Statement of community opposition to credential sharing for user impersonation.


We’re very grateful for the support represented by your pledges. As you can see in the Opinion of the European Banking Authority, in proposal d (starting on page 7), released on the 29th June 2017, the misgivings we have collectively expressed are reflected there.

This is a welcome first step, but it is vital to ensure that the EBA’s Opinion is actually reflected in the finalised regulatory position. Please pledge, and continue to share this link with your networks and communities, so that collectively we maintain our stand and reinforce the EBA’s position on ‘screen scraping’ until there is evidence of a formal change in the policy position in the next release.

The background is that the recent draft of the PSD2 standard contained this bad practice. While it may not be possible to phase it out overnight, it should not be legitimized in PSD2 or in any other ecosystem.

Any system that requires individuals to surrender their credentials to third parties for that system to function correctly should be viewed with suspicion and mistrust, given the options that exist today for the secure exchange of personal and financial information.

Supporting or condoning currently risky behaviour, in which users are exposed to impersonation and fraud, carries a significant risk of legitimizing the current sub-optimal security environments.

The current proposed Open Banking standard is based on best practice security and authorisation standards that have been implemented over the last decade to eliminate credential collection behaviour. The proposed delegated access standards are tried and tested. Fintech companies and banks should be required to offer and use appropriate authentication and delegated access support for financial APIs.

The Kantara Initiative, Inc is supported by the Identity Ecosystem Steering Group, Inc (IDESG) in its effort to educate on identity and privacy best practices. The IDESG identity ecosystem framework (IDEF) specifically calls for proper issuance and management of identity credentials and reinforces the need for the adoption of those principles as called for here.

The undersigned strongly urge policymakers to put customers first and not accept bad practice into standards for PSD2.


Digital Identity Professionals who signed:

First Name Last Name Organization
Allan Foster Kantara
Ralph Bragg Raidiam Llp
John Bradley Ping Identity
Eve Maler Self
Mark Lizar Open consent
Sal D'Agostino IDmachines
Andre Boysen SecureKey
Colin Wallis Kantara Initiative, Europe
Yasunori Ikeda NRI SecureTechnologies, Ltd.
Mark Haine Raidiam LLP
Michael Schwartz Gluu
William Lowe Gluu
Andy Hayes Ping Identity
Henrik Biering Peercraft ApS
Barry ODonohoe RAIDIAM LLP
Paul Heaney ProofID
Matthew Thompson Individual
Mike Ellis Forgerock
Adam Migus The Migus Group
Nat Sakimura self
Hans Zandbelt ZmartZone IAM
Jon Lehtinen GE Digital
Patrick Lunney N/A
Erik Naslund Clearent LLC
Loren Stocker Telex, Inc.
UWE BRITFELD U.S. Bank
Ajadex Lopez Ultimate Software
Allen Lipa Synchrony Financial
Jonathan Sander STEALTHbits Technologies
Eric Rakers Centene
Marcus Oh sijo photography
Don DSouza FANNIE MAE
Brad Clements NetDocuments
Rebecca Daniels CSL Behring
Dedra Chamberlin Cirrus Identity, Inc.
Warren Malupo University of Utah
Wayne Blacklock ForgeRock
Jordi Clement iWelcome
Chetan Mutalik Desai Persistent Systems
Lasse Andresen ForgeRock
Raj Parthaje Fannie Mae
Greg Smit Individual
Rachel Gentry RTG Commercial Services
John Heaton-Armstrong Dunamace Ltd
William Morse Prudential
Stina Ehrensvard Yubico Inc
Filip Skokan Individual
Aravindan Ranganathan Arathika identity management
Maciej Machulak Self
Kevin Wanner Prudential
Nishant Kaushik Uniken Inc
Jim Willeke Self
Victor Ake Forgerock
Alan Beecraft ForgeRock
Mehmet Yaliman E.ON Business Services GmbH
Chris Michael Self
David Worrall Secure Cloudlink
Paul Taylor American Airlines
Manish Haldankar Sartik Ltd
Mayur Upadhyaya Janrain
Dave Tonge Self
Jon Shamah EJ Consultants
Freddi Gyara Iyana
Andy Hall ForgeRock
Alain Pulluelo ForgeRock
Tony Tran USBank
Kim Plaisted Self
Christopher Hutton Callsign
Dirk Wahlefeld ITConcepts Professional GmbH
Bhupinder Saini Tejas Infotech Ltd
Anthony Smolyansky Ozbit
Carlos Garcia Optiv
Michael Anderson Collective Underwriters, Inc.
Jim Willeke services.willeke.biz, LLP
Adam Madlin Symantec
Axel Nennker Axel Nennker
Kevin Lynch Synaptics
Stefan Duerbeck AKDB
Leonard Moustacchis ForgeRock
Jin Wen HisGarden.org
Tim Holmes Gravitaz Ltd