Banking at your fingertips
We're on a mission to allow your users to connect their bank accounts with just a touch of their finger.
Open banking has the potential to make it easier for us, as consumers, to do banking and access financial services. It’s that simple. We can now give consent, with a fine level of detail, to companies and apps of our choice to consume banking data and make direct payments.
Coupled with the biometric facilities present in almost all smartphones, the potential friction associated with granting consent (basically, logging into your bank, going through whatever multiple authentication steps and so on) can be reduced to a fingerprint or just looking at your phone.
Letting your users grant access to their bank data in a seamless, fast way, without needing to type in their passwords or memorable information, offers huge benefits for convenience and security.
And the potential for enacting payments directly from your bank using a biometric factor could bring in a completely new way to make payments person to person or even at the point of sale.
It also helps overcome the friction from Strong Customer Authentication (SCA) for payments, which will be implemented EEA-wide from 14 September 2019 🗓, requiring at least two of three authentication elements (something the user knows, possesses, or is) during user identity verification. We see app-to-app deep linking as an important way to reduce friction.
While there are some mobile apps that can already work this way, the standardisation via open banking (PSD2) can make way for truly generic and ubiquitous services. In other words: a new financial infrastructure built on evolving standards not owned by any single mobile app or payment processor.
So can TrueLayer do it?
Yes! (Well… in many cases — read on.) You can see this in action through TrueLayer’s demo app.
Direct app-to-app authentication on mobile makes for a great user experience. In theory, if you are using a mobile device and have your bank’s app configured for biometric authentication and the bank app can “intercept” the URL calls, then it should just work™.
Except, it doesn’t always seem to. It’s clearly possible, but why have some of our customers had difficulty? In order to get to the bottom of this, we built an Android app and an iOS app to test the whole process.
Testing app-to-app authentication
There are two things that need to happen for app links to work when integrating with TrueLayer:
- The bank being redirected to must have an app present on the mobile device from which the redirect occurs. The app must be configured to allow biometric identification and it must be able to intercept the call which might otherwise go to a regular website.
- After the user has given consent, the bank app must redirect back to TrueLayer who will then redirect back to the originating mobile app. For this to work the originating mobile app must also be configured to allow deep linking (linking directly into a mobile app) and have the correct redirectUrl registered via our Console.
- WebView objects allow you to display web content as part of your activity layout but lack some of the features of fully-developed browsers. A WebView is useful when you need increased control over the UI and advanced configuration options that will allow you to embed web pages in a specially-designed environment for your app.
- Use an alternative to a WebView, such as launching in a browser.
- Tell the WebView what links to expect and how to handle them.
How app-to-app authentication works with TrueLayer
By using a browser, users can be sent straight to the banking app without a problem — if your product is in a mobile web browser instead of an app, or if you open TrueLayer in a mobile browser from your app, this will work right away.
But many of our clients prefer to give their users a more native-feeling experience, which is why WebViews are tempting. Luckily, there are alternatives to WebViews that work with app-to-app authentication!
- For Android: Use Chrome Custom Tabs. This is Google’s recommendation for URLs outside of your own domain and solves the problem of WebViews by allowing app-to-app journeys to work correctly.
- For iOS: Use SFSafariView. However — from our investigation, Apple does not seem to allow deep linking into another app from a redirect (which is necessary when TrueLayer redirects your user to the bank’s URL). That is, user “intent” is required to open another app. For this reason, we’ve added an extra screen on iOS, where your user clicks through to the bank, opening the bank’s app.
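The Android option above, sketched as an added example (not TrueLayer's code): the activity opens the auth link in a Chrome Custom Tab and, when the deep link returns, accepts it only if it matches the registered redirect and carries the value sent out with the request. It assumes the auth link follows the OAuth 2.0 authorization-code pattern with `state` and `code` query parameters; the class name, URLs and `onConsentGranted` are hypothetical placeholders.

```kotlin
import android.content.Intent
import android.net.Uri
import android.os.Bundle
import android.util.Base64
import androidx.appcompat.app.AppCompatActivity
import androidx.browser.customtabs.CustomTabsIntent
import java.security.SecureRandom

// Added example. Declare this activity with launchMode="singleTop" and a
// VIEW/DEFAULT/BROWSABLE intent filter matching the redirect URL below.
class ConnectBankActivity : AppCompatActivity() {
    // Placeholders (assumptions): use the redirect URL registered in the Console
    // and the auth link issued for your client.
    private val redirect = Uri.parse("https://app.example.com/bank/callback")
    private val authLink = Uri.parse("https://auth.example.com/?response_type=code")

    override fun onCreate(savedInstanceState: Bundle?) {
        super.onCreate(savedInstanceState)
        if (intent?.data != null) handleRedirect(intent) else startConsent()
    }

    override fun onNewIntent(intent: Intent) {
        super.onNewIntent(intent)
        handleRedirect(intent)
    }

    private fun startConsent() {
        // Random single-use value binding the redirect to this consent attempt.
        val bytes = ByteArray(16).also { SecureRandom().nextBytes(it) }
        val state = Base64.encodeToString(
            bytes, Base64.URL_SAFE or Base64.NO_WRAP or Base64.NO_PADDING)
        getPreferences(MODE_PRIVATE).edit().putString("state", state).apply()
        val uri = authLink.buildUpon().appendQueryParameter("state", state).build()
        // A Custom Tab is a real browser tab, so the bank's app link can fire.
        CustomTabsIntent.Builder().build().launchUrl(this, uri)
    }

    private fun handleRedirect(intent: Intent) {
        val uri = intent.data ?: return
        // Accept only the exact registered redirect target.
        if (uri.scheme != redirect.scheme || uri.host != redirect.host ||
            uri.path != redirect.path) return
        val prefs = getPreferences(MODE_PRIVATE)
        val expected = prefs.getString("state", null)
        prefs.edit().remove("state").apply() // consume: one redirect per attempt
        if (expected == null || uri.getQueryParameter("state") != expected) return
        val code = uri.getQueryParameter("code") ?: return
        onConsentGranted(code)
    }

    private fun onConsentGranted(code: String) {
        // Hypothetical hook: hand the code to your backend for exchange.
    }
}
```

Any installed app can send an intent to an exported deep-link activity, so the target match and the single-use `state` check are what tie an incoming redirect to a consent journey this app actually started.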
Bank apps that support deep linking for consent
Hot on the investigation above, we set out to determine which of the banks we support on Open Banking currently allow deep linking for consent.
Here are our findings on the state of external deep linking for consent, based on our testing and research (note this is for data access — payment app-to-app availability differs for some banks, for which we’ll publish an update in the future):
As you can see, app-to-app authentication is up and running for most banks, and we expect to see the rest later this year.