How PSD3 will impact multi-factor authentication in banking apps

The way your customers authenticate payments is about to change. PSD3, which is expected to be finalised in 2025 and likely come into force early 2026 with implementation expected in 2027, will reshape how European banks approach multi-factor authentication in their banking apps.

What is the difference between PSD2 and PSD3 in terms of authentication?

Unlike PSD2, which primarily focused on preventing fraud, PSD3 takes a more comprehensive approach. It addresses user accessibility, expands rules around liability and gives banks more flexibility in how they authenticate customers.

But this flexibility brings new challenges. For example, your bank will need to support customers who can’t use smartphones, take on greater liability for fraud losses and implement authentication methods that work for everyone.

In this article, we’ll look at how these changes will affect your bank, what new opportunities they create and how to prepare.

Key points:

  • PSD3 will allow banks to use more flexible authentication methods but also require that customers without smartphones are supported
  • Banks will become liable for more types of fraud, including when customers are tricked into authorising payments, making strong authentication crucial for protecting your revenue
  • G+D Netcetera will help DACH banks implement PSD3-compliant authentication solutions that balance security, accessibility and customer experience


What are PSD3’s multi-factor authentication (MFA) requirements?

PSD3 introduces several important changes to how your bank will need to handle customer authentication. The biggest change will be allowing two authentication factors from the same category.

  • PSD2 requires two authentication types from different categories
  • PSD3 will allow two authentication types from the same category

These are the categories of MFA:

  • Knowledge: Something only the user knows (password, PIN, security question)
  • Possession: Something only the user has (smart device, card reader, hardware token)
  • Inherence: Something the user is (biometrics: fingerprint, face recognition, voice recognition)

With PSD2, you could combine a password (knowledge) with a fingerprint scan (inherence). But with PSD3, you could use two knowledge factors like a password and a PIN, or two biometric methods like fingerprint and face recognition.

Accessibility support

PSD3 also requires banks to provide comprehensive accessibility support. This means authentication methods will need to work for customers with cognitive, visual or motor impairments. So banks will need to make sure that both the design of their banking apps and the authentication methods they offer are accessible to everyone.

Fraud regulations

The new rules also expand what counts as fraud. With PSD3, banks will be liable for social engineering attacks and authorised push payment (APP) fraud where they should have identified suspicious activity. Given that APP fraud losses in the DACH region reached €12.44 billion in 2023, the shift in liability could have a major impact on your bottom line.

How will PSD3 impact MFA in banking apps?

When PSD3 is introduced, the login process within your banking app will need to be more flexible, accessible and inclusive. Instead of just relying on smartphone-based authentication methods, your app will have to detect the user’s specific device capabilities and offer suitable, accessible alternatives.

Accessibility and alternative login methods

For people using older phones or assistive technology (e.g. screen readers or voice assistants), your app might need to provide options like voice-based authentication or simplified, high-contrast visual interfaces. And for those without smartphones at all, you’ll need to think about other ways they can log in, like through phone calls (interactive voice response or human operator) or secure codes sent by SMS.
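The factor-category rules above (two different categories under PSD2, two factors from the same category allowed under PSD3) and the device-capability fallback just described can be modelled as one small policy check. The following is an added example written for this article, not code from the original page or from G+D Netcetera: the method catalogue, the capability tags a method "requires", and the preference ranking are constructed assumptions, and the `select_factors` routine simply walks the usable methods in rank order and returns the first pair that is compliant for the chosen regime.

```python
from dataclasses import dataclass
from enum import Enum
from itertools import combinations
from typing import List, Optional, Set, Tuple


class Category(Enum):
    KNOWLEDGE = "knowledge"    # something only the user knows
    POSSESSION = "possession"  # something only the user has
    INHERENCE = "inherence"    # something the user is


@dataclass(frozen=True)
class Factor:
    name: str
    category: Category
    # Device or channel capabilities the method depends on. These tags are
    # constructed for this example; a real bank would derive them from its own
    # channel inventory.
    requires: frozenset
    # Lower rank = offered first. The ordering is an assumption of this example:
    # device-bound, phishing-resistant methods first, SMS and voice calls last.
    rank: int


# Constructed catalogue of methods a bank might support, including the
# non-smartphone channels (SMS codes, IVR call) the article mentions.
CATALOGUE: List[Factor] = [
    Factor("passkey", Category.POSSESSION, frozenset({"smartphone", "biometric_sensor"}), 0),
    Factor("fingerprint", Category.INHERENCE, frozenset({"smartphone", "biometric_sensor"}), 1),
    Factor("face_recognition", Category.INHERENCE, frozenset({"smartphone", "camera"}), 1),
    Factor("app_push", Category.POSSESSION, frozenset({"smartphone"}), 2),
    Factor("hardware_token", Category.POSSESSION, frozenset({"hardware_token"}), 2),
    Factor("voice_recognition", Category.INHERENCE, frozenset({"microphone"}), 3),
    Factor("password", Category.KNOWLEDGE, frozenset(), 4),
    Factor("pin", Category.KNOWLEDGE, frozenset(), 4),
    Factor("sms_otp", Category.POSSESSION, frozenset({"mobile_phone"}), 5),
    Factor("ivr_call", Category.POSSESSION, frozenset({"phone_line"}), 6),
]
BY_NAME = {f.name: f for f in CATALOGUE}


def is_compliant(factors, regime: str) -> bool:
    """Does this set of factors satisfy the SCA rule of the given regime?

    "psd2": at least two factors from *different* categories.
    "psd3": at least two distinct factors; the same category may appear twice
            (e.g. password + PIN), as the article describes.
    """
    names = [f.name for f in factors]
    if len(names) < 2 or len(set(names)) != len(names):
        return False  # presenting the same factor twice is never two factors
    categories = {f.category for f in factors}
    if regime == "psd2":
        return len(categories) >= 2
    if regime == "psd3":
        return True
    raise ValueError(f"unknown regime: {regime}")


def usable_factors(capabilities: Set[str]) -> List[Factor]:
    """Methods the customer can actually use with their device/channel profile, best rank first."""
    return sorted((f for f in CATALOGUE if f.requires <= capabilities), key=lambda f: f.rank)


def select_factors(capabilities: Set[str], regime: str) -> Optional[Tuple[str, str]]:
    """Return the first compliant pair in rank order, or None if the customer
    cannot be authenticated compliantly with the methods they can use."""
    for pair in combinations(usable_factors(capabilities), 2):
        if is_compliant(pair, regime):
            return pair[0].name, pair[1].name
    return None


if __name__ == "__main__":
    profiles = {
        "modern smartphone": {"smartphone", "biometric_sensor", "camera", "mobile_phone", "microphone"},
        "landline only": {"phone_line"},
        "no device at all": set(),
    }
    for label, caps in profiles.items():
        for regime in ("psd2", "psd3"):
            print(f"{label:18} {regime}: {select_factors(caps, regime)}")
```

The "no device at all" profile is the case that changes between regimes: with only password and PIN available, PSD2 yields no compliant pair, while PSD3 accepts the two knowledge factors. Whether a bank *should* offer that pair is a risk decision on top of the rule, which is why the ranking is kept separate from the compliance check.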

Technical challenges for banks

This may create some new technical challenges. For example, your backend systems will need to manage all these different login methods while keeping everything secure. And you’ll have to work with new digital identity frameworks like eIDAS2, which will further standardise and potentially streamline authentication across the EU.

What is the PSD3 compliance deadline?

Once PSD3 is finalised, you’ll have 18 months to implement the changes. With the regulation expected to be finalised in 2025, the deadline to comply with the new directive will likely fall in late 2027. The exact timings will depend on each country’s legislative process (some may move faster or slower), so it’s important to keep an eye on local transposition deadlines.

Starting your bank’s preparation now will help you avoid the last-minute scrambles that plagued many banks during PSD2 implementation.

How could improving MFA benefit your bank?

Across Europe, around 26% of Strong Customer Authentication (SCA) attempts fail. Mobile apps perform even worse - just 37% of authentication challenges succeed, compared to 78% for browser-based transactions.

Fewer authentication failures mean higher revenue

These failure rates could directly impact your bank’s revenue. When customers can’t complete transactions, what do they do? They don’t just abandon that particular purchase, but they often switch to competitors with a more reliable authentication process.

Improved customer experience

Because PSD3 has expanded the ways customers can authenticate themselves, this should lead to a better customer experience. Out-of-Band (OOB) authentication (where authentication is carried out through a separate channel or device) removes the risks associated with passwords while providing the robust two-factor security that regulations require. And there's a clear business benefit: banks that use these methods report reduced support calls and higher customer satisfaction scores.


Forward-thinking banks will see adapting to PSD3 as an opportunity, investing in better authentication systems. With your bank now responsible for more types of fraud, the cost of not implementing proper authentication could surpass the cost of implementing new solutions.

Those who get this right could gain a valuable competitive advantage while others struggle to meet compliance and fraud requirements.

How can you overcome the implementation challenges?

The biggest tech hurdle most banks will face is making sure the authentication process works for every customer. With PSD2, it was possible to primarily focus on smartphone-based solutions for most users. But with PSD3’s new accessibility rules, you can’t simply rely on customers having a smartphone - in Austria just 46% of people over 65 own a smartphone.

The good news is that several modern authentication methods offer ways to tackle this. For example, voice recognition can be a great help for customers with visual impairments, and simplified interfaces can support people who aren’t very confident using digital technology. The solution is to provide a range of authentication options that all meet PSD3’s security standards so that the user can choose the methods that work best for their abilities and circumstances.

Passkeys as a future-proof authentication solution

One promising option is passkeys, which use the FIDO2/WebAuthn standards to provide phishing-resistant authentication. Passkeys are unlocked locally with the platform’s biometrics, such as Apple’s Face ID and Touch ID or Android’s biometric authentication. Unlike traditional passwords, passkeys create a unique cryptographic key pair for each service and can sync across devices through Apple’s iCloud Keychain or Google Password Manager. They offer strong protection against phishing and work across many different devices and platforms. Neobanks like Revolut have already started using passkeys successfully, showing that it’s possible to have both robust security and a smooth user experience.
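Where the phishing resistance of passkeys actually comes from is the server-side check of what the authenticator signed. Below is an added example, not code from the article or from G+D Netcetera, of the structural checks a relying party performs on a WebAuthn assertion before verifying the signature: the `clientDataJSON` carries the origin the browser was on and the challenge the bank issued, and the `authenticatorData` carries the hash of the relying-party ID, so an assertion collected on a look-alike domain fails even if the user was fully tricked. The sample assertion is constructed inline (no real browser or authenticator involved), the bank’s origin and relying-party ID are placeholders, and the final signature verification over `authenticatorData || SHA-256(clientDataJSON)` with the stored public key is left to a cryptography library and is not implemented here.

```python
import base64
import hashlib
import hmac
import json
import struct
from typing import Set, Tuple

FLAG_UP = 0x01  # authenticatorData flag: user present
FLAG_UV = 0x04  # authenticatorData flag: user verified (e.g. platform biometric)


def b64url(data: bytes) -> str:
    """Base64url without padding, as WebAuthn encodes the challenge."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def make_client_data(challenge: bytes, origin: str) -> bytes:
    """Constructed stand-in for the clientDataJSON a browser serialises."""
    return json.dumps({"type": "webauthn.get", "challenge": b64url(challenge),
                       "origin": origin}).encode()


def make_authenticator_data(rp_id: str, flags: int, sign_count: int) -> bytes:
    """Constructed stand-in for authenticatorData: rpIdHash || flags || signCount."""
    return hashlib.sha256(rp_id.encode()).digest() + bytes([flags]) + struct.pack(">I", sign_count)


def signed_payload(auth_data: bytes, client_data_json: bytes) -> bytes:
    """The bytes the authenticator's signature must verify over."""
    return auth_data + hashlib.sha256(client_data_json).digest()


def check_assertion(client_data_json: bytes, auth_data: bytes, expected_challenge: bytes,
                    rp_id: str, allowed_origins: Set[str], stored_sign_count: int,
                    require_uv: bool = True) -> Tuple[bool, str]:
    """Relying-party checks that precede signature verification.

    Returns (ok, reason). Only if ok is True should the caller go on to verify
    the signature over signed_payload() with the credential's stored public key.
    """
    try:
        client_data = json.loads(client_data_json)
    except ValueError:
        return False, "clientDataJSON is not valid JSON"
    if client_data.get("type") != "webauthn.get":
        return False, "unexpected ceremony type"
    # The challenge binds the assertion to this login attempt (replay protection).
    if not hmac.compare_digest(str(client_data.get("challenge", "")), b64url(expected_challenge)):
        return False, "challenge mismatch"
    # The origin is what the browser observed; a look-alike domain fails here.
    if client_data.get("origin") not in allowed_origins:
        return False, "origin not allowed"
    if len(auth_data) < 37:
        return False, "authenticatorData too short"
    rp_id_hash, flags = auth_data[:32], auth_data[32]
    sign_count = struct.unpack(">I", auth_data[33:37])[0]
    # The authenticator only signs for the rpId the browser asked for.
    if not hmac.compare_digest(rp_id_hash, hashlib.sha256(rp_id.encode()).digest()):
        return False, "rpIdHash mismatch"
    if not flags & FLAG_UP:
        return False, "user presence flag not set"
    if require_uv and not flags & FLAG_UV:
        return False, "user verification flag not set"
    # A counter that fails to increase suggests a cloned credential.
    if (sign_count or stored_sign_count) and sign_count <= stored_sign_count:
        return False, "signature counter did not increase"
    return True, "ok"


if __name__ == "__main__":
    challenge = bytes(range(32))  # constructed; a real server uses a random value per login
    auth = make_authenticator_data("bank.example", FLAG_UP | FLAG_UV, 11)
    for origin in ("https://bank.example", "https://bank-example.evil"):
        client = make_client_data(challenge, origin)
        print(origin, check_assertion(client, auth, challenge, "bank.example",
                                      {"https://bank.example"}, stored_sign_count=10))
```

Note that `rp_id` and the allowed origins must be the bank’s own values, and the expected challenge must be the one stored for this session: a server that accepts any origin or skips the challenge comparison loses the phishing resistance the standard is designed to give.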

Integration of modern solutions in legacy systems

When it comes to integrating new authentication methods with your current systems, you’ll need to plan carefully. Many banks run on older technology and need to update their systems gradually. Third-party solutions like G+D Netcetera’s Digital Identity solution are built to accommodate existing infrastructure constraints while still providing modern security features. So if your bank has legacy systems, you can still meet PSD3 requirements without having to overhaul your entire tech setup.


Want to learn how G+D Netcetera can help your bank implement PSD3-compliant authentication solutions? Get in touch with our experts.
