What API Authentication Methods Do Banks Use?

Asked By CuriousCoder42 On

I'm curious about the types of authentication and authorization mechanisms that banks employ for their APIs. Specifically, what approaches do you find suitable for APIs that are accessed internally by different departments in the bank? Additionally, how do these methods change when the APIs are intended for use by business partners?

3 Answers

Answered By TechWhiz99 On

In most enterprises, you’ll typically rely on off-the-shelf authentication solutions or libraries rather than having custom mechanisms tailored for the banking sector. For internal API usage, it's best to integrate with whatever enterprise authentication system is in play, like Active Directory or Auth0. This way, you avoid maintaining separate user IDs, aligning user access with the existing HR and security frameworks. For example, using AD group memberships or SAML assertions tied to your endpoints could simplify things significantly. If you're on a VPN with domain-registered clients, consider utilizing Kerberos tokens. Just remember that while you can have a custom authorization database internally, the aim should be to defer authentication to established systems.

When it comes to external APIs, the setup will depend heavily on your clients' requirements. Sometimes they might use AD credentials directly or have a federated authentication scheme. For smaller partners or vendors, you might need to manage user IDs on your end. Always touch base with the bank's security guidelines to ensure you’re on the right track regarding user management and secure protocols. Additionally, server clients could authenticate through methods like bidirectional SSL or IP range restrictions, but just be cautious about the whole dynamic with IPs, especially for sizable infrastructures like AWS.
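To make the split described in this answer concrete (authentication deferred to the enterprise identity provider, authorization kept in a local database, partners admitted by mutual TLS plus a source-range check), here is an added example that is not part of the original thread or of any product it mentions. The HMAC-signed assertion stands in for an IdP-issued token, the group-to-endpoint map and the partner allowlist are constructed data, and the `peer_cert` dictionary follows the shape Python's `ssl.SSLSocket.getpeercert()` returns; a real deployment would validate a SAML or OIDC token signed with the IdP's asymmetric key instead.

```python
import base64
import hashlib
import hmac
import ipaddress
import json
import time
from typing import Optional

# Constructed signing key standing in for the IdP's key material (assumption: a
# real IdP signs with a private key and the API only ever holds the public half).
IDP_SECRET = b"constructed-demo-secret-not-for-production"

# Custom authorization database kept by the API: which directory groups may call
# which internal endpoint. Group and endpoint names are constructed.
ENDPOINT_GROUPS = {
    "/internal/ledger/read": {"Finance-Readers", "Finance-Admins"},
    "/internal/ledger/post": {"Finance-Admins"},
}

# External path: client-certificate subject CN (from mutual TLS) mapped to the
# source ranges and endpoints that partner may use. All values are constructed.
PARTNER_ALLOWLIST = {
    "partner-a.example": {
        "cidrs": ["203.0.113.0/24"],
        "endpoints": {"/partner/payments/status"},
    },
}


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def mint_assertion(subject: str, groups: list, ttl: int = 300, now: Optional[float] = None) -> str:
    """Stand-in for the IdP: issue a signed assertion carrying group memberships."""
    now = time.time() if now is None else now
    claims = {"sub": subject, "groups": sorted(groups), "exp": int(now) + ttl}
    body = _b64url(json.dumps(claims, separators=(",", ":"), sort_keys=True).encode())
    sig = hmac.new(IDP_SECRET, body.encode(), hashlib.sha256).digest()
    return f"{body}.{_b64url(sig)}"


def verify_assertion(token: str, now: Optional[float] = None) -> Optional[dict]:
    """Return the claims if signature and expiry check out, otherwise None."""
    now = time.time() if now is None else now
    try:
        body, sig = token.split(".", 1)
        expected = hmac.new(IDP_SECRET, body.encode(), hashlib.sha256).digest()
        # Constant-time comparison so a forged signature leaks nothing via timing.
        if not hmac.compare_digest(expected, _b64url_decode(sig)):
            return None
        claims = json.loads(_b64url_decode(body))
    except ValueError:  # malformed base64 or JSON
        return None
    if claims.get("exp", 0) <= now:
        return None
    return claims


def authorize_internal(token: str, endpoint: str, now: Optional[float] = None) -> bool:
    """Internal path: the IdP assertion authenticates; the local group map authorizes."""
    claims = verify_assertion(token, now)
    if claims is None:
        return False
    allowed = ENDPOINT_GROUPS.get(endpoint, set())
    return bool(allowed.intersection(claims.get("groups", [])))


def authorize_partner(peer_cert: dict, client_ip: str, endpoint: str) -> bool:
    """External path: mutual-TLS subject CN plus a source-range and endpoint check."""
    cn = None
    for rdn in peer_cert.get("subject", ()):
        for key, value in rdn:
            if key == "commonName":
                cn = value
    entry = PARTNER_ALLOWLIST.get(cn)
    if entry is None:
        return False
    addr = ipaddress.ip_address(client_ip)
    in_range = any(addr in ipaddress.ip_network(c) for c in entry["cidrs"])
    return in_range and endpoint in entry["endpoints"]


if __name__ == "__main__":
    tok = mint_assertion("alice", ["Finance-Readers"])
    print(authorize_internal(tok, "/internal/ledger/read"))   # True
    print(authorize_internal(tok, "/internal/ledger/post"))   # False
    cert = {"subject": ((("commonName", "partner-a.example"),),)}
    print(authorize_partner(cert, "203.0.113.7", "/partner/payments/status"))  # True
```

The point the answer makes survives in the structure: nothing in the API mints or stores user credentials, so a leaver removed from the directory loses access without the API team doing anything, while the endpoint-to-group map is the only piece the team owns and reviews. The IP-range check is deliberately secondary to the certificate check, which matches the answer's caution about relying on source addresses for large cloud tenants.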

Answered By SimpleDev12 On

We just went with Auth0 for our authentication needs. It keeps things simple and straightforward without needing any complicated setups.

Answered By TokenNerd77 On

Our solution was custom: we rolled our own token minting system. It was big on security but took a bit more work to set up.
