Skip to main content
Skip table of contents

Supported Authentication Methods

General information

XS2A interface offers embedded and decoupled SCA approaches with a selection of SCA methods as mechanisms of payments and consent authorisation.

Within the embedded approach, the communication between PSU and ASPSP is done through XS2A and TPP interfaces where

  • ASPSP validates PSU credentials and the 2nd factor;

  • XS2A provides TPP with authorisation instructions and error information;

  • TPP provides PSU with authorisation instructions and error information.

The step when PSU receives the 2nd factor from ASPSP is handled directly between PSU and ASPSP - outside the embedded SCA flow.

Within the decoupled approach, the communication between PSU and ASPSP is done through XS2A and TPP interfaces where

  • ASPSP validates PSU credentials and the 2nd factor;

  • XS2A provides TPP with authorisation instructions and error information;

  • TPP provides PSU with authorisation instructions and error information.

The steps when PSU receives the 2nd factor from ASPSP and provides it back to ASPSP for validation are handled directly between PSU and ASPSP - outside the decoupled SCA flow.

Flow diagrams

The diagrams below give a high-level overview of the embedded SCA message flow during payments and consent authorisation.

Consent creation and authorisation

More details about consent authorisation are available at Creation and Authorisation of an AIS Consent in Steps

Payment initiation and authorisation

More details about payment authorisation are available at Initiation and Authorisation of a Payment in Steps

Supported SCA methods

Currently, supported SCA methods

  • CHIP_OTP - triggers embedded SCA

  • SMS_OTP - triggers embedded SCA

  • PUSH_OTP - triggers decoupled SCA

More information about SCA methods can be found in Sandbox Test Accounts and Test Data

 Format for ChipTAN

If a Bank supports ChipTAN, a possible flicker image is provided in the fields image or imageLink.
For manual data entry, the Bank can return a structure in the data field.

As a rule, the information about the manual flicker is Base64-encoded and should correspond to the following structure:

JSON 
{
  "startCode": "12233",
  "infoMessage": "Payment 100 € and account DE12345",
  "manualMessage": "Please press F and enter the start code",
  "flicker": "77819192836"
}

However, this is only a recommendation to the bank. Therefore, please check the Bank's PSD2 information page to see whether further or different information has been documented there.

JavaScript errors detected

Please note, these errors can depend on your browser setup.

If this problem persists, please contact our support.

Contact Support Close