Client-Initiated Backchannel Authentication
CIBA (Client-Initiated Backchannel Authentication) is an OpenID Connect flow that lets an application start authentication on a separate device, so a user approves a request on their phone while interacting with a terminal, agent, or call center.
Also: ciba
CIBA decouples the device that requests authentication from the device where the user approves it. The application, called the consumption device, sends an authentication request directly to the identity provider over a back channel. The provider then prompts the user on their registered authentication device, such as a phone.
This differs from redirect-based flows, where the user authenticates in the same browser session that started the request. With CIBA there is no browser redirect at all; the consumption device polls the provider or waits for a notification while the user approves out of band.
The flow fits scenarios where the requesting device has a poor or untrusted input experience: a point-of-sale terminal, a smart device, or a call-center agent who needs the customer to approve an action on their own phone.
For CIAM, CIBA supports transaction confirmation and agent-assisted authentication, letting a business verify a customer through a trusted personal device without exposing credentials on a shared or public terminal.
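The exchange described above, worked as an added Python simulation that is not code from this page or from the OpenID Foundation: an in-memory OpenID Provider and a consumption-device client trade the CIBA poll-mode messages, including the `authorization_pending`, `slow_down`, `expired_token` and `access_denied` token responses and the single-use `auth_req_id`. The client id `pos-terminal-17`, the login hint, the binding message, the 120-second request lifetime and the 5-second interval are constructed values; client authentication, the ping and push delivery modes, and ID token signing are left out.

```python
"""Added simulation of a poll-mode CIBA exchange; ids, hints and timings are constructed values."""
import secrets
import time

# Grant type value defined by the CIBA specification for the token request.
CIBA_GRANT_TYPE = "urn:openid:params:grant-type:ciba"


class OpenIDProvider:
    """Minimal OP: a backchannel authentication endpoint plus a token endpoint (no client auth)."""

    def __init__(self, clock=time.monotonic):
        self.clock = clock
        self.requests = {}  # auth_req_id -> pending request state

    def backchannel_authenticate(self, params):
        """Request from the consumption device; needs the openid scope and exactly one user hint."""
        hints = [k for k in ("login_hint", "login_hint_token", "id_token_hint") if k in params]
        if "openid" not in params.get("scope", "").split() or len(hints) != 1:
            return {"error": "invalid_request"}, 400
        auth_req_id = secrets.token_urlsafe(32)
        self.requests[auth_req_id] = {
            "user": params[hints[0]], "binding_message": params.get("binding_message"),
            "expires_at": self.clock() + 120, "interval": 5, "last_poll": None,
            "decision": None,  # None = pending, True = approved, False = denied
        }
        return {"auth_req_id": auth_req_id, "expires_in": 120, "interval": 5}, 200

    def user_decides(self, auth_req_id, approved):
        """Out-of-band decision made on the authentication device (the phone)."""
        self.requests[auth_req_id]["decision"] = approved

    def token(self, params):
        """Token request with the CIBA grant; returns (body, http_status)."""
        if params.get("grant_type") != CIBA_GRANT_TYPE:
            return {"error": "unsupported_grant_type"}, 400
        state = self.requests.get(params.get("auth_req_id"))
        if state is None:
            return {"error": "invalid_grant"}, 400
        now = self.clock()
        if now > state["expires_at"]:
            return {"error": "expired_token"}, 400
        if state["last_poll"] is not None and now - state["last_poll"] < state["interval"]:
            state["interval"] += 5  # client polled too early; both sides back off by 5 s
            state["last_poll"] = now
            return {"error": "slow_down"}, 400
        state["last_poll"] = now
        if state["decision"] is None:
            return {"error": "authorization_pending"}, 400
        if state["decision"] is False:
            return {"error": "access_denied"}, 400
        del self.requests[params["auth_req_id"]]  # auth_req_id is single use
        return {"access_token": secrets.token_urlsafe(24), "token_type": "Bearer",
                "expires_in": 300, "id_token": "<unsigned placeholder>"}, 200


class ConsumptionDevice:
    """Client such as a POS terminal using poll mode: no browser, no redirect."""

    def __init__(self, op, client_id, sleep=time.sleep):
        self.op, self.client_id, self.sleep = op, client_id, sleep

    def request_authentication(self, login_hint, binding_message):
        body, status = self.op.backchannel_authenticate({
            "client_id": self.client_id, "scope": "openid",
            "login_hint": login_hint, "binding_message": binding_message})
        if status != 200:
            raise RuntimeError(body["error"])
        return body

    def poll_for_tokens(self, auth_req_id, interval, max_attempts=50):
        """Poll the token endpoint until tokens arrive or a terminal error comes back."""
        for _ in range(max_attempts):
            body, status = self.op.token({"grant_type": CIBA_GRANT_TYPE,
                                          "auth_req_id": auth_req_id, "client_id": self.client_id})
            if status == 200 or body["error"] not in ("authorization_pending", "slow_down"):
                return body
            if body["error"] == "slow_down":
                interval += 5  # spec: raise the polling interval by at least 5 s
            self.sleep(interval)
        return {"error": "timeout"}


def simulate(approved, decide_after_polls=2):
    """Run one full exchange; the phone decides after N polls. Returns the final token body."""
    t = [0.0]  # constructed clock so the exchange runs instantly and deterministically
    op, holder, polls = OpenIDProvider(clock=lambda: t[0]), {}, [0]

    def sleep(seconds):  # advances the clock; the phone decides while the terminal waits
        t[0] += seconds
        polls[0] += 1
        if polls[0] == decide_after_polls:
            op.user_decides(holder["id"], approved)

    device = ConsumptionDevice(op, "pos-terminal-17", sleep=sleep)
    resp = device.request_authentication("user@example.com", "Confirm purchase 4711")
    holder["id"] = resp["auth_req_id"]
    return device.poll_for_tokens(resp["auth_req_id"], resp["interval"])
```

Calling `simulate(True)` returns a token response after the third poll, `simulate(False)` ends with `access_denied`, and a decision that never arrives ends with `expired_token` once the 120-second lifetime passes. The `binding_message` is stored so the provider can show the same text on the phone that the terminal displays, which is what lets the user tie the approval to the transaction they are actually looking at.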
Sources
- OpenID Connect CIBA Core 1.0: https://openid.net/specs/openid-client-initiated-backchannel-authentication-core-1_0.html
Standards
- OpenID Connect CIBA Core 1.0