# Binding and Unbinding
source: https://developer.mastercard.com/mastercard-checkout-solutions/documentation/token-authentication/secure-card-on-file/by-third-party/token-binding-unbinding/index.md

After completing the cardholder identity and verification (ID\&V), the Integrator initiates the device binding process where a token (`srcDigitalCardId` associated with a card) is linked to an MFA method instance (associated to the consumer device), which can be used for cardholder authentication (for example - device biometric) for future transactions.

The Integrator sources the attestation data, generates client assertionJWT, and signs the JWT using MFA private key. Next, the Integrator provides the assertionJWT to Mastercard in the Bind API request.

An Integrator can choose from one of the following options to perform binding:

* [FIDO2 Binding](https://developer.mastercard.com/mastercard-checkout-solutions/documentation/token-authentication/secure-card-on-file/by-third-party/token-binding-unbinding/index.md#fido2-binding)
* [Public Key Infrastructure (PKI) Binding](https://developer.mastercard.com/mastercard-checkout-solutions/documentation/token-authentication/secure-card-on-file/by-third-party/token-binding-unbinding/index.md#public-key-infrastructure-binding)

### Pre-requisites: {#pre-requisites}

* Complete [cardholder identification \& verification](https://developer.mastercard.com/mastercard-checkout-solutions/documentation/token-authentication/secure-card-on-file/by-third-party/identification-and-verification/identification-verification-with-mastercard/index.md) to obtain the ID\&V proof.
* Enroll the customer in a Mastercard-compliant MFA method instance, and create a key pair.

Warning: The proof of ID\&V expires if the binding is not completed successfully within **five** minutes of performing the ID\&V, in which case, the Integrator has to repeat the ID\&V process. Diagram taf-token-binding-new2 Note: In certain use cases, an Integrator may have a separate entity as an Authenticating Entity. Work with your Mastercard Representative to understand if this is valid for your implementation.

## FIDO2 Binding {#fido2-binding}

This binding flavour enables Integrators to bind a user's biometric credentials using FIDO2 standards. This involves submitting attestation or assertion data along with proof of identity verification (ID\&V), allowing secure, passwordless authentication aligned with Mastercard's Token Authentication Framework.

The Integrator must pass the attestation and assertion data in the Bind API request against which the binding will happen.
Tip:   

* **Attestation**: Attestation is the process in which an authenticator provides evidence about its origin, manufacturer and type, using a cryptographic attestation statement sent during user registration.
* **Assertion**: An assertion is a signed response generated by the authenticator during user authentication, confirming that the user is present on an already attested device.

### Pre-requisites {#pre-requisites-1}

Set the following:   

* For a new non-synced key,   
  * Provide FIDO2 attestation in `authenticator.credentials.attestation` object.   
  * Set User Verified Flag as 1 in `attestation.response.attestationObject` object.   
* For an existing non-synced key,   
  * Provide FIDO2 assertion in `authenticator.credentials.assertion.device` object.   
  * Set User Verified Flag as 1 in `authenticator.credentials.assertion.device.response.authenticatorData` object.   

Note: This solution currently supports only FIDO2 credentials stored on non-synchronized authenticators. Passkeys managed via cloud-based sync services (e.g., iCloud Keychain, Google Password Manager) are not supported.

### Detailed Steps: {#detailed-steps}

1. The Integrator passes the following parameters in the [Bind API](https://developer.mastercard.com/mastercard-checkout-solutions/documentation/api-reference/apis/index.md#authentication):
   * `srcClientId`
   * `srcCorrelationId`
   * `srcDpaId`
   * `assuranceData` with the proof of ID\&V within the `additionalData`
   * `consumerDeviceData`
   * `authenticator` with correct `attestation`, `assertion`, and `metadata` values   

Tip:   

* For new binding, `externalCredentialId` is required. For existing binding any one of the identifiers must be available:

  * `externalCredentialId` or
  * `credentialId`
* For a complete sample, see **EXAMPLE - 3P FIDO MFA with MA 3DS Binding** in [Bind](https://developer.mastercard.com/mastercard-checkout-solutions/documentation/api-reference/apis/index.md#authentication) API.   

* To learn how to generate bindingAssertion, see the section detailed [here](https://developer.mastercard.com/mastercard-checkout-solutions/documentation/token-authentication/secure-card-on-file/by-third-party/authenticating-entity/index.md#generating-bindingassertionjwt).

2. Mastercard verifies the attestation/assertion and shares the Bind API response along with `externalCredentialId`.

## Public Key Infrastructure Binding {#public-key-infrastructure-binding}

This binding flavour enables Integrators to bind a user's authentication credentials using their own public key infrastructure (PKI). This involves submitting attestation or assertion data along with proof of identity verification (ID\&V), allowing secure authentication aligned with Mastercard's Token Authentication Framework.

The Integrator must pass the attestation and assertion data in the Bind API request against which the binding will happen.
Tip:   

* **Attestation**: Attestation is the process by which a device proves its authenticity and integrity using cryptographic means, by signing data with a private key associated with a known public key or certificate.
* **Assertion**: An assertion is a signed statement, used to authenticate or authorize a user or system, indicating that the access have been validated.

### Detailed Steps: {#detailed-steps-1}

1. Authenticate the cardholder challenge and run the 3rd party PKI MFA user enrollment/PKI authentication, and create a key pair.

2. For successful token/MFA binding, provide the proof of Issuer ID\&V and the PKI public key-related information in the MFA [Bind API](https://developer.mastercard.com/mastercard-checkout-solutions/documentation/api-reference/apis/index.md#authentication) and pass the following:

   * `srcClientId`
   * `srcCorrelationId`
   * `srcDpaId`
   * `assuranceData` with the proof of ID\&V within the `additionalData`
   * `consumerDeviceData`
   * `authenticator` with correct `attestation`, `assertion`, and `relyingParty` values   
     * `attestation` and `assertion` should follow Mastercard format:

       ```javascript
       {
         "keyId": "string -- Platform generated", 
         "attestationObject": "Base64(CBOR())", 
         "clientDataJSON": "Base64Encoded" 
       }
       ```

       <br />

       ```javascript
       {
         "device":
         {
           "assertionObject": "Base64(CBOR())", 
           "clientDataJSON": "Base64Encoded" 
         }
       }
       ```

Tip:   

* For new binding, `externalCredentialId` is required. For existing binding any one of the identifiers must be available:

  * `externalCredentialId` or
  * `credentialId`
* For a complete sample, see **EXAMPLE - 3P PKI MFA with Issuer OTP Binding** in [Bind](https://developer.mastercard.com/mastercard-checkout-solutions/documentation/api-reference/apis/index.md#authentication) API.   

* To learn how to generate bindingAssertion, see the section detailed [here](https://developer.mastercard.com/mastercard-checkout-solutions/documentation/token-authentication/secure-card-on-file/by-third-party/authenticating-entity/index.md#generating-bindingassertionjwt).

3. Mastercard verifies the attestation/assertion and shares the Bind API response along with `externalCredentialId`.

## Unbinding {#unbinding}

The [Delete MFA Method API](https://developer.mastercard.com/mastercard-checkout-solutions/documentation/api-reference/apis/index.md#authentication) deletes the previously stored PKI public key and attestation data associated with the MFA method instance. Use this API in cases of lost/stolen device, account closure from merchant's website, or inactive/expired card.
Diagram taf-token-unbinding

### Detailed Steps: {#detailed-steps-2}

Call the [Delete MFA API](https://developer.mastercard.com/mastercard-checkout-solutions/documentation/api-reference/apis/index.md#authentication) and pass the following required values:

Use this to unbind all bindings under app instance or the credential.

* `srcClientId`   
* `mfaIdType` (`INTERNAL`/`EXTERNAL`. Default is `EXTERNAL`)   
* `certifiedSolutionId`   
* `serviceId`   
* `externalCredentialId`

<br />

Use this to unbind all bindings under app instance or the credential.

* `srcClientId`   
* `mfaIdType` (`INTERNAL`/`EXTERNAL`. Default is `EXTERNAL`)   
* `certifiedSolutionId`   
* `serviceId`   
* `credentialId`
Use this to Unbind a given srcDigitalCardId only for that specified credential Instance.   

* `srcClientId`
* `mfaIdType` (`INTERNAL`/`EXTERNAL`. Default is `EXTERNAL`)
* `certifiedSolutionId`
* `serviceId`
* `externalCredentialId` or `credentialId`
* `resourceId`
* `resourceIdType` (Default is CARD)
Tip: You can disregard any additional fields identified in Requests or Responses or API specs that are not defined as part of documentation.
