Starting September 2019, new EU regulations require on-line transactions to go through two-or-more steps multi-factor authentication (MFA), also referred to as Strong Customer Authentication (SCA). This means that when a customer will be performing an online transaction on mobile devices, TV devices or even on desktop, in order to complete the transaction they will be redirected to complete a multi-step authentication with their own bank. The steps in the authentication process may vary from bank to bank.
Impact on apps and games published on Amazon Appstore
The good news for app and game developers who have published apps on Amazon Appstore and have correctly integrated the Amazon In-App Purchase SDK is that there are no further action required, as the multi-factor authentication process will be automatically handled by Amazon.
This is true for apps targeting any Amazon Fire device like Amazon Fire tablets and Amazon Fire TV and including the Amazon Appstore app for Android.
Verify your app correctly handles multi-factor authentication during in-app purchase transactions
If you want to make sure your apps’ implementation of in-app purchase is ready for MFA, you just need to verify that the app correctly follows the steps described in our in-app purchase documentation on the Amazon Developers portal.
The multi-factor authentication system used by Amazon follows the “pessimistic fulfilment” approach.
The “pessimistic fulfilment” approach means that if the customer correctly completes all the steps necessary to satisfy the multi-factor authentication, then the transaction will be correctly processed as successful. In regards of the Amazon in-app purchase implementation, this means the method response.getRequestStatus() in onPurchaseResponse() will return case SUCCESSFUL. At this stage the in-app item can then be fulfilled to the customer.
However, if anything happens during the “challenge phase” of the MFA process (when the customer is prompted to go on their bank’s multi-factor authentication system), for example the customer clicks the “back button” or exits the window showing the MFA challenge, then the response.getRequestStatus() method will return case FAILED, and your app will need to gracefully manage the failed transaction.
Note: There’s one exception to pessimistic fulfillment, and that is for subscriptions with free trial: when customers purchase a subscription with a free trial, the purchase will be fulfilled optimistically, without presenting an MFA challenge. The MFA challenge will be then mandated when free trial expires.
The customer purchase flow with multi-factor authentication on Amazon devices
How the MFA-based customer purchase flow is handled depends on the device capabilities in which the purchase transaction happens. There are two types of MFA purchase flows: “In-band MFA” and “out-band MFA”.
1. In-band MFA: During the purchase flow, the redirection to their bank’s MFA page happens on the same device. The customer doesn’t need to open the retail website to perform the MFA challenge, as the device itself has the browser compatibility required to redirect to their bank’s MFA page. This applies to Amazon Fire tablets (models released in 2013 and beyond) and Android devices with Amazon Appstore app installed.
2. Out-band MFA: During the purchase flow, the customer has to explicitly open a link to the Amazon retail website (which is provided via email) in order to complete the MFA challenge as the device in which the purchase is initiated falls in one of the below category:
a. Amazon Fire TV devices
b. Devices which don’t have browser compatibility.
c. Devices not upgraded to latest build.
Discover more about the Amazon In-App Purchase SDK and how to add it to your apps
If you’re interested in finding out more about Amazon in-app purchase and how to add it to your Android and web apps, please see Amazon In App Purchase Overview.
You can also download a free step-by-step tutorial eBook focused on adding in-app purchases to Android Apps here: Free eBook – How to Add Amazon In-App Purchases and Subscriptions to Android Apps
- Mario Viviani (@mariuxtheone)
Source: Alexa