Authentication factors
Learn how authentication factors work on the hosted webpage
Mangopay delivers SCA via a unique session on a hosted webpage. The URL for the session is returned by the relevant API calls, and your platform needs to redirect the user to it to complete the session – see SCA session for details on how to do this.
The hosted webpage solution allows your platform to integrate SCA in a secure and seamless way for all necessary actions. The same session can be used for enrollment of the user when their account is created.
On the hosted webpage of Mangopay’s SCA session, the user can take all steps necessary to enroll and authenticate using the factors required by regulations.
Mangopay provides the following authentication factors.
Availability | Factor | Type | Description |
---|---|---|---|
Available | PIN | Knowledge | The individual enters a 6-digit code they defined during enrollment. |
Available | Phone-based one-time passcode (OTP) | Possession | The individual receives a 6-digit OTP via SMS to the phone number provided during enrollment. |
Note – Session lifetime 10 minutes
The unique SCA session is valid for 10 minutes once the PendingUserAction.RedirectUrl is returned by the API.
During this time, the individual must complete all necessary steps for all factors for the session to be considered successful.
The session is identified by the unique token in the RedirectUrl. So if the user refreshes the screen, or closes and re-opens the same link, then they can continue using the same session within 10 minutes.
PIN
The PIN factor relies on a 6-digit code defined and memorized by the individual, which they enter during the session.
Enrollment
To enroll, the individual:
- Defines a 6-digit PIN
- Re-enters the 6-digit PIN a second time to ensure a match
- Clicks Save to confirm
- Enters their PIN defined previously
Authentication
To authenticate, the individual:
- Enters their PIN defined previously
OTP
The OTP factor relies on a temporary 6-digit code sent to the individual’s phone, which they can enter during the session.
Note – OTP lifetime 5 minutes
While the SCA session is valid for 10 minutes, once the user clicks the button to send the SMS, the code is valid for 5 minutes.
The user can request a new code after 30 seconds, even if the first one hasn’t expired.
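The session lifetime, the OTP lifetime and the resend delay described above interact, which matters when planning Sandbox tests or explaining a failed session to a user. The following Python model is an added example, not Mangopay code; the function names, the constructed timestamps and the treatment of the exact expiry instant as expired are assumptions.

```python
from datetime import datetime, timedelta, timezone

# Lifetimes stated on this page.
SESSION_LIFETIME = timedelta(minutes=10)  # starts when RedirectUrl is returned
OTP_LIFETIME = timedelta(minutes=5)       # starts when the SMS is sent
RESEND_DELAY = timedelta(seconds=30)      # wait before a new code can be requested


def session_deadline(redirect_returned_at):
    return redirect_returned_at + SESSION_LIFETIME


def otp_deadline(redirect_returned_at, sms_sent_at):
    # A code sent late in the session is cut short by the session expiry.
    return min(sms_sent_at + OTP_LIFETIME, session_deadline(redirect_returned_at))


def can_request_sms(redirect_returned_at, last_sms_sent_at, now):
    # No SMS can help once the session itself has expired.
    if now >= session_deadline(redirect_returned_at):
        return False
    return last_sms_sent_at is None or now - last_sms_sent_at >= RESEND_DELAY


def classify_entry(redirect_returned_at, sms_sent_at, entered_at):
    # Assumption: the exact expiry instant counts as expired.
    if entered_at >= session_deadline(redirect_returned_at):
        return "session_expired"
    if entered_at >= sms_sent_at + OTP_LIFETIME:
        return "otp_expired"
    return "in_time"


# Constructed timeline: RedirectUrl returned at T0.
T0 = datetime(2024, 1, 1, 12, 0, tzinfo=timezone.utc)

if __name__ == "__main__":
    late_sms = T0 + timedelta(minutes=8)
    # Usable time left for a code requested 8 minutes into the session.
    print(otp_deadline(T0, late_sms) - late_sms)
    print(classify_entry(T0, late_sms, T0 + timedelta(minutes=10, seconds=30)))
```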
Enrollment
To enroll, the individual:
- Enters their mobile phone number (or confirms the pre-populated number, if PhoneNumber was present in the API call to create or update the user)
- Clicks a button to send the SMS
- Enters the 6-digit code received by SMS
Authentication
To authenticate, the individual:
- Clicks a button to send the SMS
- Enters the 6-digit code received by SMS
Test data
In Sandbox, you can use the phone number 0611111111 and FR (+33611111111) with the passcode 702100 to simulate a successful flow. You can also send this data in the PhoneNumber (or LegalRepresentative.PhoneNumber) to pre-populate the field.
You can also test by using a real phone number to receive the SMS OTP.
Handling phone number data
Mangopay’s SCA session allows the individual to provide their phone number directly to Mangopay. This data is not shared with your platform for privacy reasons. The same phone number can be used with more than one user account.
Your platform can send the user’s phone number to Mangopay via the API – in the PhoneNumber parameter of the Natural User or the LegalRepresentative.PhoneNumber of the Legal User.
If the phone number data is present in the user object, then the field is pre-populated for the user to confirm or modify.
Note – SCA session phone number doesn’t update API
The phone number provided or confirmed by the user during the SCA session is not subsequently updated in the User API object.
Changing the PhoneNumber or LegalRepresentative.PhoneNumber data in the API object triggers SCA re-enrollment.