If the card Issuer decides that passive authentication is not sufficient, the authentication flow transitions seamlessly to a challenge flow and the
cardholder must actively authenticate themselves. A common example would be a European transaction that is eligible for SCA under the PSD2
regulations and is not subject to a valid SCA exemption.
The details of the challenge required of the cardholder will be determined by their Issuer bank and could take the form of a One-Time Passcode
(possession), Security Question (knowledge) or Fingerprint (inherence) scan.
The range of authentication options that an Issuer can make available, and the move away from static passwords will help combat drop-off while
increasing security and user confidence.
through an Issuer’s banking
application to facilitate
biometrics such as fingerprint
scanning, facial recognition or
A one-time passcode is sent
by the Issuer to the customer's
registered mobile number and
is entered by the customer to
Customers verify transactions
by answering knowledge-based
questions provided by the