Web banking authentication security
Mobile trust is a hardware key.
What does the browser hold instead?
A concept-learning portal for the web security layer a mobile bank needs when it adds web banking — FAPI 2.0, DPoP, PKCE, sender-constrained tokens, and the rest of the stack, built as the explanation itself rather than a summary of one.
The mobile→web problem
A full mobile bank runs on a hardware root of trust: a private key in the phone’s secure enclave, gated by biometrics, signing a hash into every request so the backend knows the call came from that bound device. Now the bank is adding web banking — and the browser gives you none of that for free. This portal works out what the web security layer has to be to hold the same bar for UK/EU banking, and teaches every concept it touches.
It’s a learning artifact, not a product. I built the explanation rather than reading one — the fastest way to understand something well enough to explain it to a client.
The core problem
Mobile security rests on hardware you control. The browser doesn’t offer an equivalent. So the web strategy is two moves: get as close to hardware binding as the browser allows (passkeys + sender-constrained tokens), then compensate for the residual gap with layered risk signals. Every page here hangs off that one diagnosis.
Five layers of trust
The whole domain decomposes into eight capabilities across five layers. The Capability Map is the architecture; the Atlas is the full concept glossary.
| Layer | Question it answers | Capabilities |
|---|---|---|
| Establish | Who is the user? | User authentication (C1) |
| Bind & maintain | Is every request from the real, bound client? | Device binding & request integrity (C2) |
| Protect | Is the browser environment safe? | Browser-side security (C3) · anti-phishing (C4) |
| Enforce | Where is policy applied? | Gateway / API edge (C5) |
| Judge | Is this session actually risky? | Fraud & device intelligence (C6/C7) · risk decisioning (C8) |
Where to start
- Atlas — every concept, grouped, one line each.
- Capability Map — the eight capabilities and how they stack.
- FAPI 2.0 — the bank-grade rulebook for OAuth.
- Sender-Constrained Tokens — the direct web heir to the mobile per-request hash.
- Try It — poke the concepts: decode a token, generate a PKCE pair, watch a stolen token fail.
Operating principle: speed of learning beats speed of shipping. A narrow set of concepts understood completely and shown interactively beats a broad glossary understood vaguely.