---
url: 'https://www.corbado.com/faq/strong-customer-authentication-psd2'
title: 'What is Strong Customer Authentication (SCA) under PSD2?'
description: 'Strong Customer Authentication (SCA) is a PSD2 regulation requiring multi-factor authentication to secure online payments and reduce fraud.'
lang: 'en'
---

# What is Strong Customer Authentication (SCA) under PSD2?

[Strong Customer Authentication](https://www.corbado.com/faq/sca-psd2-importance) (SCA) is a security requirement
introduced by **PSD2 (Revised Payment Services Directive)** to
enhance the security of online [payments](https://www.corbado.com/passkeys-for-payment) and reduce fraud. SCA
mandates that financial institutions and [payment](https://www.corbado.com/passkeys-for-payment) service
providers implement **multi-factor authentication (MFA)** for electronic transactions,
ensuring that only legitimate users can access accounts and approve
[payments](https://www.corbado.com/passkeys-for-payment).

### SCA Requirements

To comply with SCA, authentication must involve **at least two of the following three factors**:

1. **Knowledge** – Something the user knows (e.g., a password or PIN).
2. **Possession** – Something the user has (e.g., a smartphone, hardware token, or
   [smart card](https://www.corbado.com/glossary/smart-card)).
3. **Inherence** – Something the user is (e.g., biometrics like fingerprints or facial
   recognition).

### How SCA Works in Online Payments

SCA applies to most **electronic payments within the European Economic Area (EEA)**. For
example:

- A customer logging into an online [banking](https://www.corbado.com/passkeys-for-banking) account may need to
  provide both a **password (knowledge)** and confirm the login via a **mobile push
  notification (possession)**.
- A user making an online [payment](https://www.corbado.com/passkeys-for-payment) may be required to
  authenticate using **biometrics (inherence)** and approve the
  [payment](https://www.corbado.com/passkeys-for-payment) through their **banking app (possession)**.

### Exemptions to SCA

Certain transactions may be exempt from SCA, such as:

- Low-value transactions (below €30).
- Recurring [payments](https://www.corbado.com/passkeys-for-payment) (e.g., subscriptions).
- Transactions deemed **low-risk** based on fraud analysis.

### SCA and Passkeys

Traditional authentication methods like passwords and SMS OTPs are still widely used but
are vulnerable to **phishing attacks**. **Passkeys**, based on WebAuthn and
[FIDO2](https://www.corbado.com/glossary/fido2), offer a **phishing-resistant** alternative by leveraging
cryptographic authentication and device-bound credentials. Banks and fintech companies
implementing passkeys can meet **SCA requirements while improving both security and user
experience**.

Passkeys support strong authentication and [PSD2](https://www.corbado.com/blog/psd2-passkeys) compliance by using
cryptographic key pairs and device-bound credentials for seamless,
[phishing](https://www.corbado.com/glossary/phishing)-resistant logins.
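
The following is an added example, not code from Corbado or from the PSD2 text: a server-side check of which SCA factor categories a WebAuthn assertion gives evidence for, based on the `authenticatorData` layout defined by the WebAuthn specification. The function names, the RP ID `bank.example`, and the mapping of a valid signature to possession and of the user-verified flag to inherence or knowledge are assumptions made for illustration.

```python
import hashlib
import struct

FLAG_UP = 0x01  # user present (touch or similar gesture)
FLAG_UV = 0x04  # user verified (biometric or device PIN)

def parse_authenticator_data(auth_data: bytes) -> dict:
    """Split WebAuthn authenticatorData: rpIdHash(32) | flags(1) | signCount(4, big-endian)."""
    if len(auth_data) < 37:
        raise ValueError("authenticatorData must be at least 37 bytes")
    flags, sign_count = struct.unpack(">BI", auth_data[32:37])
    return {"rp_id_hash": auth_data[:32], "flags": flags, "sign_count": sign_count}

def sca_factors(auth_data: bytes, expected_rp_id: str, signature_valid: bool) -> set:
    """Return the SCA factor categories a passkey assertion gives evidence for.

    Assumption: signature_valid is the outcome of verifying the assertion
    signature with the registered public key, which happens elsewhere.
    """
    parsed = parse_authenticator_data(auth_data)
    expected_hash = hashlib.sha256(expected_rp_id.encode()).digest()
    # An rpIdHash for another site means the assertion was not made for us.
    if parsed["rp_id_hash"] != expected_hash or not signature_valid:
        return set()
    if not parsed["flags"] & FLAG_UP:
        return set()
    factors = {"possession"}  # valid signature: the device holds the private key
    if parsed["flags"] & FLAG_UV:
        # UV does not reveal the method: biometric is inherence, PIN is knowledge.
        factors.add("inherence_or_knowledge")
    return factors

def meets_sca(factors: set) -> bool:
    """SCA needs at least two distinct factor categories."""
    return len(factors) >= 2

def make_sample(rp_id: str, flags: int, sign_count: int = 7) -> bytes:
    """Constructed authenticatorData for the demo; not captured from a real device."""
    return hashlib.sha256(rp_id.encode()).digest() + struct.pack(">BI", flags, sign_count)

if __name__ == "__main__":
    for label, data in [
        ("UP+UV", make_sample("bank.example", FLAG_UP | FLAG_UV)),
        ("UP only", make_sample("bank.example", FLAG_UP)),
        ("wrong RP ID", make_sample("other.example", FLAG_UP | FLAG_UV)),
    ]:
        found = sca_factors(data, "bank.example", signature_valid=True)
        print(f"{label}: factors={sorted(found)} meets_sca={meets_sca(found)}")
```

An assertion with only the user-present flag set yields a single factor, so a relying party that relies on passkeys for SCA would need to request user verification and reject assertions where the flag is missing.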

By enforcing **Strong Customer Authentication (SCA)**, **PSD2 enhances transaction
security, reducing fraud risks and increasing trust in digital banking and online
payments**.
