PSD2: The Role of Authentication Codes in Strong Customer Authentication

June 8, 2022
Woman's hands typing on a laptop and holding a smart phone, brown and black color scheme

In a continuation of our article series on Strong Customer Authentication (SCA), we’ll be examining the requirements for generating a core component of SCA requirements: authentication codes.

In order for SCA requirements to be applied, a number of security measures have been laid out by the European Banking Authority. At the core of these measures are the generation of authentication codes, which play an important role within SCA-compliant transactions.

An entry in the Official Journal of the European Union includes the following description of authentication code requirements, referencing the PSD2 legislation, Article 97(1) of Directive (EU) 2015/2366:

“Where payment service providers apply strong customer authentication in accordance with Article 97(1) of Directive (EU) 2015/2366, the authentication shall be based on two or more elements which are categorised as knowledge, possession and inherence and shall result in the generation of an authentication code.”

— The Official Journal of the European Union —

The authentication factors mentioned above (knowledge, possession, and inherence) can also be thought of as what you know, what you have, and what you are. We previously wrote about the options for these authentication factors in detail – using these options, businesses select at least two independent authentication factors to add to their applications. The elements will then be used by customers, who provide the relevant information while carrying out transactions.

How Do Payment Service Providers Use Authentication Codes?

The journal entry mentioned above clearly lays out the conditions that must be met in order for payment service providers to accept authentication codes submitted by payers. First off, it’s necessary for payers to use authentication codes when accessing their online payment accounts, initiating electronic payment transactions, or carrying out any action through a remote channel which may potentially expose them to online fraud or other digital threats.

Additionally, there are some general rules for authentication codes that must be adhered to by payment service providers when accepting authentication codes. Put simply, the conditions are as follows:

  • The information within the authentication factors submitted by payers cannot be derived from the disclosure of the authentication code.
  • It’s not possible to generate a new authentication code based on the knowledge of any other authentication code generated previously.
  • The authentication code cannot be forged.

How Is the Security of Authentication Codes Regulated?

Even though SCA authentication codes are, by nature, designed to boost the security of payment transactions, it’s important to note that there are a few restrictions on their use. This further supports the secure use of these codes and makes it more difficult for them to be exploited. Here are a few of these restrictions:

  • In scenarios in which a code doesn’t adhere to the aforementioned rules, it must not be possible to identify which of the authentication factors submitted was incorrect (in other words, a breach of one of the authentication factors shouldn’t imply the breach of any of the other factors).
  • The number of failed authentication attempts that consecutively can take place cannot exceed five within a given period of time (in the case of more than five failed attempts, the payer will be temporarily or permanently blocked from their account).
  • After being authenticated for accessing one’s online payment account, the maximum time without payer activity must not exceed five minutes.
  • In the case that a payer is blocked from their account, the payer shall be alerted before a block is made permanent.
  • Where a block has been made permanent, a secure procedure shall be established allowing the payer to regain use of the electronic payment instruments that have been blocked.

When payment service providers ensure that their adoption of SCA authentication codes meets each of these criteria, they’re protecting both themselves and their customers. Hence, the proper implementation of authentication codes is a win-win for businesses and consumers alike.

In the next installment of our SCA series, we’ll be taking a look at dynamic linking. To stay in touch with us, subscribe to the Wultra newsletter and never miss a beat.

Related articles


get in touch

Consider partnering with Wultra to meet compliance standards, deliver a secure and seamless user experience, and deliver additional value to your customers while improving your bottom line.

Ondřej kupka
Picture of Account Executive Ondrej Kupka
Thank you! Your submission has been received!
Oops! Something went wrong while submitting the form.