We have implemented the industry standard oAuth 2.0 authentication and authorisation model. When using TrueLayer, an application will never need to access or store credentials or security details, but instead simply redirect the end-user to our secure and customisable “Authorisation Dialog” and receive Tokenised Access to the customer’s data. Our authentication model includes fine-grained permissions and explicit consent. The end-user will:
- Be redirected from the Application to TrueLayer;
- Select their bank among the different banks and providers that we support;
- Securely share login credentials, without disclosing them with the recipient application;
- Grant fine-grained permissions to the application;
- Provide explicit user consent through a streamlined user experience.
TrueLayer offers a unique security model that significantly reduces the attack surface to safeguard the privacy of shared credentials. In our model, end-users’ credentials are:
- Never accessible by the Application (TPP);
- Never accessible by TrueLayer;
- Always encrypted while in flight and at rest.
In our security scheme, user credentials and login details are encrypted with a uniquely generated key, enciphered with AES-256 and the encryption key is embedded in the Access token that is sent to the application and never stored by TrueLayer.