Strong Customer Authentication

The PSD2 requires a strong customer authentication for all interactions with a customer's bank. This means that two out of the following three factors have to be used for authentication:

  • Possession
  • Inherence (Identity)
  • Knowledge

An authenticated customer can authorize interactions triggered through the finX API, like e.g. a synchronization of account and transaction data or the submission of a payment.

The following sections describe the challenge types supported by the finX API.

Decoupled challenges

In this case, the process of strong customer authentication is to be carried out with a device or app that is provided by the financial service provider.

Redirect challenges

In case of a redirect challenge, the authentication is performed at the authentication server of the financial service provider. The customer's user agent has to be redirected to the URI given in the challenge.

Embedded challenges

In this case, the authentication process is embedded into the user interface on the side of the TPP. The following different formats of challenges are available

TEXTAn instructional text from the service provider describing further steps.
HTMLSimilar to TEXT but with additional markup.
HHDThe data encodes an animated image processable by the user's TAN generator. Please contact us in case you would like to provide native support for this in your application.
PHOTOAn image which should be shown to the user. The image is encoded following RFC 2397


An end-user might have multiple SCA methods available to him. In this case, an SCA method has to be selected.

SCA medium selection

For the embedded and decoupled SCA methods, it is possible that the user has registered multiple media (device or app) for a single method. In this case, the financial service provider will ask for a specific medium to be selected. E.g. a user can register multiple mobile phones to be used with the embedded SMS_OTP authentication method.

Note on Access Methods of type COMBINED

Please be aware that access methods of the type COMBINED (currently only supported for select Spanish banks) bring along a unique behavior that requires the user to solve multiple SCA challenges which you will need to handle accordingly in your application.

As the credentials are being used to create both a consent for accounts served by PSD2 APIs and other accounts only accessible through screen scraping, two independent logins take place. In that case two SCA challenges will be presented - one for the API access and one for the login into the online banking.