
Two-Factor Authentication (2FA)

What is Two-Factor Authentication (2FA)? Definition

Two-factor authentication (2FA) is a security mechanism that requires the user to prove their identity with two independent elements before an operation is completed. In the European payment ecosystem it is known as SCA (Strong Customer Authentication): the PSD2 Directive requires authentication based on two or more independent elements for electronic transactions, and two factors is the minimum that satisfies it.

Unlike simple password-based authentication, 2FA combines two of these three categories of factors: something the user knows (PIN or password), something they have (mobile device or token), and something they are (fingerprint or facial recognition). The factors must be independent, so that compromising one does not compromise the other; this is why the RTS (Article 9) requires mitigating measures when both factors run on the same multi-purpose device, such as a phone that receives the OTP and also holds the banking app.

2FA authentication in PSD2 SCA payments

How two-factor authentication works in payments

When a cardholder initiates a payment in an e-commerce store, the second verification step runs through the 3-D Secure (3DS) protocol:

  • The buyer enters their card details at checkout.
  • The merchant's 3DS server sends an authentication request to the issuer through the card network's directory server.
  • The issuer's access control server (ACS) assesses the risk: a low-risk transaction is authenticated without interaction (frictionless flow); otherwise it launches the strong authentication challenge.
  • The cardholder proves their identity with the factors the issuer requires, typically a code generated by the banking app or a device-bound OTP combined with a password, PIN, or biometric (fingerprint or face).
  • The issuer returns the authentication result together with an authentication value (CAVV) and the ECI indicator; the merchant then submits the authorization with those values attached, and the issuer authorizes the transaction.

PCI DSS v4.0 applies the same logic to access to systems: using two instances of the same factor type (for example, two different passwords) does not constitute valid multi-factor authentication. Each factor must belong to a different category, all factors must succeed before access is granted, and since 31 March 2025 MFA is a mandatory requirement for all access into the cardholder data environment (CDE).
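The challenge flow described above, and the rule that two factors of the same category are not MFA, as an added worked example that is not part of this glossary entry or of any vendor's 3DS implementation. Message and field names (AReq/ARes, CReq, RReq, transStatus, acsTransID, eci, authenticationValue) follow the EMV 3DS 2 specification, but the frictionless risk rule, the keys, the test card numbers and the cardholder records are constructed for illustration:

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass

# Factor categories (PSD2 RTS / PCI DSS v4.0): valid MFA spans at least two of them.
FACTOR_CATEGORY = {"password": "knowledge", "pin": "knowledge",
                   "app_otp": "possession", "fingerprint": "inherence"}

def is_valid_mfa(factor_names):
    """Two or more known factors drawn from at least two different categories."""
    categories = {FACTOR_CATEGORY.get(name) for name in factor_names}
    return len(factor_names) >= 2 and None not in categories and len(categories) >= 2

@dataclass
class Cardholder:
    password_hash: bytes   # knowledge factor (plain SHA-256 here; use argon2/bcrypt in production)
    device_key: bytes      # key provisioned into the banking app: possession factor
    trusted_device: bool   # constructed risk signal used by the frictionless rule below

def app_otp(device_key, acs_trans_id):
    """Transaction-bound OTP: an HMAC over the challenge id, so a captured code is useless elsewhere."""
    return hmac.new(device_key, acs_trans_id.encode(), hashlib.sha256).hexdigest()[:8]

class ACS:
    """Issuer's Access Control Server: risk decision, challenge, result (simulated)."""
    def __init__(self, cardholders, cavv_key):
        self.cardholders = cardholders
        self.cavv_key = cavv_key    # signs the authentication value handed back to the merchant
        self.pending = {}           # acsTransID -> AReq still awaiting its challenge response

    def _cavv(self, areq):
        msg = f"{areq['acctNumber']}|{areq['purchaseAmount']}|{areq['threeDSServerTransID']}"
        return hmac.new(self.cavv_key, msg.encode(), hashlib.sha256).hexdigest()[:28]

    def handle_areq(self, areq):
        """Frictionless (transStatus Y) for a trusted device and a small amount; otherwise challenge (C)."""
        holder = self.cardholders[areq["acctNumber"]]
        if holder.trusted_device and areq["purchaseAmount"] <= 3000:   # minor units: EUR 30.00
            return {"messageType": "ARes", "transStatus": "Y", "eci": "05",
                    "authenticationValue": self._cavv(areq)}
        acs_trans_id = secrets.token_hex(8)
        self.pending[acs_trans_id] = areq
        return {"messageType": "ARes", "transStatus": "C", "acsTransID": acs_trans_id}

    def handle_creq(self, creq):
        """Every presented factor must verify, and together they must span two categories."""
        failed = {"messageType": "RReq", "transStatus": "N", "eci": "07"}
        areq = self.pending.pop(creq["acsTransID"], None)   # a challenge id is consumed on first use
        if areq is None:
            return failed
        proofs = creq["factors"]
        if not is_valid_mfa(list(proofs)):
            return failed                                    # e.g. password + PIN: same category
        holder = self.cardholders[areq["acctNumber"]]
        if not all(self._verify(holder, creq["acsTransID"], n, p) for n, p in proofs.items()):
            return failed
        return {"messageType": "RReq", "transStatus": "Y", "eci": "05",
                "authenticationValue": self._cavv(areq)}

    def _verify(self, holder, acs_trans_id, name, proof):
        if name == "password":
            return hmac.compare_digest(hashlib.sha256(proof.encode()).digest(), holder.password_hash)
        if name == "app_otp":
            return hmac.compare_digest(proof, app_otp(holder.device_key, acs_trans_id))
        return False   # pin and fingerprint are not enrolled in this simulation

def authorize(auth_result):
    """Merchant/acquirer side: authorization carries the ECI and CAVV; liability shifts only for transStatus Y."""
    if auth_result["transStatus"] != "Y":
        return {"approved": False, "liability_shift": False, "eci": auth_result["eci"]}
    return {"approved": True, "liability_shift": True, "eci": auth_result["eci"],
            "cavv": auth_result["authenticationValue"]}

def checkout(acs, acct_number, amount, provide_factors):
    """One purchase end to end; provide_factors(acs_trans_id) supplies the cardholder's proofs on a challenge."""
    areq = {"messageType": "AReq", "threeDSServerTransID": secrets.token_hex(8),
            "acctNumber": acct_number, "purchaseAmount": amount}
    ares = acs.handle_areq(areq)
    if ares["transStatus"] != "C":
        return authorize(ares)
    creq = {"messageType": "CReq", "acsTransID": ares["acsTransID"],
            "factors": provide_factors(ares["acsTransID"])}
    return authorize(acs.handle_creq(creq))

# Constructed cardholders and keys (test card numbers, not real accounts).
DEVICE_KEY = b"constructed-device-key"
PASSWORD_HASH = hashlib.sha256(b"correct horse").digest()
CARDHOLDERS = {"4111111111111111": Cardholder(PASSWORD_HASH, DEVICE_KEY, True),
               "5555555555554444": Cardholder(PASSWORD_HASH, DEVICE_KEY, False)}

def good_factors(acs_trans_id):   # knowledge + possession
    return {"password": "correct horse", "app_otp": app_otp(DEVICE_KEY, acs_trans_id)}

def two_passwords(acs_trans_id):  # knowledge + knowledge: rejected as MFA
    return {"password": "correct horse", "pin": "1234"}

def demo(acct_number, amount, provide_factors):
    """Authorization outcome for one constructed purchase against a fresh ACS."""
    return checkout(ACS(CARDHOLDERS, b"constructed-cavv-key"), acct_number, amount, provide_factors)
```

Two details are worth noting: the challenge id is removed from `pending` on first use, so replaying a captured CReq fails, and the OTP is keyed to that id, so a code phished for one purchase does not validate another. `demo("4111111111111111", 2500, good_factors)` takes the frictionless path, while the same card at 9900 or the second card at any amount is challenged, and `two_passwords` is refused before any proof is checked.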

Regulatory impact and applicable security of 2FA

The legal framework supporting 2FA in Europe is multi-level.

PSD2 (Directive (EU) 2015/2366) establishes in Article 97 the obligation to apply SCA when the payer accesses their payment account online, initiates an electronic payment transaction, or carries out any action through a remote channel that may imply a risk of payment fraud or other abuse. The EBA drafted the Regulatory Technical Standards (RTS, adopted as Commission Delegated Regulation (EU) 2018/389) that define the specific requirements and the applicable exemptions.

PCI DSS v4.0 reinforces this requirement within the card industry. Requirement 8.4 mandates MFA for non-console administrative access to the CDE (8.4.1), for all access into the CDE (8.4.2), and for remote access from outside the entity's network (8.4.3). Requirement 8.5.1 sets the properties the MFA system itself must have: it must not be susceptible to replay attacks, it cannot be bypassed by any user (including administrators) without a documented, time-limited exception, it must use at least two different types of factors, and access is granted only after all factors succeed.

There are SCA exemptions that merchants can request, although the issuer always has the final say: low-value remote transactions (not above €30, as long as the cumulative amount since the last SCA does not exceed €100 or the number of consecutive transactions does not exceed five), Transaction Risk Analysis (TRA, up to €100, €250, or €500 depending on the fraud rate of the provider applying it), and recurring transactions of the same amount to the same payee once the first one has been authenticated (Article 14 of the RTS).

Operational advantages and disadvantages of 2FA

Advantages:

  • Fraud reduction and liability shift: for a transaction authenticated with 3DS, liability for fraud-related chargebacks ("cardholder did not authorize") moves from the merchant to the issuer, protecting the merchant's revenue. Non-fraud disputes (goods not received, not as described) are not covered by the shift.
  • Better approval rate: issuers trust authenticated transactions more, and sending rich data (billing address, email, device information) in the authentication request helps the issuer's risk engine approve without a challenge.
  • Conversion-security balance: risk-based SCA allows exempting low-risk operations and triggering the challenge only when the transaction profile requires it.

Disadvantages:

  • Checkout friction: Every additional step can trigger cart abandonment, especially on mobile devices with poorly optimized flows.
  • Issuer dependence: The 3DS challenge experience depends on the issuing bank. If their interface is slow, the abandonment rate grows without the merchant being able to intervene.
  • Technical complexity: Managing exemptions and adaptive 3DS flows requires advanced integration with the payment gateway.

Merchant-Initiated Transactions (MIT) do not require 2FA after the first authenticated cardholder-initiated transaction (CIT) that sets up the mandate: because the payer is not present when they are taken, they fall outside the scope of SCA rather than under an exemption, and the amount may vary between charges (the fixed-amount condition applies only to the Article 14 recurring exemption). Each MIT must be flagged as merchant-initiated and reference the original authenticated transaction; otherwise the issuer may soft-decline it and require a fresh CIT. This eliminates friction in subscription models.
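The exemption rules listed under the regulatory section and the MIT handling described above, as an added worked example that is not part of this glossary entry or of any issuer's or gateway's code. The euro thresholds and the fraud-rate tiers are those of the RTS (Articles 14, 16 and 18); the decision strings, the transaction fields, the stricter reading of the Article 16 counters, the "soft decline" of an MIT under an unknown mandate, and the sample transactions are assumptions made for this example, and the real-time risk scoring that TRA also requires is omitted:

```python
from dataclasses import dataclass, field
from typing import Optional

# Thresholds from the PSD2 RTS (Commission Delegated Regulation (EU) 2018/389); amounts in euro cents.
LOW_VALUE_MAX = 30_00              # Art. 16(a): single remote transaction not above EUR 30
LOW_VALUE_CUMULATIVE_MAX = 100_00  # Art. 16(b): cumulative amount since last SCA not above EUR 100
LOW_VALUE_MAX_COUNT = 5            # Art. 16(c): at most 5 consecutive transactions since last SCA
TRA_TIERS = ((0.01, 500_00), (0.06, 250_00), (0.13, 100_00))  # Art. 18: (max fraud rate %, max amount)

@dataclass
class Transaction:
    payer_id: str
    amount: int
    initiator: str = "cardholder"            # "cardholder" (CIT) or "merchant" (MIT)
    mandate_id: Optional[str] = None         # agreement an MIT is taken under; set on the CIT that creates it
    request_exemption: Optional[str] = None  # merchant's hint: "low_value" or "tra"

@dataclass
class PayerState:
    cumulative_since_sca: int = 0
    count_since_sca: int = 0
    mandates: set = field(default_factory=set)  # mandate ids whose set-up was authenticated

class ScaEngine:
    """Issuer-side decision: apply SCA, grant an exemption, or treat the MIT as out of scope."""
    def __init__(self, acquirer_fraud_rate_pct):
        self.fraud_rate = acquirer_fraud_rate_pct  # reference fraud rate of the party applying TRA, in percent
        self.payers = {}

    def tra_limit(self):
        """Highest TRA amount the fraud rate allows (0 if it qualifies for no tier)."""
        for max_rate, max_amount in TRA_TIERS:
            if self.fraud_rate <= max_rate:
                return max_amount
        return 0

    def decide(self, txn, st):
        if txn.initiator == "merchant":
            # MIT: not initiated by the payer, so outside SCA when the mandate was set up with SCA.
            # The amount may differ from the set-up transaction; an unknown mandate is soft-declined.
            return "mit_out_of_scope" if txn.mandate_id in st.mandates else "soft_decline"
        if (txn.request_exemption == "low_value" and txn.amount <= LOW_VALUE_MAX
                and (st.cumulative_since_sca + txn.amount <= LOW_VALUE_CUMULATIVE_MAX
                     or st.count_since_sca < LOW_VALUE_MAX_COUNT)):
            return "low_value"   # stricter reading of Art. 16(b)/(c); issuers differ on the counting
        if txn.request_exemption == "tra" and 0 < txn.amount <= self.tra_limit():
            return "tra"         # the real-time risk analysis Art. 18 also requires is omitted here
        return "sca_required"

    def process(self, txn):
        """Decide, then update the payer's counters the way the issuer must track them."""
        st = self.payers.setdefault(txn.payer_id, PayerState())
        decision = self.decide(txn, st)
        if decision == "sca_required":
            st.cumulative_since_sca, st.count_since_sca = 0, 0   # applying SCA resets the Art. 16 counters
            if txn.mandate_id:
                st.mandates.add(txn.mandate_id)                   # authenticated mandate set-up (CIT)
        elif decision in ("low_value", "tra"):
            st.cumulative_since_sca += txn.amount   # every payer-initiated exempted transaction
            st.count_since_sca += 1                 # counts toward the Art. 16 limits
        return decision

def demo():
    """Constructed scenarios; returns the decision sequence for each."""
    engine = ScaEngine(acquirer_fraud_rate_pct=0.05)   # qualifies for the EUR 250 TRA tier
    subscription = [
        Transaction("p1", 12_99, mandate_id="sub-42"),                         # CIT sets up the mandate
        Transaction("p1", 12_99, initiator="merchant", mandate_id="sub-42"),   # renewal, same amount
        Transaction("p1", 15_49, initiator="merchant", mandate_id="sub-42"),   # renewal after a price rise
        Transaction("p1", 15_49, initiator="merchant", mandate_id="sub-99"),   # mandate never authenticated
    ]
    low_value = [Transaction("p2", 25_00, request_exemption="low_value") for _ in range(7)]
    tra = [Transaction("p3", 200_00, request_exemption="tra"),
           Transaction("p3", 300_00, request_exemption="tra")]
    return {name: [engine.process(t) for t in txns]
            for name, txns in (("subscription", subscription), ("low_value", low_value), ("tra", tra))}
```

The low-value scenario shows the edge case merchants tend to miss: seven €25 purchases in a row are exempted five times (the first four by cumulative amount, the fifth by count), the sixth forces SCA because both limits are exhausted, and the seventh is exempt again because SCA reset the counters. The subscription scenario shows an MIT passing with a different amount from the set-up transaction, and an MIT under a mandate the issuer never saw authenticated being soft-declined.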
