Two-factor Authentication (2FA)
What is two-factor authentication?
2FA is also known as ‘two-step security’ and uses two different and personal factors to securely approve something digitally. It is used for logging in and digitally approving transactions, such as payments. In the EU, the use of 2FA is legally required for many digital payments, based on the Revised Payment Services Directive (PSD2). 2FA protects digital payments against fraud.
Two-step verification is a form of Strong Customer Authentication (SCA). A user must provide two of three different types of factors digitally in order to log in or approve something digitally, such as a payment:
- Something that only this user is – a fingerprint or facial recognition;
- Something only this user knows – such as a secret number or letter code;
- Something only this user possesses – such as a debit card, smartphone, or smartwatch;
Why is 2FA important?
2FA provides an extra layer of protection against certain types of fraud. For banks, payment services, and governments, this strong customer authentication is essential for securely and reliably recognizing customers digitally.
2FA is a legal requirement not only under PSD2 but also under the eIDAS Regulation for digital identification services, for example for the future EUDI Wallet (EU Digital Identity). Strong customer authentication with 2FA is then required when presenting personal data or placing a digital signature with an EUDI Wallet.
2FA in practice
Recognizable examples of two-step security are:
- Paying €100 with a debit card (personal property) and a secret PIN code (personal number code);
- Logging into a mobile banking app with fingerprint or facial recognition (personal characteristic) on a unique personal smartphone (personal property);
- Logging in to the tax authorities' online services with five secret digits (personal numeric code) in the DigiD app on a personal smartphone (personal property);
Exceptions
SCA (with 2FA) is not always mandatory for payments. PSD2 mentions a few exceptions:
- For low amounts: payments up to €50 are usually exempt from SCA, for a limited number of repetitions.
- For recurring payments: SCA is only mandatory for the first payment.
- For payments to a known party: the user can sometimes designate certain beneficiaries whom they trust and for whom SCA is not required.
- For low risk: a payment service provider may disable SCA if it assesses the risk to be low; if something does go wrong, it will also be liable for the damage.
The payment service provider determines whether or not to apply SCA. That service provider remains responsible for compliance with PSD2, not the payer or recipient.
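The exemption rules above form a decision procedure that a payment service provider has to evaluate per payment while tracking state between payments. The routine below is an added illustration and is not the Association's or any provider's code: the €50 ceiling comes from the page, while the five-payment run limit, the state fields and the function names are assumptions made for this example.

```python
from dataclasses import dataclass, field
from typing import Optional

# Constructed parameters for this added example. The page gives only the
# EUR 50 ceiling; the consecutive-payment limit is an assumed placeholder.
LOW_VALUE_LIMIT_EUR = 50.00
ASSUMED_LOW_VALUE_MAX_RUN = 5  # assumption: low-value payments allowed after one SCA


@dataclass
class PayerState:
    """Per-payment-instrument state the provider must keep to apply exemptions."""
    low_value_since_sca: int = 0                          # low-value payments since last SCA
    trusted_payees: set = field(default_factory=set)      # beneficiaries the payer designated
    recurring_started: set = field(default_factory=set)   # recurring series whose first payment had SCA


def authorize(state: PayerState, amount_eur: float, payee: str,
              recurring_ref: Optional[str] = None, psp_low_risk: bool = False) -> str:
    """Decide whether SCA is needed for one payment, update the state, and return
    'SCA' or the exemption that applied: 'recurring', 'trusted', 'low_value' or 'tra'."""
    # Recurring payments: SCA is mandatory for the first payment of a series only.
    if recurring_ref is not None:
        if recurring_ref in state.recurring_started:
            return "recurring"
        state.recurring_started.add(recurring_ref)
        state.low_value_since_sca = 0   # SCA was applied, so the low-value run restarts
        return "SCA"
    # Known party: a beneficiary the payer has explicitly marked as trusted.
    if payee in state.trusted_payees:
        return "trusted"
    # Low amount: exempt only for a limited run of payments since the last SCA.
    if amount_eur <= LOW_VALUE_LIMIT_EUR and state.low_value_since_sca < ASSUMED_LOW_VALUE_MAX_RUN:
        state.low_value_since_sca += 1
        return "low_value"
    # Low risk: the provider may waive SCA, but then it carries the liability for fraud.
    if psp_low_risk:
        return "tra"
    # No exemption: two factors are required, and the low-value run resets.
    state.low_value_since_sca = 0
    return "SCA"
```

Because the low-value counter only resets when SCA actually happens, a run of small payments eventually forces an authentication even though each payment on its own is under the limit.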
The role of the Dutch Payments Association
- We monitor developments relating to PSD2, PSD3, PSR, eIDAS 2.0 and the EUDI Wallet and represent the interests of the Dutch payments sector in Brussels.
- We respond to legislative consultations on behalf of our members and support our members in complying with laws and regulations for identification and authentication.