# Transaction Authentication
source: https://developer.mastercard.com/mastercard-checkout-solutions/documentation/token-authentication/secure-card-on-file/by-third-party/ta-with-3rdparty/index.md

Once a cardholder's identity is verified and the token is linked to a device, it is essential to authenticate a transaction before performing checkout with the tokenized credentials.

During transaction authentication,

* An Integrator generates the client assertionJWT and provide this information to Mastercard in the Authenticate API request.
* Mastercard then validates that the token is bound to a device for an MFA method instance against which the binding was done.

<br />

An Integrator must use either of the below methods to generate the proof of authentication.

* [FIDO2 Authentication](https://developer.mastercard.com/mastercard-checkout-solutions/documentation/token-authentication/secure-card-on-file/by-third-party/ta-with-3rdparty/index.md#fido2-authentication)
* [Public Key Infrastructure Authentication](https://developer.mastercard.com/mastercard-checkout-solutions/documentation/token-authentication/secure-card-on-file/by-third-party/ta-with-3rdparty/index.md#public-key-infrastructure-authentication)
* [Issuer Authentication](https://developer.mastercard.com/mastercard-checkout-solutions/documentation/token-authentication/secure-card-on-file/by-third-party/ta-with-3rdparty/index.md#issuer-authentication)

### Pre-requisites {#pre-requisites}

1. Conduct [cardholder identification \& verification](https://developer.mastercard.com/mastercard-checkout-solutions/documentation/token-authentication/secure-card-on-file/by-third-party/identification-and-verification/identification-verification-with-mastercard/index.md).
2. [Bind the token](https://developer.mastercard.com/mastercard-checkout-solutions/documentation/token-authentication/secure-card-on-file/by-third-party/token-binding-unbinding/index.md) to an MFA method instance (except when you're using Issuer Authentication).   

Note:   

* In certain use cases, an Integrator may have a separate entity as an Authenticating Entity. Work with your Mastercard Representative to understand if this is valid for your implementation.

* **Data Retention Policy** :   

  Mastercard may retain FIDO attestation data, OS-attested app instance data and/or PKI key attestation data to perform the verification of device binding and transaction authentication when processing the checkout.   

  If a consumer does not authenticate/use the passkey for **13 months** , Mastercard may delete all data related to the device instance, the passkey (FIDO), public key (PKI) attestation, `srcDigitalCardId` along with its corresponding FPAN and the `externalCredentialId`.   

  The Integrator must perform a new ID\&V process to create a new device binding and provide the required data, where applicable, to Mastercard.
Diagram taf-3rdparty-ta

## FIDO2 Authentication {#fido2-authentication}

An Integrator performs authentication using proprietary biometric authentication (built on FIDO2 standards) on their end. These credentials are bound to a device and enables faster checkouts for the cardholder.
Tip:   

* **Attestation**: Attestation is the process in which an authenticator provides evidence about its origin, manufacturer and type, using a cryptographic attestation statement sent during user registration.
* **Assertion**: An assertion is a signed response generated by the authenticator during user authentication, confirming that the user is present on an already attested device.
Note: This solution currently supports only FIDO2 credentials stored on non-synchronized authenticators. Passkeys managed via cloud-based sync services (e.g., iCloud Keychain, Google Password Manager) are not supported.

### Detailed Steps {#detailed-steps}

1. An Integrator/Authenticating Entity generates assertionJWT as detailed out [here](https://developer.mastercard.com/mastercard-checkout-solutions/documentation/token-authentication/secure-card-on-file/by-third-party/authenticating-entity/index.md#generating-assertionjwt).

2. Call the [Authenticate](https://developer.mastercard.com/mastercard-checkout-solutions/documentation/api-reference/apis/index.md#authentication) API with the following key parameters for Mastercard to validate the proof of authentication:

   * `authenticationMethodType` : FIDO2
   * `authenticationSubject` : CARDHOLDER
   * `authenticator` : Containing FIDO Assertion, client assertionJWT and FIDO related metadata   

   Tip: For a complete sample, see **EXAMPLE - 3P FIDO Assertion Validation** in [Authenticate](https://developer.mastercard.com/mastercard-checkout-solutions/documentation/api-reference/apis/index.md#authentication) API.
3. As part of [Authenticate](https://developer.mastercard.com/mastercard-checkout-solutions/documentation/api-reference/apis/index.md#authentication) API response, Mastercard provides the following:

   * `authenticationResult` : AUTHENTICATED
   * `authenticationStatus` : COMPLETE
   * `additionalData` : Containing Base64 encoded Authenticator in assuranceData   
4. After successful FIDO2 validation, Integrator should make the [Checkout](https://developer.mastercard.com/mastercard-checkout-solutions/documentation/api-reference/apis/index.md#checkout) API call and provide the Base 64 Encoded Auth Token (`assuranceData.verificationData.additionalData`) received from the Authenticate response.

   If the FIDO2 validation was not successful, the Integrator can still proceed with the standard [Secure Card on File checkout](https://developer.mastercard.com/mastercard-checkout-solutions/documentation/use-cases/card-on-file/making-payments/index.md), but the transaction will not be authenticated.

## Public Key Infrastructure Authentication {#public-key-infrastructure-authentication}

An Integrator/Authenticating Entity authenticates a transaction using Multi-Factor Authentication (MFA) method based on Proprietary Public Key Infrastructure (PKI) authentication with device bound keys. The device bound keys may be attested by the device's Operating System (OS) platform, unattested or self-attested.
Tip:   

* **Attestation**: Attestation is the process by which a device proves its authenticity and integrity using cryptographic means, by signing data with a private key associated with a known public key or certificate.
* **Assertion**: An assertion is a signed statement, used to authenticate or authorize a user or system, indicating that the access have been validated.

### Detailed Steps {#detailed-steps-1}

1. After a successful token/MFA binding, the Integrator can then use the bound token/MFA method to authenticate the cardholder during subsequent checkout. The Integrator generates the [assertionJWT](https://developer.mastercard.com/mastercard-checkout-solutions/documentation/token-authentication/secure-card-on-file/by-third-party/authenticating-entity/index.md#generating-assertionjwt) and calls the Authenticate API with the following:

   * `cardId`
   * `authenticationReason` : TRANSACTION_AUTHENTICATION
   * `authenticationMethodType` : Proprietary
   * `authenticator` : Containing the `assertion`, `externalCredentialId`, `credentialId` and other parameters.

   Tip: For a complete sample, see **EXAMPLE - 3P PKI Assertion Validation** in [Authenticate](https://developer.mastercard.com/mastercard-checkout-solutions/documentation/api-reference/apis/index.md#authentication) API.
2. As part of [Authenticate](https://developer.mastercard.com/mastercard-checkout-solutions/documentation/api-reference/apis/index.md#authentication) API response, Mastercard provides the following:

   * `authenticationResult` : AUTHENTICATED
   * `authenticationStatus` : COMPLETE
   * `additionalData` : containing Base64 encoded Authenticator in `assuranceData`   
3. After successful PKI validation, Integrator should make the [Checkout](https://developer.mastercard.com/mastercard-checkout-solutions/documentation/api-reference/apis/index.md#checkout) API call and provide the Base 64 Encoded Auth Token (`assuranceData.verificationData.additionalData`) received from the Authenticate response.   

   If the PKI validation was not successful, the Integrator can still proceed with the standard [Secure Card on File checkout](https://developer.mastercard.com/mastercard-checkout-solutions/documentation/use-cases/card-on-file/making-payments/index.md), but the transaction will not be authenticated.

## Issuer Authentication {#issuer-authentication}

An Authenticating Entity authenticates a transaction using a proprietary integration with the Issuer, who generates the proof of authentication, known as Issuer Authentication Assurance Value (IAAV).
Note: For Integrators choosing IAAV for transaction authentication,   

* [Cardholder identification \& verification](https://developer.mastercard.com/mastercard-checkout-solutions/documentation/token-authentication/secure-card-on-file/by-third-party/identification-and-verification/identification-verification-with-mastercard/index.md) is a pre-requisite.   

* Binding is not a pre-requisite and can be skipped.

### Detailed Steps {#detailed-steps-2}

1. An Authenticating Entity generates the proof of authentication on their end with required values such as:

   * `txID`
   * `txAmount`
   * `txCurrencyCode`
   * `accountNumber`
   * `accountExpiry`
   * `version`
2. The Integrator calls the [Authenticate](https://developer.mastercard.com/mastercard-checkout-solutions/documentation/api-reference/apis/index.md#authentication) API with the following key parameters for Mastercard to validate the proof of authentication:

   * `authenticationMethodType` : IAAV
   * `authenticationSubject` : CARDHOLDER
   * `assuranceData`

   Tip: For a complete sample, see **EXAMPLE - IAAV/TxAV Validation** in [Authenticate](https://developer.mastercard.com/mastercard-checkout-solutions/documentation/api-reference/apis/index.md#authentication) API.
3. As part of [Authenticate](https://developer.mastercard.com/mastercard-checkout-solutions/documentation/api-reference/apis/index.md#authentication) API response, Mastercard provides the following, which you can use to call the [Checkout](https://developer.mastercard.com/mastercard-checkout-solutions/documentation/api-reference/apis/index.md#checkout) API:

   * `authenticationResult` : AUTHENTICATED
   * `authenticationStatus` : COMPLETE
   * `additionalData` : containing Base64 encoded AuthToken in `assuranceData`

Tip: You can disregard any additional fields identified in Requests or Responses or API specs that are not defined as part of documentation.
