What is SCA?
Technical primer on Strong Customer Authentication
Strong Customer Authentication (SCA) requires multi-factor authentication for payments and account access. It's mandated by PSD2 in Europe, the Reserve Bank of India, Brazil's Central Bank, and increasingly across Asia-Pacific and Latin America. Beyond these regulations, it's the de facto standard for secure payment authentication globally.
The requirement: authenticate using two or more independent factors, drawn from something you know (a password), something you have (a device), or something you are (a biometric). For payments, the authentication must additionally be bound to the specific transaction amount and recipient, so an attacker cannot change those details after the user has authorized the payment.
Common Approaches
Most implementations use SMS codes, in-app push notifications, or 3D Secure. SMS codes are vulnerable to SIM swaps and can't be tied to transaction details. Push notifications require context-switching between apps. 3D Secure redirects users to their bank's page, killing 10-30% of checkout conversions. Hardware tokens are expensive and frustrating.
Proper compliance requires device-based cryptography: private keys in secure hardware (TEE or Secure Element) that never leave the device. Users unlock the key with their biometric to sign requests. The WebAuthn/FIDO2 passkey standard is the gold standard because:
- The browser/OS enforces that keys are generated in and never leave the platform authenticator
- Credentials are cryptographically bound to the origin (preventing cross-domain phishing)
- Attestation proves the key is in genuine hardware rather than software emulation
Rolling your own client-side crypto lacks these platform-level guarantees.
What It Means For You
FIDO2 implementation is complex. Client SDKs must handle platform-specific secure storage across iOS Keychain, Android Keystore, and Web Crypto API. Server infrastructure must store public keys, generate challenges, validate signatures with correct parameters, and handle key rotation when users change devices.
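The server-side duties listed above (storing public keys, issuing challenges, verifying signatures) and the transaction-binding requirement from the opening section fit together in one verification flow. The Go program below is an added example written for this primer; it is not code from the page or from any FIDO2 library. It assumes a hypothetical relying-party ID `bank.example`, uses in-memory maps in place of a database, and replaces the real WebAuthn assertion structure (`authenticatorData` plus the hash of `clientDataJSON`) with a simpler canonical digest over RP ID, challenge, amount, currency and payee. The `Sign` function stands in for the platform authenticator, which in practice holds the private key in the TEE or Secure Element; the transaction values are constructed sample data.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
	"time"
)

// Transaction is what the user approves; at verification time the server's stored
// copy of these values, never the client's, is what the signature is checked against.
type Transaction struct {
	AmountMinor int64 // amount in minor units (cents)
	Currency    string
	Payee       string
}

type pendingChallenge struct {
	Tx      Transaction
	Expires time.Time
	Used    bool
}

// Server keeps registered public keys and outstanding challenges; in-memory maps
// stand in for a database (assumption for this example).
type Server struct {
	RPID       string                       // relying-party ID the credential is bound to
	keys       map[string]*ecdsa.PublicKey  // credential ID -> public key
	challenges map[string]*pendingChallenge // hex challenge -> record
}

func NewServer(rpID string) *Server {
	return &Server{RPID: rpID, keys: map[string]*ecdsa.PublicKey{}, challenges: map[string]*pendingChallenge{}}
}

// RegisterKey stores the public key from a registration ceremony. Checking the
// attestation (proof the key lives in genuine hardware) is out of scope here.
func (s *Server) RegisterKey(credID string, pub *ecdsa.PublicKey) { s.keys[credID] = pub }

// BeginPayment issues a fresh random challenge and binds it to the transaction.
func (s *Server) BeginPayment(tx Transaction, ttl time.Duration) (string, error) {
	buf := make([]byte, 32)
	if _, err := rand.Read(buf); err != nil {
		return "", err
	}
	ch := hex.EncodeToString(buf)
	s.challenges[ch] = &pendingChallenge{Tx: tx, Expires: time.Now().Add(ttl)}
	return ch, nil
}

// signingInput is the canonical digest both sides compute. It covers the RP ID,
// the challenge and the transaction, mirroring how a WebAuthn assertion signs
// authenticatorData (carrying the rpIdHash) together with the hash of
// clientDataJSON (carrying the challenge and origin).
func signingInput(rpID, challenge string, tx Transaction) []byte {
	msg := fmt.Sprintf("%s|%s|%d|%s|%s", rpID, challenge, tx.AmountMinor, tx.Currency, tx.Payee)
	h := sha256.Sum256([]byte(msg))
	return h[:]
}

// Sign stands in for the platform authenticator. In a real deployment the private
// key stays in the TEE/Secure Element and is unlocked by the user's biometric.
func Sign(priv *ecdsa.PrivateKey, rpID, challenge string, tx Transaction) ([]byte, error) {
	return ecdsa.SignASN1(rand.Reader, priv, signingInput(rpID, challenge, tx))
}

// CompletePayment verifies the assertion against the stored transaction and
// rejects unknown, expired or already-used challenges (replay protection).
func (s *Server) CompletePayment(credID, challenge string, sig []byte) error {
	pub, ok := s.keys[credID]
	if !ok {
		return errors.New("unknown credential")
	}
	pc, ok := s.challenges[challenge]
	if !ok || pc.Used || time.Now().After(pc.Expires) {
		return errors.New("challenge unknown, used or expired")
	}
	// Rebuild the digest from the stored amount and payee: a client that changes
	// either after the user approved cannot produce a matching signature.
	if !ecdsa.VerifyASN1(pub, signingInput(s.RPID, challenge, pc.Tx), sig) {
		return errors.New("signature does not match the bound transaction")
	}
	pc.Used = true
	return nil
}

func main() {
	priv, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader) // ES256, WebAuthn's default algorithm
	srv := NewServer("bank.example")                           // hypothetical RP ID
	srv.RegisterKey("cred-1", &priv.PublicKey)
	tx := Transaction{AmountMinor: 12500, Currency: "EUR", Payee: "PAYEE-PLACEHOLDER"} // constructed sample
	ch, _ := srv.BeginPayment(tx, time.Minute)
	sig, _ := Sign(priv, srv.RPID, ch, tx)
	fmt.Println("first use:", srv.CompletePayment("cred-1", ch, sig))
	fmt.Println("replay:   ", srv.CompletePayment("cred-1", ch, sig))
}
```

The important design choice is in `CompletePayment`: the digest is rebuilt from the server's own record of the transaction, not from values echoed back by the client, so a signature over a different amount, payee or RP ID fails verification, and marking the challenge as used means a captured assertion cannot be replayed. Real deployments also need the attestation check on registration, the counter and user-verification flags in `authenticatorData`, and the key-rotation handling the paragraph above mentions.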