Is a 3 decimal-digit authentication code, which (1) is unique per each transaction and (2) complies with the other security requirements set out in Article 4 RTS, compliant with the RTS?

The RTS do not specify which length and entropy requirements apply to authentication codes resulting from the use of the authentication factors. The RTS entropy and key length requirements apply only to the authentication factors (Recital 6 RTS). There is no equivalent express requirement for authentication codes.

We believe that a 3 decimal-digit authentication code that (1) is unique for each transaction and (2) complies with the other security requirements set out in Article 4 RTS is sufficiently secure.

Article 4(2) of the Commission Delegated Regulation (EU) 2018/389 states that no information on any of the two elements necessary for strong customer authentication can be derived from the disclosure of the authentication code; that no new authentication code should be generated based on the knowledge of any other authentication code previously generated and that such code cannot be forged. Article 4(3) and 4(4) of the Delegated Regulation provides further requirements on authentication codes. Recital 4 of the Delegated Regulation states that “authentication codes should be based on solutions such as generating and validating one-time passwords, digital signatures or other cryptographically underpinned validity assertions using keys or cryptographic material stored in the authentication elements, as long as the security requirements are fulfilled”. The Delegated Regulation does not specify the length for the authentication code. Accordingly, a three decimal-digit authentication code could be valid, providing that it complies with the requirements under the Delegated Regulation and in particular, that it is resistant against the risk of being forged in its entirety or by disclosure of any of the elements from which the code was generated.