Encryption key (auth_key)

To secure the authentication process, the data exchanged between the APP and the PKSA will be encrypted using an encryption key (auth_key). By encrypting these data, the HAS will be unaware of what's going on between the APP and the PKSA and unable to tamper with the authentication process.

Before initiating the authentication process, the APP must create an auth_key for each account it manages. We recommend using a uuid to strengthen security.

This auth_key should be stored by the APP if it plans to perform transactions later.

Each account managed by the APP should use a different auth_key.

The APP should create a new auth_key each time it authenticates an account and should never reuse it for another authentication.

For the PKSA to be able to decrypt the payload sent to it by the APP, the APP will have to share it with the PKSA. This can be done in two ways:

  1. by embedding it in a QR code that the PKSA mobile app will scan

  2. by encrypting it and embedding it in the auth_req authentication payload when running your own PKSA in Service Mode

Last updated