
What is Strong Customer Authentication (SCA) under PSD2?

Strong Customer Authentication (SCA) is a PSD2 regulation requiring multi-factor authentication to secure online payments and reduce fraud.

Vincent Delitz

Created: January 31, 2025

Updated: May 12, 2026


What is Strong Customer Authentication (SCA) under PSD2?

Strong Customer Authentication (SCA) is a security requirement introduced by PSD2 (Revised Payment Services Directive) to
enhance the security of online payments and reduce fraud. SCA
mandates that financial institutions and payment service
providers implement multi-factor authentication (MFA) for electronic transactions, ensuring that only legitimate users can access accounts and approve
payments.

SCA Requirements

To comply with SCA, authentication must involve at least two of the following three
factors:

  1. Knowledge – Something the user knows (e.g., a password or PIN).
  2. Possession – Something the user has (e.g., a smartphone, hardware token, or
    smart card).
  3. Inherence – Something the user is (e.g., biometrics like fingerprints or facial
    recognition).

How SCA Works in Online Payments

SCA applies to most electronic payments within the European Economic Area (EEA). For
example:

  • A customer logging into an online banking account may need to
    provide both a password (knowledge) and confirm the login via a mobile push
    notification (possession).
  • A user making an online payment may be required to authenticate
    using biometrics (inherence) and approve the payment
    through their banking app (possession).

Exemptions to SCA

Certain transactions may be exempt from SCA, such as:

  • Low-value transactions (below €30).
  • Recurring payments (e.g., subscriptions).
  • Transactions deemed low-risk based on fraud analysis.

SCA and Passkeys

Traditional authentication methods like passwords and SMS OTPs are still widely used but
are vulnerable to phishing attacks. Passkeys, based on WebAuthn and
FIDO2, offer a phishing-resistant alternative by leveraging
cryptographic authentication and device-bound credentials. Banks and fintech companies
implementing passkeys can meet SCA requirements while improving both security and user
experience.

Passkeys enable compliance with PSD2 strong authentication by leveraging cryptographic key pairs and device-bound credentials for seamless, phishing-resistant logins.
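
As an added example (not Corbado's code), the following Node.js code checks the two-of-three rule from the SCA Requirements section and shows how a passkey assertion can count toward it. The method names, the `knowledge_or_inherence` label, the RP ID `bank.example` and the reading of the WebAuthn UV flag as a second factor are assumptions; verification of the assertion signature is assumed to happen elsewhere.

```javascript
const crypto = require("crypto");

// WebAuthn authenticator data: rpIdHash (32 bytes) | flags (1 byte) | signCount (4 bytes, big-endian)
const FLAG_UP = 0x01; // user present (touch or click)
const FLAG_UV = 0x04; // user verified locally (biometric or device PIN)

// Assumed mapping of login methods to SCA factor categories (hypothetical method names).
const CATEGORY = {
  password: "knowledge", pin: "knowledge",
  push_approval: "possession", hardware_token: "possession",
  fingerprint: "inherence", face: "inherence",
};

function parseAuthenticatorData(buf) {
  if (buf.length < 37) throw new Error("authenticator data too short");
  return {
    rpIdHash: buf.subarray(0, 32),
    userPresent: (buf[32] & FLAG_UP) !== 0,
    userVerified: (buf[32] & FLAG_UV) !== 0,
    signCount: buf.readUInt32BE(33),
  };
}

// Returns the distinct factor categories proven by one login attempt.
// Assumes the passkey assertion signature was already verified by the caller.
function provenCategories({ methods = [], passkeyAuthData = null, rpId = "" }) {
  const cats = new Set();
  for (const m of methods) {
    if (typeof CATEGORY[m] !== "string") throw new Error(`unknown method: ${m}`);
    cats.add(CATEGORY[m]);
  }
  if (passkeyAuthData) {
    const ad = parseAuthenticatorData(passkeyAuthData);
    const expected = crypto.createHash("sha256").update(rpId).digest();
    if (!ad.rpIdHash.equals(expected)) throw new Error("rpIdHash mismatch");
    if (!ad.userPresent) throw new Error("user presence flag not set");
    cats.add("possession"); // private key held by the authenticator
    if (ad.userVerified) cats.add("knowledge_or_inherence"); // flag does not say which
  }
  return cats;
}

// SCA needs two different categories; two methods from one category do not count.
const satisfiesSca = (attempt) => provenCategories(attempt).size >= 2;

// Constructed sample authenticator data for the placeholder RP ID "bank.example".
function sampleAuthData(flags) {
  const hash = crypto.createHash("sha256").update("bank.example").digest();
  return Buffer.concat([hash, Buffer.from([flags, 0, 0, 0, 7])]);
}
```

A password plus a PIN fails the check because both are knowledge factors, and a passkey assertion without the UV flag proves possession only.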

By enforcing Strong Customer Authentication (SCA), PSD2 enhances transaction
security, reducing fraud risks and increasing trust in digital banking and online
payments.
