Question ID:
Legal Act:
Directive 2015/2366/EU (PSD2)
Strong customer authentication and common and secure communication (incl. access)
COM Delegated or Implementing Acts/RTS/ITS/GLs/Recommendations:
Regulation (EU) 2018/389 - RTS on strong customer authentication and secure communication
4 / 1
Disclose name of institution / entity:
Type of submitter:
Credit institution
Subject Matter:
Strong Authentication

Is one time passcode (OTP) Mail considered as a "Strong Customer Authentication" under Regulation (EU) 2018/389 – RTS on strong customer authentication and secure communication?

Background on the question:

Authentication by OTP mail reunites 2 authentication factors :

1. The one-time password received by mail, enrolled by the payer's bank

2. The password to access mails, only known by the payer.

OTP mail is convenient for expatriates that can not have access to the SMS. It aims at replacing authentication by birthday date which is not a valid authentication method regarding the RTS.

Date of submission:
Published as Final Q&A:
EBA Answer:

Article 4 (30) of Directive 2015/2366/EU (PSD2) defines possession as ‘something only the user possesses’.

Paragraph 26 of the EBA Opinion on the elements of strong customer authentication under PSD2 (EBA-Op-2019-06), clarified that approaches relying on mobile apps, web browsers or the exchange of (public and private) keys may also be evidence of possession, provided that they include a device-binding process that ensures a unique connection between the payment service user’s app, browser or key and the device.

This means that apps or web browsers (i) where the email with the OTP is received by the payment service users and (ii) which have a unique connection with the device, could evidence possession and thus be considered as a valid factor in a two-factor strong customer authentication under PSD2 and the Commission Delegated Regulation (EU) 2018/389. This would, however, require the email address where the OTP is sent to, to be accessible only via a registered device.

Finally, it is for the payment service provider to ensure the unique connection between the device and the payment service user’s app or browser.

Final Q&A