
What is SCA and why is it essential under PSD2?

Strong Customer Authentication (SCA) is a PSD2 requirement that enhances security by enforcing multi-factor authentication for online payments.

Vincent Delitz

Created: January 31, 2025

Updated: May 12, 2026


What Is Strong Customer Authentication (SCA) and Why Is It Essential Under PSD2?

What Is SCA?

Strong Customer Authentication (SCA) is a European regulatory requirement introduced under the Revised Payment Services Directive (PSD2). It mandates the use of multi-factor authentication (MFA) for electronic payments to enhance security and reduce fraud.

Why Is SCA Required Under PSD2?

PSD2 was designed to create a more secure and competitive digital payment ecosystem within the EU. SCA is essential because:

  • It prevents unauthorized transactions by requiring at least two authentication factors.
  • It reduces fraud risks, particularly for card-not-present transactions.
  • It increases consumer trust in digital banking and payment services.

How Does SCA Work?

SCA requires authentication using at least two of the following three factors:

  1. Something You Know (e.g., password, PIN)
  2. Something You Have (e.g., smartphone, security key)
  3. Something You Are (e.g., fingerprint, facial recognition)

This means one-time passwords (OTPs) sent via SMS are not sufficient on their own; they must be combined with another factor.


When Is SCA Required?

  • Online payments (e.g., e-commerce transactions, bank transfers)
  • Accessing a bank account online
  • Performing actions that could be high-risk (e.g., adding a new payee)

Are There Any Exemptions?

Yes, certain low-risk transactions may be exempt, such as:

  • Recurring payments (e.g., subscriptions)
  • Low-value transactions (typically under €30)
  • Trusted beneficiaries (pre-approved by the user)

What Role Do Passkeys Play in SCA?

Passkeys, based on WebAuthn and FIDO2, are an ideal SCA-compliant authentication method because:

  • They provide phishing-resistant authentication.
  • They eliminate the risks of stolen passwords and OTP interception.
  • They enable seamless multi-factor authentication by combining biometric authentication (something you are) with device-based security (something you have).
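
How a relying party can check that a passkey login really delivered two factors, shown as an added example (not Corbado's code): it reads the user-present (UP) and user-verified (UV) flags from the WebAuthn authenticator data. The RP ID `bank.example`, the factor labels and the function names are assumptions, and signature, challenge and origin verification are assumed to have been done already.

```python
import hashlib
import struct

FLAG_UP = 0x01  # bit 0: user present
FLAG_UV = 0x04  # bit 2: user verified (biometric or device PIN)
RP_ID = "bank.example"  # constructed relying-party ID (assumption)


def parse_authenticator_data(auth_data: bytes) -> dict:
    """Split the fixed header: rpIdHash (32) | flags (1) | signCount (4, big-endian)."""
    if len(auth_data) < 37:
        raise ValueError("authenticator data shorter than 37 bytes")
    (sign_count,) = struct.unpack(">I", auth_data[33:37])
    return {"rp_id_hash": auth_data[:32], "flags": auth_data[32], "sign_count": sign_count}


def sca_factors(auth_data: bytes, rp_id: str = RP_ID) -> set:
    """Factor categories evidenced by an assertion whose signature, challenge
    and origin the caller has ALREADY verified (assumption of this example)."""
    parsed = parse_authenticator_data(auth_data)
    if parsed["rp_id_hash"] != hashlib.sha256(rp_id.encode()).digest():
        raise ValueError("rpIdHash does not match the expected RP ID")
    factors = set()
    if parsed["flags"] & FLAG_UP:
        factors.add("possession")  # the key on the device signed while the user was present
    if parsed["flags"] & FLAG_UV:
        # The flag does not say which method was used: biometric or device PIN.
        factors.add("inherence_or_knowledge")
    return factors


def meets_sca(auth_data: bytes, rp_id: str = RP_ID) -> bool:
    """Two distinct categories are required; presence alone is a single factor."""
    return len(sca_factors(auth_data, rp_id)) >= 2


def sample_auth_data(flags: int, sign_count: int = 7, rp_id: str = RP_ID) -> bytes:
    """Constructed authenticator data for the demo (not a captured assertion)."""
    return hashlib.sha256(rp_id.encode()).digest() + bytes([flags]) + struct.pack(">I", sign_count)


if __name__ == "__main__":
    for label, flags in [("UP only", FLAG_UP), ("UP + UV", FLAG_UP | FLAG_UV)]:
        data = sample_auth_data(flags)
        print(label, sorted(sca_factors(data)), "SCA ok:", meets_sca(data))
```

An assertion with only UP set counts as a single factor here, which is why a relying party that relies on passkeys for SCA requests user verification and rejects responses where UV is clear.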

Conclusion

SCA is a critical PSD2 security requirement that protects online transactions, reduces fraud, and enhances consumer trust. Passkeys offer a compliant, secure, and user-friendly alternative to traditional authentication methods, aligning with SCA’s security objectives.
