Open banking has the potential to make it easier for us, as consumers, to bank and access financial services. It’s that simple. We can now give consent, with a fine level of detail, to companies and apps of our choice to consume banking data and make direct payments.
Coupled with the biometric facilities present in almost all smartphones, the potential friction associated with granting consent (basically, logging into your bank, going through whatever multiple authentication steps and so on) can be reduced to a fingerprint or just looking at your phone.
Letting your users grant access to their bank data in a seamless, fast way, without needing to type in their passwords or memorable information, offers huge benefits for convenience and security.
And the potential for enacting payments directly from your bank using a biometric factor could bring in a completely new way to make payments person to person or even point of sale.
And it helps overcome the frictions from Strong Customer Authentication (SCA) for payments, which will be implemented EEA-wide from 14 September 2019, requiring at least two of three authentication elements (something the user knows, possesses, or is) during user identity verification. We see app-to-app deep linking as an important way to reduce friction.
While there are some mobile apps that can already work this way, the standardisation via open banking (PSD2) can make way for truly generic and ubiquitous services. In other words: a new financial infrastructure built on evolving standards not owned by any single mobile app or payment processor.
So can TrueLayer do it?
Yes! (Well… in many cases — read on.) You can see this in action through TrueLayer’s demo app.
Direct app-to-app authentication on mobile makes for a great user experience. In theory, if you are using a mobile device and have your bank’s app configured for biometric authentication and the bank app can “intercept” the URL calls, then it should just work™.
Except, it doesn’t always seem to. It’s clearly possible, but why have some of our customers had difficulty? In order to get to the bottom of this, we built an Android app and an iOS app to test the whole process.
Testing app-to-app authentication
There are two things that need to happen for app links to work when integrating with TrueLayer:
The bank being redirected to must have an app present on the mobile device from which the redirect occurs. The app must be configured to allow biometric identification and it must be able to intercept the call which might otherwise go to a regular website.
After the user has given consent, the bank app must redirect back to TrueLayer who will then redirect back to the originating mobile app. For this to work the originating mobile app must also be configured to allow deep linking (linking directly into a mobile app) and have the correct redirectUrl registered via our Console.
In every case tested, all failures were due to the use of a WebView.
From the linked page:
WebView objects allow you to display web content as part of your activity layout but lack some of the features of fully-developed browsers. A WebView is useful when you need increased control over the UI and advanced configuration options that will allow you to embed web pages in a specially-designed environment for your app.
What this doesn’t tell you immediately is that WebViews, by default, have no idea how to handle app/deep links. They just fail. There are two ways around this it would seem:
Use an alternative to a WebView, such as launching in a browser.
Tell the WebView what links to expect and how to handle them.
Launching a browser, instead of a WebView, makes it clear the user is leaving an app, which breaks the UX a little. On the other hand, knowing all of the links and apps beforehand doesn’t seem like a viable option: how do you maintain that list, and what if the device doesn’t have the expected app?
So the answer really is to use an alternative to a WebView — but iOS and Android have different options so require different solutions.
How app-to-app authentication works with TrueLayer
By using a browser, users can be sent straight to the banking app without a problem — if your product is in a mobile web browser instead of an app, or if you open TrueLayer in a mobile browser from your app, this will work right away.
But many of our clients prefer to give their users a more native-feeling experience, which is why WebViews are tempting. Luckily, there are alternatives to WebViews that work with app-to-app authentication!
For Android: Use Chrome Custom Tabs. This is Google’s recommendation for URLs outside of your own domain and solves the problem of WebViews by allowing app-to-app journeys to work correctly.
For iOS: Use SFSafariViewController. However, from our investigation, Apple does not seem to allow deep linking into another app from a redirect (which is necessary when TrueLayer redirects your user to the bank’s URL). That is, user “intent” is required to open another app. For this reason, we’ve added an extra screen on iOS, where your user clicks through to the bank, opening the bank’s app.
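An added example, not TrueLayer's own code, of the Android flow described above: the consent link opens in a Chrome Custom Tab instead of a WebView, and the activity accepts the redirect back only when it matches the registered redirect URL. The activity name, both URLs and the `code` query parameter are assumptions, and the activity is assumed to declare a matching VIEW intent filter with `singleTop` launch mode in the manifest.

```kotlin
import android.content.Intent
import android.net.Uri
import android.os.Bundle
import androidx.appcompat.app.AppCompatActivity
import androidx.browser.customtabs.CustomTabsIntent

// Assumed placeholders: use your own auth link and the redirect URL
// you registered in the Console.
private val AUTH_URI: Uri = Uri.parse("https://auth.example.invalid/?client_id=PLACEHOLDER")
private val REDIRECT_URI: Uri = Uri.parse("https://app.example.invalid/callback")

// Hypothetical activity name.
class ConnectBankActivity : AppCompatActivity() {

    override fun onCreate(savedInstanceState: Bundle?) {
        super.onCreate(savedInstanceState)
        // Start consent only on a fresh launch that is not itself the redirect.
        if (!handleRedirect(intent) && savedInstanceState == null) startConsent()
    }

    // The redirect arrives here when the activity is singleTop and already running.
    override fun onNewIntent(intent: Intent) {
        super.onNewIntent(intent)
        handleRedirect(intent)
    }

    // A Custom Tab lets an installed bank app claim its own app link,
    // which a default WebView does not do.
    private fun startConsent() {
        CustomTabsIntent.Builder().build().launchUrl(this, AUTH_URI)
    }

    // Any app can send a VIEW intent to an exported activity, so accept only
    // the exact registered redirect (scheme, host and path) before reading it.
    private fun handleRedirect(intent: Intent?): Boolean {
        if (intent == null || intent.action != Intent.ACTION_VIEW) return false
        val data = intent.data ?: return false
        val matches = data.scheme == REDIRECT_URI.scheme &&
            data.host == REDIRECT_URI.host &&
            data.path == REDIRECT_URI.path
        if (!matches) return false
        val code = data.getQueryParameter("code") // assumed parameter name
        if (code.isNullOrEmpty()) return false
        onConsentGranted(code)
        return true
    }

    private fun onConsentGranted(code: String) {
        // Hypothetical hook: pass the value to your backend over TLS.
    }
}
```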
Bank apps that support deep linking for consent
Hot on the investigation above, we set out to determine which of the banks we support on Open Banking currently allow deep linking for consent.
Here are our findings on the state of external deep linking for consent, based on our testing and research (note this is for data access; payment app-to-app availability differs for some banks, for which we’ll publish an update in the future):
As you can see, app-to-app authentication is up and running for most banks, and we expect to see the rest later this year.
Wrapping up
Our journey into mobile development helped us gain a better understanding of the challenges some of our clients face and exposed the current state of play with regard to app-to-app authentication.
We’ve found that using a WebView doesn’t always work as expected and not every bank supports app-to-app authentication…but there are good alternatives to WebViews and already widespread support.
We’re not quite banking at the touch of a finger yet but the future definitely is on the tip of our collective tongue. Things are just starting to warm up!
Get in touch if you’re interested in learning more about using TrueLayer for Open Banking.