How Does the EBA Single Rulebook Q&A Clarify Ambiguities in SCA?#
The European Banking Authority (EBA) Single Rulebook Q&A serves as an official
reference to resolve ambiguities in the interpretation and implementation of PSD2’s
Strong Customer Authentication (SCA) requirements. It provides clarifications for
financial institutions, payment service providers, and regulators on how to correctly
apply Regulatory Technical Standards (RTS) for SCA.
Key Areas Where the EBA Single Rulebook Clarifies SCA Requirements#
1. Defining Multi-Factor Authentication (MFA) Under PSD2#
- The Q&A specifies that authentication factors must be independent and meet high
security standards.
- Clarification: Passkeys, which combine biometrics (something you are) and a
hardware-based credential (something you have), are explicitly recognized as compliant
with SCA.
2. Exemptions and Low-Risk Transactions#
- The RTS outlines specific exemptions where SCA is not required, but some scenarios
remained unclear.
- Clarification: The EBA has provided detailed guidance on how Transaction Risk
Analysis (TRA) can be applied for low-risk payments.
- Example: Recurring payments and trusted beneficiaries may
be exempt from SCA if they meet defined risk thresholds.
3. Dynamic Linking Requirements for Payments#
- PSD2 mandates dynamic linking, ensuring that authentication
is tied to the transaction details.
- Clarification: The Q&A confirms that cryptographic signatures must link the
transaction amount and recipient details to the authentication process.
- Best Practice: Passkeys meet this requirement because they sign each transaction
securely using WebAuthn cryptographic methods.
4. Use of Biometrics and Device-Bound Credentials#
- The EBA has addressed questions about whether biometric authentication alone satisfies
SCA.
- Clarification: Biometrics must be combined with another authentication factor
(e.g., a secure passkey) to be SCA-compliant.
- Passkeys inherently meet this requirement when using platform authenticators (Face
ID, Windows Hello, etc.).
5. Cross-Border and Interoperability Concerns#
- Many financial institutions raised concerns about how SCA should work across different
EU member states.
- Clarification: The EBA has specified that SCA must be applied uniformly across the
EU, ensuring consistent security regardless of where a payment is initiated.
How Do Passkeys Align With EBA Guidance?#
- Phishing resistance: Passkeys provide a secure alternative to passwords and
OTPs, aligning with EBA’s recommendations for strong authentication.
- Hardware security: Stored in Secure Enclave (Apple), TPM (Windows), or TEE
(Android), passkeys meet RTS security requirements.
- Dynamic linking: Passkeys cryptographically sign transaction details, ensuring
compliance with EBA-mandated security measures.
Conclusion#
The EBA Single Rulebook Q&A clarifies PSD2’s SCA
requirements, ensuring that financial institutions correctly interpret regulatory
standards. Passkeys align with EBA’s clarifications, offering a compliant, secure,
and user-friendly authentication method that satisfies multi-factor authentication,
dynamic linking, and phishing resistance.
Read the full article#

Add passkeys to your app in <1 hour with our UI components, SDKs & guides.
Start for free