Out-of-band authentication is a type of two-factor authentication that requires a secondary verification method through a separate communication channel. With out-of-band authentication, you can direct the transaction authentication requests to your secure application on an eligible cardholder's device. For example, a mobile phone.
To use the out-of-band authentication flow with your Adyen-issued cards in the European Economic Area (EEA), you need to register the cardholder's device and subsequently authenticate the transactions on this device.
We provide a client-side Authentication SDK that uses the possession factor through device binding, and either knowledge or the inherence factor, depending on the cardholder's device access configuration.
With Adyen's Authentication SDK, you can:
- Check if the cardholder's device is eligible for Strong Customer Authentication (SCA).
- Register your cardholder's mobile device to create device binding.
- Authenticate your cardholder's online card transactions with 3D Secure.
The Authentication SDK integration also works with Adyen's Business Accounts to authenticate funds transfer and transaction lookup.
System requirements
We provide the client-side Authentication SDK in the following languages:
- Kotlin or Java for Android applications
- Swift for iOS applications
Before you start implementing the SDK, make sure that your system follows the requirements.
- Your application targets minimum Android API level 21 or later.
- The authentication feature works on devices running on Android API level 26 and later.
- The authentication feature requires Google Play Services on the cardholder's device.
To ensure the correct support type for 3D Secure on the card program, contact our Support Team.
Installation
To install the Authentication SDK:
-
Add the following line to your
build.gradle
file.implementation "com.adyen.authentication:android-authentication:0.2.1"
Register device
Before starting the device registration, make sure that the operating system on the cardholder's device supports SCA.
The following are the steps you need to do to register the cardholder's device.
- Check SCA eligibility.
- Initiate the device registration from your server.
- Authenticate the cardholder.
- Register the device.
- Finalize the registration from your server.
Step 1. Check SCA eligibility
This functionality requires additional configuration from Adyen. To enable it, contact our Support Team.
To check if the Android device is eligible for SCA:
-
Initiate the
AdyenAuthentication
class in your Activity or Fragment. -
Check if SCA is available on the device.
The output contains
sdkOutput
that you will use when initiating the registration. -
Pass
sdkOutput
to your server.We suggest that you store
sdkOutput
for further usage, in case you need to start the registration process again.
Step 2. Initiate device registration
Registering the device is a one-off procedure. You can only register one device per payment instrument. If you register a new device for a payment instrument that previously had a registered device, this will remove the binding with the old device.
To start the device registration:
-
From your server, make a POST
/registeredDevices
request. To make this request, your API credential needs the following role:- Bank SCA Webservice Role
Reach out to you Adyen contact to set it up for you.
In the request, specify the following:
Parameter Description paymentInstrumentId
The unique identifier of the payment instrument you want to register the device for. strongCustomerAuthentication.sdkOutput
Base64-encoded blob of data created in the previous step. The response returns:
sdkInput
: pass it to the SDK when registering the device.id
: device ID needed when finalizing the registration.
We suggest that you create and store a mapping between the registered device
id
and the human-readable account holder name. For example, RD00000000000000000000001 is "Cardholder's iPhone". You can use this pair later to show the details, for example, when unbinding the device.
Step 3. Authenticate cardholder
In your client app, perform cardholder authentication. PSD2 requires you to perform two-factor authentication (2FA) as an extra security step during the login process.
Step 4. Register the device
After you successfully authenticate your cardholder:
-
Trigger the SDK to start the device registration and pass
sdkInput
from step 2.After the successful registration, the SDK generates a Base64-encoded
sdkOutput
data blob. -
Pass
sdkOutput
to your server.
Step 5. Finalize registration
To finalize the device registration:
-
From your server, make a PATCH
/registeredDevices/{id}
request, specifying the deviceid
in the path and the following parameters in the request body:Parameter Description paymentInstrumentId
The unique identifier of the payment instrument you want to register the device for. strongCustomerAuthentication.sdkOutput
Base64-encoded blob of data created in the previous step. The response contains
success
true.
The registration is now complete. The cardholder can start authenticating future transactions using your app.
Authenticate cardholder
Each time your cardholder makes a transaction that requires 3D Secure, you need to authenticate them. The authentication time frame is valid for 10 minutes.
The following are the steps you need to do to authenticate the cardholder.
- Set up a webhook endpoint.
- Accept the authentication webhook.
- Authenticate the cardholder.
- Finalize the cardholder authentication from your server.
Step 1. Set up a webhook endpoint
Your integration must be able to receive and process webhooks for authentication requests.
-
Create an endpoint on your server that:
- Can receive a JSON object.
- Has an open TCP port for HTTPS traffic on port 443, 8443, or 8843.
- Can handle basic authentication.
-
Send the endpoint URL to your Adyen contact.
To learn more about setting up webhooks, see Set up webhooks.
Step 2. Accept authentication webhooks
When the cardholder makes a transaction that requires authentication, we send a webhook to your server. Your server must respond to the webhook within 10 seconds. Otherwise, the authentication process will fail. The webhook contains the following parameters:
In the request header:
Parameter | Description |
---|---|
sdkInput |
SCA realm="Challenge" authparm1="{sdkInput}" where sdkInput is a Base64-encoded blob of data to be passed to the SDK in the next step. |
In the request body:
Parameter | Description |
---|---|
id |
A unique reference of the 3D Secure challenge. |
paymentInstrumentId |
The unique identifier of the payment instrument. Use this field to direct the authentication request to the correct cardholder. |
purchase |
An object containing the details of the purchase, such as date, merchant name, and amount. |
To ensure that your server has accepted the webhook, we require you to acknowledge every webhook with an HTTP 200 response containing the following:
If we don't receive the response message within 10 seconds or receive status
set to refused, the authentication process will stop.
For more information about webhook setup and best practices, see Set up webhooks.
Step 3. Authenticate cardholder
Your application must display the data from the previous step to the cardholder during the authentication. We recommend that you implement a push notification and use the data from the webhook to inform the cardholder about the details of the transaction they are authenticating for.
After being prompted on the merchant interface, the cardholder proceeds to the application.
Authenticate your cardholder using the SDK. To do so:
-
Trigger the SDK to start cardholder authentication and pass the
sdkInput
value from the previous step.If successful, the result is a Base64-encoded
sdkOutput
data blob.In case of any error that occurs at this stage, return to the check SCA eligibility step and perform the registration steps again.
-
Pass
sdkOutput
to your server.
Step 4. Finalize authentication
You must finalize the authentication within 10 minutes of receiving the request. To finalize the authentication:
-
From your server, make a PATCH
/challenges
request, specifying the following parameters:In the path:
Parameter Description id
The challengeReference
value from the webhook in Step 2.In the request header:
Parameter Description www-authenticate
Set SCA realm
to Challenge. Setauthparm1
with the Base64-encoded value of sdkOutput from cardholder authentication.In the request body:
Parameter Description completed
Set to true. If successful, the response contains the
id
of the challenge andchallengeCompleted
: true.{ "id": "778a7bd0-0f08-4d0b-b6ec-76c3a47f775c", "challengeCompleted": true }
Get updates
We will notify you of the status and outcome of the authentication once the cardholder has completed 3D Secure authentication. Regardless of whether the authentication process was successfully completed, failed, or expired, we send the balancePlatform.authentication.created webhook.
To keep track of webhooks, make sure that your server can receive and accept webhooks.
The balancePlatform.authentication.created webhook contains the following information.