Question ID:
Legal Act:
Directive 2015/2366/EU (PSD2)
Strong customer authentication and common and secure communication (incl. access)
COM Delegated or Implementing Acts/RTS/ITS/GLs/Recommendations:
Regulation (EU) 2018/389 - RTS on strong customer authentication and secure communication
Disclose name of institution / entity:
Type of submitter:
Subject Matter:
Length of authentication codes

Is a 3 decimal-digit authentication code, which (1) is unique per each transaction and (2) complies with the other security requirements set out in Article 4 RTS, compliant with the RTS?

Background on the question:

The RTS do not specify which length and entropy requirements apply to authentication codes resulting from the use of the authentication factors. The RTS entropy and key length requirements apply only to the authentication factors (Recital 6 RTS). There is no equivalent express requirement for authentication codes.

We believe that a 3 decimal-digit authentication code that (1) is unique for each transaction and (2) complies with the other security requirements set out in Article 4 RTS is sufficiently secure.

Date of submission:
Published as Final Q&A:
EBA Answer:

Article 4(2) of the Commission Delegated Regulation (EU) 2018/389 states that no information on any of the two elements necessary for strong customer authentication can be derived from the disclosure of the authentication code; that no new authentication code should be generated based on the knowledge of any other authentication code previously generated and that such code cannot be forged. Article 4(3) and 4(4) of the Delegated Regulation provides further requirements on authentication codes. Recital 4 of the Delegated Regulation states that “authentication codes should be based on solutions such as generating and validating one-time passwords, digital signatures or other cryptographically underpinned validity assertions using keys or cryptographic material stored in the authentication elements, as long as the security requirements are fulfilled”. The Delegated Regulation does not specify the length for the authentication code. Accordingly, a three decimal-digit authentication code could be valid, providing that it complies with the requirements under the Delegated Regulation and in particular, that it is resistant against the risk of being forged in its entirety or by disclosure of any of the elements from which the code was generated.

Further, given that ‘the authentication code shall be only accepted once’ as stated in Article 4(1) phrase 2 of the Delegated Regulation meaning a 3-decimal digit authentication code would only give 1000 combinations, and since Article 4(3)(b) of the Delegated Regulation specifies the maximum of 5 failed authentication attempts, there is a higher probability of guessing the value of the authentication code.
Final Q&A