In high-risk environments like online banking, the security of authentication and authorization is of utmost importance. In this work, we formally analyzed the OpenID Financial-grade API, which is based on the OAuth protocol but extended by many new security mechanisms. The Financial-grade API is currently being adopted by major banks in the UK for giving third-party providers access to their services, and it is one of the most promising protocols for implementing the new European Payment Services Directive. Even beyond Europe, many financial institutions are opening their services to third-party providers.
We formally analyzed the Financial-grade API using the WIM, the most comprehensive model of the web infrastructure to date. Through the formal analysis, we found several new attacks on the Financial-grade API, but we also propose fixes and prove that our fixed model of the protocol fulfills our security properties. See you at the conference!