Date of Award

Fall 9-2020

Document Type


Degree Name

Bachelor Degree


Computer Science

First Advisor

Ramiz Hoxha

Second Advisor

Ludwig Adam

Third Advisor

Max Gröning




Online banking is growing fast, and customers are becoming increasing more comfortable with it than with the traditional bank services. Banks have to remain up to date with the latest trends in technology to satisfy customers’ demands for their everyday usage of banking services. Various banks often offer mobile applications with many features so that the user does not have to talk over the phone or chat via the internet with customer support, or even to physically go to the bank branch. When a bank releases its own online banking app for smartphones, the customer is likely to download it and start using it, as it is typically the only available choice. This certainly represents a secure way of accessing the bank account information, since there is no third party between the bank and the customer, regardless of the limitations that the online banking system can have.

According to a new European directive, called PSD2, all EU banks must set up online banking interfaces, which should be opened for access by third parties. Third parties could be social media platforms, video games or even virtual banking apps. The entities referred to as third party providers in PSD2 can perform every online banking service, such as downloading revenue and transaction statementsor making transfers, the same services which before only the bank could offer. This is expected to certainly encourage third party providers to compete for bringing attractive solutions for customers.

Of course, a third party provider will be able to mediate such sensitive information, only after the customer gives permission to the provider for the service in question. For a secure way of giving permission, PSD2 presented the so-called Strong Customer Authentication. Strong Customer Authentication, shortly known as SCA, is a new European regulatory requirement that aims to reduce fraud and make online banking services more secure. For security reasons, SCA is done without the mediation of the third party provider, so it is a complete process between the customer and the bank. This way of authentication requires the usage of at least two out of three private elements of the customer, which could be: something that the customer knows (for example a password or a PIN), something that the customer has (for example a phone or a hardware token) or something that the customer is (for example his/her fingerprint or face recognition).

In this thesis the role of a third party in the process of SCA is explained. Regarding PSD2, one of the ways to perform SCA is by doing an Authorization Code Flow of the OAuth protocol. In this case the third party provider is the client application and the bank – or as it is called in PSD2, the Account Service Payment Service Provider (ASPSP) –is the authorization server. The main focus of this thesis is the design and the implementation of the SCA using the OAuth Approach.

In addition, this thesis also elaborates the design of a PSD2-compliant XS2A Client, which is able to communicate with multiple complex interfaces of different banks. The XS2A Client offers a unified and protected REST API which wraps the PSD2-required services.

This thesis is developed in cooperation with petaFuel GmbH and the code for its implementation waswritten in Java as an open source project.