
What is Strong Customer Authentication (SCA) under PSD2?

Vincent Delitz


Created: January 31, 2025

Updated: April 30, 2025



What is Strong Customer Authentication (SCA) under PSD2?

Strong Customer Authentication (SCA) is a security requirement introduced by PSD2 (the Revised Payment Services Directive) to enhance the security of online payments and reduce fraud. SCA mandates that financial institutions and payment service providers implement multi-factor authentication (MFA) for electronic transactions, ensuring that only legitimate users can access accounts and approve payments.


SCA Requirements

To comply with SCA, authentication must involve at least two of the following three factors:

  1. Knowledge – Something the user knows (e.g., a password or PIN).
  2. Possession – Something the user has (e.g., a smartphone, hardware token, or smart card).
  3. Inherence – Something the user is (e.g., biometrics like fingerprints or facial recognition).

How SCA Works in Online Payments

SCA applies to most electronic payments within the European Economic Area (EEA). For example:

  • A customer logging into an online banking account may need to provide both a password (knowledge) and confirm the login via a mobile push notification (possession).
  • A user making an online payment may be required to authenticate using biometrics (inherence) and approve the payment through their banking app (possession).

Exemptions to SCA

Certain transactions may be exempt from SCA, such as:

  • Low-value transactions (below €30).
  • Recurring payments (e.g., subscriptions).
  • Transactions deemed low-risk based on fraud analysis.

SCA and Passkeys

Traditional authentication methods like passwords and SMS OTPs are still widely used but are vulnerable to phishing attacks. Passkeys, based on WebAuthn and FIDO2, offer a phishing-resistant alternative by leveraging cryptographic authentication and device-bound credentials. Banks and fintech companies implementing passkeys can meet SCA requirements while improving both security and user experience.

Passkeys enable PSD2-compliant strong customer authentication by leveraging cryptographic key pairs and device-bound credentials for seamless, phishing-resistant logins.
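As an added illustration (not code from this page or from Corbado), the following shows how a relying party can derive which SCA factor categories a single passkey assertion evidences from the WebAuthn authenticatorData header. The byte layout and flag bits follow the WebAuthn specification; the mapping of a valid signature to "possession" and of the UV flag to "inherence or knowledge", along with the relying party ID `bank.example`, are assumptions made for this example.

```python
import hashlib
import struct

# Fixed 37-byte header of WebAuthn authenticatorData:
#   rpIdHash (32 bytes) | flags (1 byte) | signCount (4 bytes, big-endian)
FLAG_UP = 0x01  # user present: a touch or gesture was detected
FLAG_UV = 0x04  # user verified: authenticator checked a biometric or PIN locally


def parse_authenticator_data(auth_data: bytes) -> dict:
    """Decode the fixed header of the authenticatorData from a passkey assertion."""
    if len(auth_data) < 37:
        raise ValueError("authenticatorData shorter than the 37-byte header")
    (sign_count,) = struct.unpack(">I", auth_data[33:37])
    return {"rp_id_hash": auth_data[:32], "flags": auth_data[32], "sign_count": sign_count}


def sca_factors(auth_data: bytes, expected_rp_id: str, signature_valid: bool) -> set:
    """Return the SCA factor categories a passkey assertion evidences.

    Assumptions (ours, not stated on the page): a signature that verified against
    the registered public key evidences possession of the device-bound private key;
    the UV flag evidences that the authenticator verified a biometric (inherence)
    or a PIN (knowledge). The flag does not reveal which of the two was used, so
    both are reported under one label. An rpIdHash for a different relying party
    is rejected outright: this origin binding is what makes passkeys phishing-resistant.
    """
    parsed = parse_authenticator_data(auth_data)
    if parsed["rp_id_hash"] != hashlib.sha256(expected_rp_id.encode()).digest():
        raise ValueError("assertion was produced for a different relying party")
    if not parsed["flags"] & FLAG_UP:
        raise ValueError("user presence was not asserted")
    factors = set()
    if signature_valid:
        factors.add("possession")
    if parsed["flags"] & FLAG_UV:
        factors.add("inherence-or-knowledge")
    return factors


def satisfies_sca(factors: set) -> bool:
    """SCA requires at least two distinct factor categories."""
    return len(factors) >= 2


def build_sample(rp_id: str, flags: int, sign_count: int) -> bytes:
    """Constructed sample: a minimal header with no attested credential data or extensions."""
    return hashlib.sha256(rp_id.encode()).digest() + bytes([flags]) + struct.pack(">I", sign_count)


if __name__ == "__main__":
    with_uv = build_sample("bank.example", FLAG_UP | FLAG_UV, 42)
    print(satisfies_sca(sca_factors(with_uv, "bank.example", True)))  # True
    up_only = build_sample("bank.example", FLAG_UP, 43)
    print(satisfies_sca(sca_factors(up_only, "bank.example", True)))  # False: possession only
```

A passkey assertion without UV proves only that the device-bound key was used, so a relying party that wants SCA from a single passkey should request user verification and check the flag server-side rather than trusting the client.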

By enforcing Strong Customer Authentication (SCA), PSD2 enhances transaction security, reducing fraud risks and increasing trust in digital banking and online payments.
