Another security mechanism which I believe should be mandatory, although many institutions don't feel so, is two-way (mutual) SSL authentication. It is an important control to have in place if you are exchanging transactional data, or in fact committing transactions, between two different businesses. The typical use case is "Transaction Banking", where a merchant or a corporate customer connects to your institution over the Internet through an API connection and pushes transactions. Since these transactions arrive from the Internet directly at your hosted API, there should be additional levels of security control to make sure that no unauthorized individual is able to use this API and push transactions.
Under normal circumstances, when we connect to an API over an SSL connection, only the server certificate is validated (by the client); the server never validates the client certificate, which means the authenticity of the client is never established. An analogy makes this clearer: imagine a fraudster visiting your home posing as a government employee and asking for your personal ID details, such as your Aadhaar number or bank account number. If you are not diligent enough, you simply share the details, thinking the visitor is a government employee, and the fraudster can misuse that data. Had you asked the visitor for his ID, you would have found out that he is not a government employee and avoided the fraud. This is exactly what two-way mutual authentication is: one system wants to allow another system to do transactions, but before any transaction happens on the SSL channel, the client certificate must also be validated by the server that is going to allow those transactions.
Basically, this is mandatory for API banking, where a bank exposes its APIs on the Internet and allows corporates to commit transactions through them. Since these APIs are exposed to the Internet, they are protected by two-way mutual authentication, in which the client certificate is validated as well.
Technically, this works as follows: in every API connection request the client passes its own certificate as well, and the connection succeeds only once the server has validated that client certificate.
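As an added example (not code from the original post), the following Go program builds a throw-away PKI in memory, configures a TLS server for two-way mutual auth, and shows that a client presenting no certificate is refused while a client with a CA-issued certificate gets a session. The CA name, the server name api.bank.example and the client name corporate-client-01 are constructed placeholders, and the server listens on localhost only.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)
// issue makes an Ed25519 key and certificate: a self-signed CA when parent is nil, else a leaf signed by that CA.
func issue(cn string, parent *x509.Certificate, parentKey any) (tls.Certificate, *x509.Certificate) {
	pub, key, _ := ed25519.GenerateKey(rand.Reader)
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(time.Now().UnixNano()), Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour), DNSNames: []string{"localhost"}}
	if parent == nil { // self-signed root that vouches for both the bank's API server and the corporate client
		tmpl.IsCA, tmpl.BasicConstraintsValid, tmpl.KeyUsage = true, true, x509.KeyUsageCertSign
		parent, parentKey = tmpl, key
	}
	der, _ := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, parentKey)
	cert, _ := x509.ParseCertificate(der)
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key}, cert
}

// MutualTLSHandshake starts a server that insists on a client certificate issued by the (constructed) bank CA,
// connects as a client that does or does not present one, and reports whether the server accepted the session.
func MutualTLSHandshake(sendClientCert bool) bool {
	caTLS, ca := issue("Bank Root CA", nil, nil)
	server, _ := issue("api.bank.example", ca, caTLS.PrivateKey)
	client, _ := issue("corporate-client-01", ca, caTLS.PrivateKey)
	pool := x509.NewCertPool(); pool.AddCert(ca)
	ln, err := tls.Listen("tcp", "127.0.0.1:0", &tls.Config{
		Certificates: []tls.Certificate{server},
		ClientAuth:   tls.RequireAndVerifyClientCert, // the 2-way part: no valid client certificate, no session
		ClientCAs:    pool,                           // only certificates chaining to the bank CA are accepted
	})
	if err != nil { return false }
	defer ln.Close()
	// Server side: Write drives the handshake to completion (or failure), then sends a one-byte reply.
	go func() { if c, err := ln.Accept(); err == nil { c.Write([]byte{1}); c.Close() } }()
	cfg := &tls.Config{RootCAs: pool, ServerName: "localhost"} // the client validates the server either way
	if sendClientCert { cfg.Certificates = []tls.Certificate{client} }
	conn, err := tls.Dial("tcp", ln.Addr().String(), cfg)
	if err != nil { return false }
	defer conn.Close()
	// Under TLS 1.3 the client finishes its handshake before the server has checked the client certificate,
	// so a rejection surfaces on the first read rather than on Dial; reading is what proves acceptance.
	_, err = conn.Read(make([]byte, 1))
	return err == nil
}
```

The read after Dial is the check a practitioner tends to miss: a client that only watches the Dial result under TLS 1.3 can believe it was accepted when the server has in fact already rejected its certificate.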