Strong Customer Authentication/Highly Regulated Identity

[lemonlion]

Hi,

Are there any plans to introduce an equivalent of Auth0's Highly Regulated Identity feature, to be able to support Strong Customer Authentication? It's a key feature for Fintech companies, and they currently have to role their own messy implementations.

[wcabus]

Duende IdentityServer 7.3 supports the FAPI 2.0 Security Profile.

The Strong Customer Authentication feature, part of PSD2, is about requiring multiple authentication factors such as a biometric aspect (fingerprint, Face ID), a push notification using an authenticator app or WebAuthn. Since Duende IdentityServer is an OAuth 2.0 and OpenID Connect SDK, it does not include any user-related authentication functionality like verifying passwords or asking for an additional authentication factor.
When you build the user sign-in experience in your IdentityServer solution, you will need to implement the PSD2 recommendations as part of your custom user sign-in experience.

[wcabus]

You may find our blog post around Step Up Challenge interesting: it demonstrates how to request a user to re-enter their credentials or provide a second factor when they make specific request in the client application.