Challenges
By both being part of the banking sphere and having a large partner network, APIs and shared digital solutions are essential parts of the business and continue to increase in importance.
Working with APIs was not new to Volvofinans Bank. Instead the process of finding a solution sprung from a general feeling that they had too many different solutions for API security and identity management. Some APIs were used by third party providers, that’s being verified by an Open Banking trust framework. Other API consumers were Volvofinans’ own web and mobile applications, but also partner applications. Each product/API had its own way of addressing authentication and authorization, and even though some common solutions had been developed they weren’t widely used - they needed a standardized, ONE approach to identity management.
The existing solutions were evaluated for this purpose but was dismissed as too complicated to configure and not able to scale up in the way Volvofinans Bank needed it to. After a thorough review process Volvofinans Bank chose the Curity Identity Server because of its scalability, flexible login options and broad OAuth and OpenID Connect support.
Solution
Flexible login: Powered by the flexibility of the Curity Identity Server, authentication can now be done in many different ways, via built-in capabilities or using external services. The user-facing screens and the flows were possible to tailor to satisfy User Experience (UX) requirements.
Banking-grade security: Using features such as JWT assertion grant type and asymmetrically signed JWTs and mutual TLS for client authentication has given Volvofinans Bank secure ways of issuing access tokens. This helps deliver banking-grade security because these tokens can be tied to a private key that only this client has. Then, when the API is called, it knows that the token was indeed issued to that client application.
Configuration and Operations: Volvofinans is a 24/7 operation, part of providing a secure service is an available, always up identity infrastructure. The vast management features in the Curity product and being built for automation and DevOps makes it straightforward to operate a complex environment with the highest requirements on availability.
We as developers are hands-on professionals and with Curity we get to speak directly to Curity developers instead of going via a non-technical account manager. That makes design conversations so much easier.
Results
Empowered by the Curity Identity Server, Volvofinans Bank have created a very capable platform for Identity and Access Management that is rolled out across their digital services.
We have great confidence in the Curity team in discussions, you can tell they are specialists and know their product. They’re a much-appreciated sounding board.
