3 min read

EBA On Customer Authentication Under PSD2: Possession & Knowledge

EBA On Customer Authentication Under PSD2: Possession & Knowledge

Financial institutions and solution providers are busy implementing the requirements of Strong Customer Authentication (SCA) under the Revised Payment Services Directive (PSD2) and the Regulatory Technical Standards (RTS).

However, as with any new regulatory directive, there has been a certain amount of ambiguity as to what elements comply fully with the SCA constraints and what elements fall short. To remedy this, the European Banking Authority has been issuing its opinions on the technical requirements related to eIDAS, SCA and so on.

The latest such opinion was published in June 2019 which provides valuable insights into what elements the EBA considers to be compliant with SCA requirements. In Part 1 of our series, we analysed EBA’s opinion on the elements under the category of inherence. Today, we look at possession and knowledge. 


PSD2 defines possession as “something only the user possesses”. Possession does not need to be physical but may also be digital. The essential condition is that unauthorised access or replication of that element must be prevented with adequate safeguards.

Devices can be used as proof of possession as per the EBA provided that there exists a “reliable means to confirm possession through the generation or receipt of a dynamic validation element on the device”. An example of this are the one-time passwords (OTP) that are received as SMS’s or through push notifications etc. An app or browser than can ensure a unique connection with a user’s device is also a compliant possession element. This may be done through hardware crypto-security, device registration or other such means. Other examples of valid possession elements include digital signatures or quick response codes that may be scanned by a device.

The accompanying table lists some of the observations made by the EBA in this regard.

Non-Exhaustive list of possible possession elements

Source: European Banking Authority


PSD2 defines knowledge as “something only the user knows”. It’s not surprising, therefore, that the main requirement for this element under SCA is that it must not be uncovered by or disclosed to unauthorised parties. This includes the more traditional elements like passwords, PINs, swipe patterns, responses to challenge questions and so on. Non secret details like user IDs or email addresses do not qualify though.

This category is actually pretty straightforward although the treatment of cards and their attributes is interesting. Card details and the security code shall not be a valid knowledge element as per the EBA. Some cards now come with dynamic security codes and those may be considered valid possession elements but not valid knowledge elements. However, if the card security code is not printed on the card and was sent separately to the user, it shall be a valid knowledge element as it not much different from a PIN in that sense.

Non-exhaustive list of possible knowledge elements

Source: European Banking Authority

The big picture 

SCA requires at least two elements from any two of these three categories at a minimum. However, it is crucial for those elements to be independent to each other. Which means that breach of one element, cannot possibly compromise the other. Lastly, remote transactions also require dynamic linking so that any elements generated for one transaction cannot be used for another. 


Download white paper

References and Further Reading