# Authentication Facilitator source: https://developer.mastercard.com/authentication-facilitator/documentation/index.md ## Overview {#overview} The Authentication Facilitator API is a building block of the Mastercard Authentication Service that enables MDES token requestors to authenticate cardholders leveraging cardholder information maintained by card issuers. The Token Requestor determines when cardholder authentication has to take place for its own program. The Token Requestor is also responsible for specifying and implementing the actions required by the business logic resulting from the authentication code validation information returned by the Authentication Service. Authentication is performed based on a Mastercard-generated authentication code that the card issuer sends over to the cardholder. The Authentication Facilitator API provides the outbound web request to notify issuers of an authentication code to provide to an account holder. The Authentication Service can be called at any time. The Mastercard Authentication Service can be applied to any MDES token type, regardless of the card product, and to any Token Requestor program. The behavior of the service is not driven by the token type, the token requestor program, or its context of use. **However the use of the Mastercard Authentication Service, and thereby, the Authentication Facilitator API is restricted to certain business contexts requiring Mastercard approval.** Note: For avoidance of doubt, the Mastercard Authentication Service is not applicable to the digitization of a card where an activation code can be used to activate a token. The service is for already provisioned MDES tokens. Please refer to the MDES Pre-digitization process documented in the [MDES Issuer Implementation Guide](https://techdocs.mastercard.com/bundle/m_MIIG/page/r_SmryChngsMIIG.html) for information on cardholder authentication during card digitization. ## Key Benefits {#key-benefits} * Potential to authenticate any consumer holding an MDES token. * Enable new digital business cases requiring cardholders authentication. * Endless business cases requiring cardholder authentication, driven by Token Requestors. * Leverage cardholder information maintained by card issuer. ## How It Works {#how-it-works} The Authentication Service can be used only by Token Requestors who are integrated with MDES and whose Token Requestor IDs (TRIDs) are specifically enabled for the Authentication Service. Once enabled, Token Requestors can request authentication for MDES tokens whose card issuers are onboarded to the Authentication Service. All tokens associated with the MDES-enabled cards of an issuer can be authenticated when the card issuer participates with the Authentication Service. Only MDES integrated card issuers can integrate with the Authentication Service and issuers are not automatically opted in. The following diagram shows the relationship between the participants in the Mastercard Authentication Service. ![authentication-service-workflow-issuer](https://static.developer.mastercard.com/content/authentication-facilitator/uploads/authentication-service-workflow-issuer.png) The following table shows the activities for the Authentication Service participants. | Participants | Activities | |------------------------|-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| | Token Requestor | * Determines when authentication is required in accordance with their program requirements * Sends authentication requests to the Authentication Service * Manages cardholder interaction for obtaining an authentication code to submit for validation to the Authentication Service. Token Requestors may support different user experiences and processes. For example, in some cases, a Token Requestor could prompt the user to enter the authentication code, whereas in other cases, the Token Requestor would not require any user involvement. They could scan the cardholder's mobile phone SMS from the issuer, detect an authentication code and request the validation to the Authentication Service * Determines how the authentication results affect the program when processing authentication request responses. The Authentication Service responds with one of the following authentication code validation results: * **Success:** The submitted code matches the Mastercard-generated code for the token and the authentication request identifier. Consequently the authentication is successful * **Incorrect code and re-tries are not exceeded:** The submitted code does not match the Mastercard-generated code for the token and the authentication request identifier. The authentication is not successful but attempts to request a code validation are permitted * **Incorrect code and re-tries are exceeded:** The submitted code does not match the Mastercard-generated code for the token and the authentication request identifier. The authentication is not successful and further attempts to request a code validation are not allowed as they exceeded the maximum limit * **Expired code:** The authentication code has expired or was invalidated | | Cardholder | * May be informed by their card issuer of the process when authentication using a code is performed * Enters the authentication code on the Token Requestor interface, depending on the Token Requestor's experience * Requests re-sending of an authentication code when none are received, depending on the Token Requestor's experience | | Authentication Service | * Processes Token Requestor authentication requests for a MDES token by generating an authentication code and sending it along with the Account PAN mapped to the token * Processes Token Requestor requests to validate an authentication code and provides the authentication results | | Card Issuer | * May inform their cardholder of the process when authentication using a code is performed * Process messages from the Authentication Service notifying to send an authentication code to the cardholder identified using the funding account information |