Strong Customer Authentication – what is it for and how does it work?

Banks as well as all other payment service providers must use “two factor authentication” for payment transactions with effect from 14.09.2019 due to an EU-wide regulation. This means that

  • prior to performing your online credit transfer,
  • when logging into your payment account, or
  • when paying by card in a shop

you must verify your identity by means of two factors.

In a first step, 3 legal categories must be differentiated between:

  • Knowledge: in this case the bank may ask you something that only you know, e.g.
    • an answer to a security question;
    • a password or a numerical combination.
  • Possession: in this case an object is used that you possess, e.g.
    • Your debit card (“Bankomatkarte”), which is read by a card reader;
    • A TAN code may be sent to your mobile phone, and entering that TAN code verifies that you possess the mobile phone;
    • You can install an app on your mobile phone, via which access may be approved or authorised, and a technical process in the background (known as “device binding”) verifies your possession of the app or the mobile telephone.
  • Inherence: your identify is checked on the basis of unique personal characteristics, e.g.
    • fingerprint;
    • facial recognition.

Thereafter the payment service provider selects two factors from the categories listed. Which factor are specifically chosen, is left up to the payment service provider to decide, the only condition being that the factors are from two different categories. The purpose of this rule is to minimise fraud and also to further increase the security of payment transactions.


  • It is possible to access an online account using an application (app), which has been installed on a mobile telephone that has been registered with the bank (possession), in connection with which a fingerprint (inherence) is used.
  • It may also be possible to access an account online using a user identification number and a password (knowledge) and entering a code which has been sent to a mobile phone (possession).
  • It is also possible to access an online account by reading your debit card using a separate card reader (= possession) in combination with a PIN code (= knowledge) on any PC/Mac that you have access to, as well as by mobile telephone. This variant functions independently of mobile phone reception and an application (app).

Other variants are also permissible, as long as two factors from two different categories are chosen. It remains at the bank’s discretion which factors and variants it chooses to use and offer. There are a lot of providers in the market that offer various different offers, and you in turn are free to choose the provider that suits about with the corresponding authentication procedure.

The Financial Market Authority’s task is to monitor whether your bank uses a two factor authentication process. The FMA is not however able to influence which variants your bank uses as well as how many different variants it offers. Further information about strong customer authentication can be found at: