How does EBA Single Rulebook Q&A clarify SCA ambiguities?

How Does the EBA Single Rulebook Q&A Clarify Ambiguities in SCA?#

The European Banking Authority (EBA) Single Rulebook Q&A serves as an official reference to resolve ambiguities in the interpretation and implementation of PSD2’s Strong Customer Authentication (SCA) requirements. It provides clarifications for financial institutions, payment service providers, and regulators on how to correctly apply Regulatory Technical Standards (RTS) for SCA.

Key Areas Where the EBA Single Rulebook Clarifies SCA Requirements#

1. Defining Multi-Factor Authentication (MFA) Under PSD2#

• The Q&A specifies that authentication factors must be independent and meet high security standards.
• Clarification: Passkeys, which combine biometrics (something you are) and a hardware-based credential (something you have), are explicitly recognized as compliant with SCA.

2. Exemptions and Low-Risk Transactions#

• The RTS outlines specific exemptions where SCA is not required, but some scenarios remained unclear.
• Clarification: The EBA has provided detailed guidance on how Transaction Risk Analysis (TRA) can be applied for low-risk payments.
• Example: Recurring payments and trusted beneficiaries may be exempt from SCA if they meet defined risk thresholds.

3. Dynamic Linking Requirements for Payments#

• PSD2 mandates dynamic linking, ensuring that authentication is tied to the transaction details.
• Clarification: The Q&A confirms that cryptographic signatures must link the transaction amount and recipient details to the authentication process.
• Best Practice: Passkeys meet this requirement because they sign each transaction securely using WebAuthn cryptographic methods.

4. Use of Biometrics and Device-Bound Credentials#

• The EBA has addressed questions about whether biometric authentication alone satisfies SCA.
• Clarification: Biometrics must be combined with another authentication factor (e.g., a secure passkey) to be SCA-compliant.
• Passkeys inherently meet this requirement when using platform authenticators (Face ID, Windows Hello, etc.).

5. Cross-Border and Interoperability Concerns#

• Many financial institutions raised concerns about how SCA should work across different EU member states.
• Clarification: The EBA has specified that SCA must be applied uniformly across the EU, ensuring consistent security regardless of where a payment is initiated.

How Do Passkeys Align With EBA Guidance?#

• Phishing resistance: Passkeys provide a secure alternative to passwords and OTPs, aligning with EBA’s recommendations for strong authentication.
• Hardware security: Stored in Secure Enclave (Apple), TPM (Windows), or TEE (Android), passkeys meet RTS security requirements.
• Dynamic linking: Passkeys cryptographically sign transaction details, ensuring compliance with EBA-mandated security measures.

Conclusion#

The EBA Single Rulebook Q&A clarifies PSD2’s SCA requirements, ensuring that financial institutions correctly interpret regulatory standards. Passkeys align with EBA’s clarifications, offering a compliant, secure, and user-friendly authentication method that satisfies multi-factor authentication, dynamic linking, and phishing resistance.

Read the full article#

About Corbado

Corbado is the Passkey Intelligence Platform for CIAM teams running consumer authentication at scale. We help you see what IDP logs and generic analytics tools can't: which devices, OS versions, browsers and credential managers support passkeys, why enrollments don't turn into logins, where the WebAuthn flow fails and when an OS / browser update silently breaks login, all without replacing Okta, Auth0, Ping, Cognito or your in-house IDP. Two products: Corbado Observe layers observability for passkeys and any other login method. Corbado Connect adds managed passkeys with analytics built in (alongside your IDP). VicRoads runs passkeys for 5M+ users with Corbado (+80% passkey activation). Talk to a Passkey Expert →