Multi-Factor Authorisation (MFA)

Yapily's knowledge article about Multi-Factor Authorisation (MFA)

For some business and joint accounts, as part of the SCA process for Open Banking, your users may be required to give multiple authorisations to approve the initiation of a payment. The normal authentication method takes place where you execute any of the following requests:

  • POST Create Payment Authorisation Request
  • POST Create Bulk Payment Authorisation Request

You will then redirect the user to the bank using either the authorisationUrl or the qrCodeUrl.

Once the user has authorised the the payment request, unlike the ordinary flow, the Consent object doesn't transition to AUTHORIZED, it transitions to PENDING with information of the extra authorisations included in the Multi Authorisation Object for the payment. This object contains details of how many authorisations are required and how many more need to be completed, e.g.:

{
    "data": {
        "id": "pv3-c8eece27-eb1a-4c27-a13c-2f805703dab2",
        "paymentIdempotencyId": "1d54cf71bfe44b1b8e67247aed455d96",
        "institutionConsentId": "sdp-1-aa9d0941-43ff-4abb-8129-4d56b620b8ee",
        "paymentLifecycleId": "69d554dea74276e8b1b44efb17fc45d1",
        "status": "PENDING",
        "statusDetails": {
            "status": "PENDING",
            "statusUpdateDate": "2019-09-26T15:38:33.401Z",
            "multiAuthorisationStatus": {
                "status": "AWAITING_FURTHER_AUTHORIZATION",
                "numberOfAuthorisationRequired": 2,
                "numberOfAuthorisationReceived": 1,
                "lastUpdatedDateTime": "2019-09-26T15:38:33.408Z"
            }
        }
    }
}

The extra authorisations take place offline (phone, sms, text, email) and are completed by the owner of the business account or the other account holders of the joint account. As these are offline authorisations, they do not take place within Yapily's domain. Once the authorisations are completed, the Consent is updated. You can monitor the status of the Consent using GET Consent until the status transitions to AUTHORIZED.