The EU Payment Services Directive (PSD2) will undoubtedly facilitate innovation, competition, and efficiency among banks and other payment institutions. While giving consumers additional choice over how they manage their money and transact online, PSD2 also calls for a heightened security standard for online payments, ensuring consumer protection. With digital fraud growing faster every year, the need for enhanced security protections has never been more relevant.

Under PSD2’s Regulatory Technical Standards (RTS), account and payment service providers must comply with increased security requirements when processing payments or providing account-related services. At the heart of the RTS is the need for Strong Customer Authentication, allowing consumers to be better protected when making transactions online.

What is Strong Customer Authentication?

Strong Customer Authentication (SCA) is mandatory under PSD2, and article 4.1 requires that users be authenticated using at least two separate elements out of the following three authentication factors:

Knowledge: something they know (a password or PIN code)
Ownership: something they have (a card, a mobile phone)
Inherence: something they are (biometrics, e.g. fingerprint or iris scan).

The RTS also require that various cybersecurity mechanisms be in place to mitigate device exposure to risk and to ensure secure transactions and payment authorisations.

Payment service providers need to support purchase and login scenarios that utilize SCA while minimizing the friction incurred by their users, which can result in customer frustration and abandonment. Common forms of additional authentication use one-time passcodes sent through separate, “out-of-band” communication channels like SMS (text message) or email. While SMS and email are widely used authentication methods, both are subpar user experiences that lead to friction. SMS and email are also insecure channels and can be compromised by malware, social engineering, “man-in-the-middle” attacks, and other techniques used by fraudsters.

Best-in-class multifactor authentication methods are transparent to the end customer and allow good consumers to transact with the least amount of friction possible, while at the same time being secure communication channels.

The InAuth Solution: InAuthenticate®


Delivered as an SDK, InAuthenticate is a secure two-factor authentication solution built into an organization’s mobile app. It provides a secure means of delivering 2-way, contextual messages to a registered, trusted device through a financial institution’s branded mobile app.

In the context of PSD2, when payment services providers require strong customer authentication for a browser transaction, InAuthenticate pushes a contextual message with details about the specific transaction to the customer’s registered, trusted mobile device. The customer opens the message and approves or declines the transaction within their bank's mobile app. The in-app message can only be received by the intended device, and there is no risk of the message being intercepted, replayed, spoofed, or altered.


InAuthenticate Technology

InAuthenticate can be used by both payment services providers and aggregators when there is a requirement for Strong Customer Authentication.

InAuthenticate is the tool needed to help achieve Strong Customer Authentication for PSD2 while mitigating against security threats. InAuthenticate’s ability to utilize the device as a second factor of authentication and securely push contextual authentication messages to registered, trusted devices allows account and payment service providers to meet many of the challenges of PSD2.
