Ping Achieves FAPI 2.0 Certification

May 25, 2023
Wesley Dunnington, VP, Architecture


I was thrilled to get the news from one of our teammates at Ping that we had achieved FAPI 2.0 certification and were one of the first companies to do so. 

 

I’ve been involved in identity standards for a long time—from the old SAML interop testing days to OAuth to OpenID Connect and now FAPI. It is great to see open standards continuing to grow and thrive.

What is FAPI?

For those that are new to the space, FAPI (Financial-grade API) is a set of security profiles developed by the OpenID Foundation that define a secure, standardized way to protect high-value APIs using OAuth 2.0 and OpenID Connect. The OpenID Foundation is a non-profit open standards body with a vision to help people assert their identity wherever they choose and a mission to lead the global community in creating identity standards that are secure, interoperable, and privacy-preserving.


One of the OIDF's strengths is creating identity protocols that serve billions of consumers across millions of applications. Although each protocol is unique, they all share a common goal: to allow the secure sharing of identity attributes and resources in a standardized and interoperable manner.

The Growth of FAPI

FAPI 1.0 was adopted quickly once it was published. It provided a well-specified, interoperable framework for protecting the APIs used to transmit and receive sensitive financial information.

A formal security analysis and a self-service certification suite added even more to the attraction. Starting with the UK open banking initiative, it has since been adopted by banking ecosystems in Australia, New Zealand, Brazil, the USA, Saudi Arabia, and more. It continued to spread from there, with more and more industries adopting the FAPI framework for the same security and interoperability that had driven its adoption in financial services.

Introducing FAPI 2.0

Now, we have a new evolution, FAPI 2.0. FAPI 2.0 builds on and simplifies FAPI 1.0, providing for existing use cases and some important new ones. FAPI 2.0 has a broader scope than FAPI 1.0. It aims for interoperability between the client and the authorization server, as well as interoperable security mechanisms for the interface between the client and the resource server.

 

In addition to increased interoperability, the protocol is also easier to implement while maintaining a comparable level of security: it is based on OAuth 2.0 and related specifications rather than depending on OpenID Connect, and it removes much of the optionality that FAPI 1.0 allowed.

Where FAPI 1.0 left implementers a choice of mechanisms, the FAPI 2.0 Security Profile pins them down. Confidential clients authenticate with private_key_jwt or mutual TLS; authorization requests are sent through pushed authorization requests (PAR) with PKCE using the S256 method, so no request parameters travel through the browser; the authorization response carries the issuer identifier so a client can detect a mix-up attack; and access tokens are sender-constrained with DPoP or mutual TLS, so a token stolen from a client cannot be replayed by anyone who does not hold the matching key. As far as identity goes, it focuses on strong user authentication and consent management, ensuring that sensitive information is accessed only by authorized entities.
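The client-side artifacts that the profile mandates are small enough to show end to end. The following is an added example written for this page, not code from Ping or from the OpenID Foundation specifications: it builds a PKCE S256 challenge, a private_key_jwt client assertion, a DPoP proof (RFC 9449), and the form body for a pushed authorization request, and includes a minimal authorization-server-side signature check. The client_id `example-client`, the issuer `https://as.example.com`, the redirect URI, the key id `k1`, and the in-process generated keys are all assumptions for illustration; a real deployment gets them from client registration and its key store.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"fmt"
	"math/big"
	"net/url"
	"strings"
	"time"
)

// b64 is base64url without padding, the encoding JOSE uses for JWS segments and JWK coordinates.
func b64(b []byte) string { return base64.RawURLEncoding.EncodeToString(b) }

// randBytes draws from crypto/rand, which does not fail for the system entropy source.
func randBytes(n int) []byte { b := make([]byte, n); rand.Read(b); return b }

// PKCEChallenge derives the S256 code_challenge. The AS stores it from the PAR request and
// recomputes it from code_verifier at the token endpoint, so an intercepted code alone is useless.
func PKCEChallenge(verifier string) string {
	sum := sha256.Sum256([]byte(verifier))
	return b64(sum[:])
}

// publicJWK renders a P-256 public key as the JWK carried in a DPoP proof header.
func publicJWK(pub *ecdsa.PublicKey) map[string]string {
	return map[string]string{"kty": "EC", "crv": "P-256",
		"x": b64(pub.X.FillBytes(make([]byte, 32))), "y": b64(pub.Y.FillBytes(make([]byte, 32)))}
}

// signES256 builds a compact JWS; JWS ES256 signatures are the raw 64-byte r||s, not ASN.1 DER.
func signES256(priv *ecdsa.PrivateKey, header, claims map[string]any) (string, error) {
	h, _ := json.Marshal(header) // maps of strings and integers always marshal
	c, _ := json.Marshal(claims)
	signingInput := b64(h) + "." + b64(c)
	digest := sha256.Sum256([]byte(signingInput))
	r, s, err := ecdsa.Sign(rand.Reader, priv, digest[:])
	if err != nil {
		return "", err
	}
	sig := append(r.FillBytes(make([]byte, 32)), s.FillBytes(make([]byte, 32))...)
	return signingInput + "." + b64(sig), nil
}

// VerifyES256 is the authorization-server side: check the signature against a known public key
// (the client's registered JWKS, or the jwk header of a DPoP proof) and decode header and claims.
func VerifyES256(pub *ecdsa.PublicKey, token string) (header, claims map[string]any, err error) {
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return nil, nil, fmt.Errorf("malformed compact JWS")
	}
	sig, err := base64.RawURLEncoding.DecodeString(parts[2])
	if err != nil || len(sig) != 64 {
		return nil, nil, fmt.Errorf("bad ES256 signature encoding")
	}
	digest := sha256.Sum256([]byte(parts[0] + "." + parts[1]))
	if !ecdsa.Verify(pub, digest[:], new(big.Int).SetBytes(sig[:32]), new(big.Int).SetBytes(sig[32:])) {
		return nil, nil, fmt.Errorf("signature invalid")
	}
	hb, _ := base64.RawURLEncoding.DecodeString(parts[0])
	cb, _ := base64.RawURLEncoding.DecodeString(parts[1])
	if err = json.Unmarshal(hb, &header); err == nil {
		err = json.Unmarshal(cb, &claims)
	}
	return header, claims, err
}

// ClientAssertion is the private_key_jwt a FAPI 2.0 confidential client presents at the PAR and
// token endpoints: iss and sub are the client_id, aud is the issuer, lifetime is short, jti unique.
func ClientAssertion(priv *ecdsa.PrivateKey, clientID, issuer, kid string, now time.Time) (string, error) {
	return signES256(priv,
		map[string]any{"alg": "ES256", "typ": "JWT", "kid": kid},
		map[string]any{"iss": clientID, "sub": clientID, "aud": issuer, "jti": b64(randBytes(16)),
			"iat": now.Unix(), "exp": now.Add(60 * time.Second).Unix()})
}

// DPoPProof is the RFC 9449 proof JWT bound to one HTTP method and URL; the AS binds the access
// token to this key (cnf.jkt), so a token stolen from the client cannot be replayed without it.
func DPoPProof(priv *ecdsa.PrivateKey, method, uri string, now time.Time) (string, error) {
	return signES256(priv,
		map[string]any{"typ": "dpop+jwt", "alg": "ES256", "jwk": publicJWK(&priv.PublicKey)},
		map[string]any{"jti": b64(randBytes(16)), "htm": method, "htu": uri, "iat": now.Unix()})
}

// PARBody is the form POSTed to the PAR endpoint; the browser is afterwards sent to the
// authorization endpoint with only client_id and the returned request_uri.
func PARBody(clientID, redirectURI, scope, challenge, assertion string) url.Values {
	return url.Values{"client_id": {clientID}, "response_type": {"code"}, "redirect_uri": {redirectURI},
		"scope": {scope}, "code_challenge": {challenge}, "code_challenge_method": {"S256"},
		"client_assertion_type": {"urn:ietf:params:oauth:client-assertion-type:jwt-bearer"},
		"client_assertion": {assertion}}
}

func main() {
	clientKey, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader) // assumed registered in the client's JWKS
	dpopKey, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)   // per client instance, never shared
	verifier := b64(randBytes(32))
	assertion, _ := ClientAssertion(clientKey, "example-client", "https://as.example.com", "k1", time.Now())
	proof, _ := DPoPProof(dpopKey, "POST", "https://as.example.com/token", time.Now())
	fmt.Println("POST /as/par\n" + PARBody("example-client", "https://app.example.com/cb", "openid", PKCEChallenge(verifier), assertion).Encode())
	fmt.Println("\nPOST /token\nDPoP: " + proof + "\n...&grant_type=authorization_code&code_verifier=" + verifier)
}
```

The token request that follows the redirect carries the authorization code, the `code_verifier`, a freshly minted client assertion (never reuse a `jti`), and a new DPoP proof for `POST https://as.example.com/token`; the resource server then expects a proof per call that matches the key in the token's `cnf.jkt`. `VerifyES256` only covers the signature: a real authorization server must additionally check `aud` against its issuer, `exp` and `iat` windows, `jti` replay, and, for DPoP, that `htm`/`htu` match the incoming request.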

Working with ConnectID

The FAPI 2.0 profile that Ping initially passed is the Australian FAPI 2.0 ConnectID profile. ConnectID is an open, standards-based national identity infrastructure. It brings together a large group of identity providers to allow users to verify who they are using organizations they already trust. 

 

ConnectID in Australia adopted FAPI 2.0 for their ecosystem and funded the FAPI 2.0 conformance test suite development, as noted in this announcement last year.

 

Ping is working with several major Australian banks to facilitate their IdP capability within the ConnectID ecosystem. The good news for consumers is that they will soon be able to verify their identity through organisations they already trust without their personal data being stored by ConnectID, which will share only the personal data that consumers consent to share.

 

We at Ping are very proud of achieving compliance with the current FAPI 2.0 certifications and I am excited we are trailblazing the way to being on the leading edge of this important work.
