Understanding FAPI – Blog Series – Part #02 – Banner

Understanding FAPI – Blog Series Part #02

FAPI is an attractive solution in the digitalization of the financial sector. As an interoperable solution for "open banking" scenarios, FAPI allows regulatory requirements to be implemented while meeting a high security standard. FAPI offers various profiles for the OAuth authorization framework. The profiles are used to achieve different security objectives in order to optimally protect various scenarios against cyber attacks.

Various security features are used to achieve the security objectives of FAPI. The focus here is on protecting access tokens and preventing the manipulation of messages. In addition, FAPI implements current security best practices and offers the option of having implementations of the profiles certified. In this way, the FAPI profiles achieve a higher level of security than conventional OAuth and OpenID Connect implementations.


What Is the FAPI?

FAPI offers security profiles for OAuth that can serve as an interoperable solution for "open banking" scenarios. For banks, open banking means ensuring greater data protection and making open APIs available to third parties. Open banking enables people to securely share their financial data with innovative third party companies and increase the freedom to manage their own finances. FAPI aims to meet the high demand for cybersecurity and high levels of regulatory compliance in the financial sector. OAuth alone cannot provide this, as it is a flexible framework with numerous configuration options. FAPI was developed in response to the European Payment Service Directive 2 (PSD2), which was published in 2015.

The FAPI profiles offer a secure and efficient alternative to the widespread technique of screen scraping. You can find out about the major security problem when using this technology in part #01 of the blog series.

Despite their origins in the financial sector, FAPI profiles can also be used in other scenarios that have a high need for cyber security. In the context of eHealth, for example, FAPI can be used to enable secure access to sensitive health data and interaction with patients.


What Security Objectives Does FAPI Offer?

FAPI defines three security objectives: authorization, authentication and the integrity of the session.

Authorization
Access to resources is only possible for authorized clients (service providers, in this case e.g. FinTechs). Attackers cannot access a user's resources; even a stolen FAPI access token does not grant an attacker access.

Authentication
The client can be sure of the identity of the person using it. Attackers cannot log in to a client in the name of another user or steal and use an ID token from another user. 

Integrity of the Session
It is ensured that the user logs in with their own identity and accesses their own resources. The integrity of the session cannot be broken by cross-site request forgery (CSRF) or session swapping attacks: attackers cannot trick the user into logging into someone else's account or accessing someone else's resources.


How Is the FAPI Structured?

There are two FAPI versions, which are divided into different profiles: FAPI 1.0 and the revised FAPI 2.0. Both consist of a profile for APIs with medium risk (Baseline or Security Profile) and a profile for APIs with high risk (Advanced or Message Signing Addon). The general difference between the profiles is the use of signatures to protect requests and responses, as well as the restriction of the use of access tokens to authorized parties.

FAPI profiles in comparison – The FAPI versions and profiles differ in their security and interoperability. (Fig. 1)


The main part of FAPI 1.0 consists of two profiles: the Baseline Profile and the Advanced Profile. The FAPI 1.0 security profiles were published by the FAPI Working Group in March 2021. The specification combines existing OAuth and OpenID Connect security measures with best practices to define two profiles designed for different security levels.

The Baseline Profile was developed for read access to APIs that have a medium risk. Various best practices are used to protect these, such as a short validity period for access tokens.

The Advanced Profile, on the other hand, is designed to protect both read and write access to APIs that pose a high risk. For this purpose, further measures are applied in addition to those of the Baseline Profile to ensure an even higher level of cyber security. Among other things, various requests and responses are signed and access tokens can only be redeemed by the authorized party.

FAPI 1.0 also includes a CIBA Profile, which has not yet been finalized. It provides a secure configuration for the Client-Initiated Backchannel Authentication (CIBA) flow.

FAPI 2.0 consists of an attacker model, the FAPI 2.0 Security Profile and the FAPI 2.0 Message Signing Addon. These are comparable to the concept of the Baseline and Advanced Profiles of FAPI 1.0: The Security Profile offers a high level of basic protection, while the Message Signing Addon extends the Security Profile with the "non-repudiation" security feature. The FAPI 2.0 security profiles are currently still under development. The first "Implementer's Drafts" of the Security Profile and the Message Signing Addon were published in December 2022. FAPI 2.0 also combines existing OAuth and OpenID Connect security measures with known best practices. In addition, the revised FAPI version implements feedback from the industry and thus increases compatibility between applications (interoperability) through simplified configurations.
The Security Profile 2.0 offers greater protection than the Baseline Profile of FAPI 1.0. For example, requests that were previously forwarded to the Authorization Server by the user's browser are now sent directly to the Authorization Server. A further security measure of the Security Profile is the use of sender-restricted access tokens, which are only added in FAPI 1.0 by the Advanced Profile.

The additional use of the FAPI 2.0 Message Signing Addon provides even greater protection than the Security Profile. The add-on provides additional measures, such as signing requests and responses.
As both drafts are currently still under development, changes cannot be ruled out until finalization.


Certification

The OpenID Foundation provides test suites to ensure the correct and compliant implementation of the standard. Implementations that have successfully passed these tests are listed as certified FAPI authorization servers and clients on the certification page. These include well-known providers such as Authlete, ForgeRock and Ping Identity.

Up to now, FAPI 1.0 Baseline and Advanced implementations can be certified independently for clients and for OpenID providers. It is also possible to certify FAPI-CIBA OpenID providers.


Differences Between the FAPI Profiles

The following table shows a comparison of the FAPI profiles, the OAuth 2.0 and OpenID Connect 1.0 standards and the current "OAuth 2.0 Security Best Current Practices" based on selected protective measures. It should be noted that an OAuth 2.0 implementation can optionally implement all the security features mentioned, even if this is not prescribed in the standard.


Features                             | 1.0 Baseline | 1.0 Advanced | 2.0 Security Profile | 2.0 Message Signing | OAuth 2.0 | OAuth 2.0 + BCP | OIDC Core | Screen Scraping
Protection of Access Tokens          | high         | very high    | very high            | very high           | low       | medium          | low       | none
Manipulation Protection of Requests  | low          | very high    | high                 | very high           | low       | low             | low       | none
Manipulation Protection of Responses | low          | very high    | low                  | very high           | low       | low             | medium    | none
CSRF Protection                      | high         | high         | high                 | high                | medium    | high            | medium    | none
Current Security Best Practices      | medium       | high         | high                 | high                | low       | medium          | low       | none
Interoperability                     | medium       | medium       | high                 | high                | low       | low             | medium    | none
Certification                        | possible     | possible     | possible             | possible            | none      | none            | possible  | none


The Baseline and Advanced Profiles, and likewise the Security Profile and the Message Signing Addon, differ primarily in the use of signatures to protect requests and responses, as well as in the use of sender-restricted access tokens.
Signing the messages protects them against manipulation, for instance in the user's browser. As the access tokens can only be redeemed by the authorized party, the risk posed by stolen tokens is minimized: an attacker cannot use a stolen token and cannot independently access the user's resources.
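As an added example (not code from this blog or from any FAPI implementation), the following Python sketch shows the resource-server side of a certificate-bound access token as specified in RFC 8705, one of the sender-constraining mechanisms FAPI relies on: the token carries the SHA-256 thumbprint of the client certificate it was issued to, so a token stolen from the legitimate client is rejected when a different client presents it. The certificate bytes, issuer and claims are constructed sample values; signature verification of the token itself is assumed to have happened already.

```python
import base64
import hashlib
import hmac
from typing import Optional, Tuple

# Constructed sample bytes standing in for the DER encoding of two client
# certificates (not real certificates; a real server takes these from the TLS layer).
LEGIT_CLIENT_CERT_DER = b"\x30\x82\x01\x00constructed-der-legitimate-fintech-client"
ATTACKER_CLIENT_CERT_DER = b"\x30\x82\x01\x00constructed-der-some-other-client"


def x5t_s256(cert_der: bytes) -> str:
    """RFC 8705 thumbprint: base64url(SHA-256(DER)) without padding."""
    digest = hashlib.sha256(cert_der).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")


# Claims of an access token issued to the legitimate client (constructed values).
# The authorization server bound the token to the client certificate at issuance.
LEGIT_TOKEN_CLAIMS = {
    "iss": "https://as.example.bank",  # constructed issuer
    "sub": "user-4711",
    "scope": "accounts",
    "exp": 1_900_000_000,
    "cnf": {"x5t#S256": x5t_s256(LEGIT_CLIENT_CERT_DER)},
}
# A plain bearer token (no cnf claim), as conventional OAuth 2.0 would issue.
BEARER_TOKEN_CLAIMS = {k: v for k, v in LEGIT_TOKEN_CLAIMS.items() if k != "cnf"}


def check_sender_constraint(claims: dict, presented_cert_der: Optional[bytes]) -> Tuple[bool, str]:
    """Accept the token only if the TLS client certificate on this request is the
    one the token was bound to. Returns (accepted, reason)."""
    if presented_cert_der is None:
        return False, "no mTLS client certificate on the connection"
    cnf = claims.get("cnf")
    bound = cnf.get("x5t#S256") if isinstance(cnf, dict) else None
    if not isinstance(bound, str):
        return False, "token is not sender-constrained (missing cnf.x5t#S256)"
    presented = x5t_s256(presented_cert_der)
    if not hmac.compare_digest(bound, presented):  # constant-time comparison
        return False, "client certificate does not match the token binding"
    return True, "token bound to the presenting client"


if __name__ == "__main__":
    print(check_sender_constraint(LEGIT_TOKEN_CLAIMS, LEGIT_CLIENT_CERT_DER))    # accepted
    print(check_sender_constraint(LEGIT_TOKEN_CLAIMS, ATTACKER_CLIENT_CERT_DER)) # stolen token, wrong cert
    print(check_sender_constraint(BEARER_TOKEN_CLAIMS, LEGIT_CLIENT_CERT_DER))   # not sender-constrained
    print(check_sender_constraint(LEGIT_TOKEN_CLAIMS, None))                     # no client cert
```

A FAPI resource server rejects the second, third and fourth case; only the first, where the presenting client is the one the token was issued to, succeeds.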

In addition, FAPI offers reliable CSRF protection and compliance with current security best practices. Compared to older standards, FAPI thus provides more security, even against current cyber attacks.
Another advantage of FAPI is its increased interoperability, which is also guaranteed by official certification. Thanks to clearly defined profiles, more applications are compatible with each other than with the many configuration options left open by the OAuth framework, for example.

FAPI Security Evaluation – Comparison of the examined standardizations based on their security features. (Fig. 2)


In conclusion, FAPI offers more security, more interoperability and an easier development process than conventional OAuth and OpenID Connect implementations. This is also shown by our security evaluation in Figure 2.

Further technical details will follow in one of our next blog articles.


In further parts of the "Understanding FAPI" series, we will explain the measures that FAPI profiles use to achieve the high level of security in the financial sector and even protect against complex mix-up attacks.

Understanding FAPI Part #03: How Does the Protection of FAPI 1.0 Profiles Differ?

Follow us on X (Twitter) or LinkedIn and don't miss any of our future blog posts.


Blog Series – Understanding FAPI – All parts at a glance

Part #01: How Are Highly Secure APIs Realized With FAPI in the Financial Sector?

Part #02: What Is FAPI All About? – An Overview

Part #03: How Does the Protection of FAPI 1.0 Profiles Differ?

Part #04: From FAPI 1.0 to FAPI 2.0: A Comparison of the Security Profiles for OAuth and OpenID Connect


Our Experts Develop the Optimum Solution for You

APIs – OAuth – FAPI

Are you faced with the decision of how to best protect your APIs and customer data? Or are you already using OAuth and wondering if your implementation is secure?

We will be glad to advise you; contact us for a no-obligation initial consultation. Thus, we are at your side with the following services and solutions:

IT Security Consulting  |  Training  |  Penetration Test

Don't hesitate and find your way to secure APIs with us. We look forward to supporting you with your projects.


Your Contact for OAuth and secure APIs

Dr. Christian Mainka
christian.mainka@hackmanit.de