, for example geolocation and device type.

    NOTE: It may be useful for an FI’s fraud systems to know the location and type of the consumption device. The format and schema for such metadata is outside the scope of this profile.

    • 2018-01-09T22:19:10+00:00
12. 

    Dave Tonge reporter

    • changed status to resolved

    This issue has already been addressed. There is a similar open issue though: https://bitbucket.org/openid/fapi/issues/146/ciba-fraud-indicator-standards-and-signed

    • 2019-06-19T10:09:35+00:00
13. Log in to comment