Financial-grade API Security Profile Overview
Get familiar with the Financial-grade API Security Profile (FAPI): what it is and why it is important. Learn when it should be used and when you have to comply with its rules. Find out how SecureAuth can help you protect your APIs in a FAPI-compliant way.
What Financial Grade API (FAPI) Is
Financial-Grade API (FAPI) is a specialized API security standard defined by the OpenID Foundation. Extending the OAuth 2.0 and OpenID Connect (OIDC) frameworks, FAPI aims to provide enhanced security features tailored to the needs of the high-stakes financial industry. This article offers a technical perspective on FAPI, exploring its core components, security protocols, and architectural principles.
FAPI Profiles
There are a couple of defined FAPI profiles:
FAPI 2.0 Message Signing (in a draft status as of 07.09.2023)
While work on the FAPI 1.0 Baseline and Advanced profiles was being finalized, work on FAPI 2.0 had already started. The FAPI 2.0 suite of standards builds on the experience gained with FAPI 1.0 and on wider learnings from the OAuth ecosystem, including the latest OAuth Security Best Current Practice. FAPI 2.0 aims to meet or exceed the security characteristics of FAPI 1.0 while reducing the overall complexity and optionality in the core security profile, making FAPI 2.0 easier and more cost-efficient to implement. FAPI 2.0 differs from FAPI 1.0 by not introducing levels of compliance (Baseline and Advanced in the latter); instead, it introduces the Baseline Profile and the Attacker Model, which expresses the security requirements through security goals and attacker models.
SecureAuth comes with a multi-tenant authorization server profile that meets the requirements of the chosen FAPI profile right away. Additionally, you can configure any server profile for FAPI compliance if needed.
FAPI Security Requirements
Below you can find examples of the security enhancements FAPI introduces.
Strong Customer Authentication (SCA)
FAPI mandates multi-factor authentication (MFA), which typically involves at least two of the three factors: something you know (a password), something you have (a mobile device), and something you are (biometrics).
Request Object Signing
FAPI extends the standard OAuth 2.0 authorization request by introducing signed request objects: JWTs that carry all the OAuth 2.0 authorization request parameters. These JWTs are signed by the client and verified by the authorization server, which ensures their integrity and non-repudiation.
Token Binding
FAPI adopts token binding techniques that bind the issued tokens to a particular client. This mitigates the risk associated with bearer tokens and makes it difficult for unauthorized clients to misuse tokens.
Mutual TLS (mTLS)
FAPI requires both parties (client and server) to present certificates for mutual TLS. This ensures the authenticity and integrity of both ends of the communication channel.
FAPI Compliance and Interoperability
FAPI profiles can be configured to align with various regulatory requirements such as the EU’s Payment Services Directive 2 (PSD2), the Australian Consumer Data Right (CDR), and the UK’s Open Banking Standard. This means that adopting FAPI not only enhances security but also assists in regulatory compliance.