Statement of community opposition to credential sharing for user impersonation.

We are very grateful for the support represented by your pledges. As you can see, the Opinion of the European Banking Authority released on 29 June 2017 (proposal d, starting on page 7) reflects the misgivings we have collectively expressed.

This is a welcome first step, but it is vital to ensure that the EBA’s Opinion is actually reflected in the finalised regulatory position. Please pledge, and continue to share this link with your networks and communities, so that collectively we maintain our stand and reinforce the EBA’s position on ‘screen scraping’ until there is evidence of a formal change in the policy position in the next release.

The background is that the recent draft of the PSD2 standard permitted this bad practice: third parties accessing a customer’s account by collecting and replaying the customer’s own credentials (so-called ‘screen scraping’). While it may not be possible to phase the practice out overnight, it should not be legitimized in PSD2 or in any other ecosystem.

Any system that requires individuals to surrender their credentials to third parties for that system to function correctly should be viewed with suspicion and mistrust, given the options that exist today for the secure exchange of personal and financial information.

Supporting or condoning current practice, in which users are exposed to impersonation and fraud, carries a significant risk of legitimizing today’s sub-optimal security environments.

The currently proposed Open Banking standard is based on best-practice security and authorisation standards that have been implemented over the last decade precisely to eliminate credential collection. These delegated access standards are tried and tested: the customer authenticates with the bank directly, and the third party receives only a limited, revocable grant rather than the customer’s password. Fintech companies and banks should be required to offer and use appropriate authentication and delegated access support for financial APIs.
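To make the distinction concrete, here is an added example that is not part of this statement or of any Open Banking specification. It models both access styles in Python and assumes delegated access works in the style of OAuth 2.0 bearer tokens (the statement itself does not name the standard); the `Bank`, `ScrapingAggregator` and `DelegatedAggregator` classes, their scope names, the token format and the sample password are all constructed for illustration.

```python
"""Credential sharing versus delegated access, modelled as a toy bank and two
third-party aggregators. Added example; assumes an OAuth 2.0-style scoped,
expiring, revocable bearer token. Everything here is constructed for
illustration and is not any real bank or Open Banking API."""
import hashlib
import hmac
import secrets
import time


class Bank:
    """Toy bank offering both a password login and a delegated-access token."""

    def __init__(self, password):
        self._pw_hash = hashlib.sha256(password.encode()).digest()
        self._key = secrets.token_bytes(32)   # token-signing key; never leaves the bank
        self._revoked = set()

    def _password_ok(self, password):
        candidate = hashlib.sha256(password.encode()).digest()
        return hmac.compare_digest(candidate, self._pw_hash)

    # Screen-scraping path: whoever holds the password *is* the customer,
    # so the session carries every capability the customer has.
    def login(self, password):
        if not self._password_ok(password):
            raise PermissionError("bad password")
        return frozenset({"balances", "transactions", "payments"})

    # Delegated-access path: the customer authenticates here, and the third
    # party is handed only a scoped token (format: id|scopes|expiry|hmac tag).
    def authorize(self, password, scopes, ttl, now):
        if not self._password_ok(password):
            raise PermissionError("bad password")
        token_id = secrets.token_hex(8)
        payload = f"{token_id}|{','.join(sorted(scopes))}|{int(now) + ttl}"
        tag = hmac.new(self._key, payload.encode(), hashlib.sha256).hexdigest()
        return f"{payload}|{tag}"

    def revoke(self, token):
        """Customer or bank withdraws one grant; the password is untouched."""
        self._revoked.add(token.split("|", 1)[0])

    def access(self, token, scope, now):
        """True only if the token is genuine, unexpired, unrevoked and covers `scope`."""
        try:
            token_id, scope_list, expires, tag = token.split("|")
        except ValueError:
            return False
        payload = f"{token_id}|{scope_list}|{expires}"
        expected = hmac.new(self._key, payload.encode(), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(tag, expected):
            return False                       # forged or tampered token
        if token_id in self._revoked or int(now) >= int(expires):
            return False
        return scope in scope_list.split(",")


class ScrapingAggregator:
    """Stores the customer's password and replays it; indistinguishable from the customer."""

    def __init__(self, password):
        self.password = password               # a breach here is a breach of the bank account

    def can(self, bank, scope):
        return scope in bank.login(self.password)


class DelegatedAggregator:
    """Holds only a scoped token and never sees the password."""

    def __init__(self, token):
        self.token = token

    def can(self, bank, scope, now):
        return bank.access(self.token, scope, now)


def compare(password="correct horse battery staple"):   # constructed sample credential
    """Run both aggregators against the same bank and report what each can do."""
    bank = Bank(password)
    now = int(time.time())
    scraper = ScrapingAggregator(password)
    token = bank.authorize(password, {"balances", "transactions"}, ttl=600, now=now)
    delegated = DelegatedAggregator(token)
    forged = token[:-1] + ("0" if token[-1] != "0" else "1")   # flip one hex digit of the tag
    results = {
        "scraper_can_pay": scraper.can(bank, "payments"),          # full impersonation
        "delegated_can_read": delegated.can(bank, "balances", now),
        "delegated_can_pay": delegated.can(bank, "payments", now),  # outside granted scope
        "delegated_after_expiry": delegated.can(bank, "balances", now + 601),
        "forged_token": bank.access(forged, "balances", now),
    }
    bank.revoke(token)
    results["delegated_after_revoke"] = delegated.can(bank, "balances", now)
    results["scraper_after_revoke"] = scraper.can(bank, "payments")  # only a password change stops it
    return results


if __name__ == "__main__":
    for name, ok in compare().items():
        print(f"{name}: {ok}")
```

The point the two aggregators make is the one the statement is making: with a stored password the third party can do anything the customer can, and the only way to cut it off is to change the password, whereas a delegated grant is limited to the scopes the customer approved, expires on its own, and can be revoked individually without touching the credential.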

The Kantara Initiative, Inc. is supported by the Identity Ecosystem Steering Group, Inc. (IDESG) in its effort to educate on identity and privacy best practices. The IDESG Identity Ecosystem Framework (IDEF) specifically calls for proper issuance and management of identity credentials, and reinforces the need to adopt the principles called for here.

The undersigned strongly urge policymakers to put customers first and not accept bad practice into standards for PSD2.


Digital Identity Professionals who signed:
