Strong Customer Authentication (SCA)

PSD2 compliant Strong Customer Authentication (SCA) for e-money and e-money tokens

As a licensed Institution, we are legally required to enforce SCA on e-money (EUR) and e-money token (USDC) transactions. Further, with the API model, in order to keep your application out of CASP licensing scope in the EEA, 2FA confirmation from the end user for transactional activity (namely trades, inter/intra and withdrawals of crypto assets) is required.

We implement SCA with three factors - SMS, TOTP (authenticator app), and passkey (WebAuthn) - and two carve-outs that lower the operational cost without breaking PSD2 conformance: a 180-day session that covers reads and a Trusted Beneficiary mark that lets recurring payouts skip the per-debit Dynamic Linking ceremony.

Login management

πŸ“˜

To keep the burden of SCA as minimal as possible without breaking existing user experiences, Striga (LSPEU) will outsource the management of user login/logout & session management to your application. This will be a stringent part of the go-live review to ensure that your application is managing user sessions appropriately. This way, a single SCA session will introduce the most minimal set of changes to your UX, i.e. either authenticating with TOTP/SMS/Passkey effectively twice a year (i.e. every 180 days) keeps your UX simple without the requirement of Striga (LSPEU) having to manage password/login sessions.

What SCA covers

OperationGated?Notes
EUR / USDC debit (SEPA, swap, onchain, intra-ledger)YesPer-operation challenge with Dynamic Linking.
BTC / ETH / Lightning onchain debitPartiallyChallenge required; Dynamic Linking does not apply (currency not classified as FIAT/EMT).
Reading an EUR / USDC account balanceYesRequires an active 180-day session; no per-call challenge.
Reading account history older than 90 daysYesFresh SCA event required (sub-window of the 180-day session).
Standing order setup or cancelYesSCA at setup; no per-execution challenge.
Trust / untrust a beneficiaryYesPer-operation challenge; choice of any allowed factor.
LoginYesUnified across factors via /user/login/start + /user/login/complete.
Reading a non-EUR/USDC account, KYC, profile updatesNoNo SCA gate.

Per Workflow Mapping

This table is the authoritative compliance reference for which authentication tier and which second factor is required for every account action on the Striga (LSP EU) platform.

Legend

Symbol / termMeaning
SCAStrong Customer Authentication. PSD2-compliant two-factor authentication with all the structural requirements (independence, dynamic linking where applicable). Required for EUR/USDC ("payment account") operations.
2FATwo-factor authentication. Lighter contract - no PSD2 dynamic-linking, no 180-day session model. Applies to non-payment-account operations (other crypto-assets).
2Γ—SCATwo independent SCA ceremonies, using two different second factors where possible. If only SMS OTP is enrolled, two separate SMS OTPs are acceptable.
βœ“Second factor is permitted for this action.
βœ—Second factor is not permitted for this action (typically because it cannot carry the Dynamic Linking payload).
β€”Not applicable. Either the action is out of scope for SCA (other crypto-assets) or the field doesn't apply.
Dynamic linkingPSD2 Art. 97(2) requirement that the authentication code is cryptographically bound to the transaction amount and payee. Only SMS OTP and Passkey can carry this binding; TOTP cannot, which is why it is βœ— on dynamic-linked operations.

Mapping

Account management

ActionGateSMS OTPTOTPPasskeyDynamic linkingNotes
Access EUR or USDC accountSCAβœ“βœ“βœ“No180-day SCA exemption after the first/previous SCA event, limited to viewing the last 90 days of transaction history. Viewing history beyond 90 days requires a fresh SCA event.
Create new EUR or USDC accountSCAβœ“βœ“βœ“No
Access other crypto-asset accountβ€”β€”β€”β€”β€”Not subject to SCA. Partner password is the minimum standard.
Create new crypto-asset accountβ€”β€”β€”β€”β€”Not subject to SCA.

Trusted Beneficiary list

ActionGateSMS OTPTOTPPasskeyDynamic linking
Whitelist (trust) EUR or USDC beneficiarySCAβœ“βœ“βœ“No
De-whitelist (untrust) EUR or USDC beneficiarySCAβœ“βœ“βœ“No

Send

ActionGateSMS OTPTOTPPasskeyDynamic linkingNotes
Send EUR or USDC - beneficiary not whitelistedSCAβœ“βœ—βœ“YesSMS OTP by default. Passkey requires a separate agreement with LSP EU. TOTP cannot be used (no Dynamic Linking payload).
Send EUR or USDC - beneficiary whitelisted2FAβœ“βœ“βœ“β€”2FA may be removed in the future once active-session monitoring is in place.
Send other crypto-asset2FAβœ“βœ“βœ“β€”

Convert

ActionGateSMS OTPTOTPPasskeyDynamic linkingNotes
Convert from EUR or USDCSCAβœ“βœ—βœ“YesSMS OTP by default. Passkey requires a separate agreement with LSP EU. TOTP cannot be used. (see below)
Convert from other crypto-asset2FAβœ“βœ“βœ“β€”2FA may be removed in the future once active-session monitoring is in place.

Set up standing order to convert

ActionGateSMS OTPTOTPPasskeyDynamic linkingNotes
Convert from EUR or USDCSCAβœ“βœ“βœ“NoEnvelope SCA at setup; no per-execution challenge. TOTP is permitted here because the standing-order setup carries no per-debit amount/payee to dynamically link.
Convert from other crypto-asset2FAβœ“βœ“βœ“β€”

Set up standing order to convert and pay out

ActionGateSMS OTPTOTPPasskeyDynamic linkingNotes
Convert EUR/USDC and pay out to other crypto-assetSCAβœ“βœ“βœ“No
Convert EUR/USDC and pay out to USDC or EUR -beneficiary not whitelisted2Γ—SCAβœ“βœ“βœ“NoTwo independent SCAs required. One authorises whitelisting the beneficiary; the other authorises the rest of the instruction. Two different second factors must be used where possible; otherwise two separate SMS OTPs.
Convert EUR/USDC and pay out to USDC or EUR -beneficiary whitelistedSCAβœ“βœ“βœ“NoTrusted Beneficiary carve-out: a single SCA at setup is sufficient.
Convert from other crypto-asset and pay out to other crypto-asset2FAβœ“βœ“βœ“β€”
Convert from other crypto-asset and pay out to USDC or EUR - beneficiary not whitelisted2Γ—SCAβœ“βœ“βœ“NoSame rule as above: one SCA to whitelist, one SCA for the rest. Different factors preferred; two separate SMS OTPs accepted.
Convert from other crypto-asset and pay out to USDC or EUR - beneficiary whitelistedSCAβœ“βœ“βœ“No
πŸ“˜

Why TOTP is βœ— on per-transaction EUR/USDC sends and converts

PSD2 Article 97(2) requires the authentication code to be dynamically linked to the amount and the payee. The code displayed by an authenticator app is computed only from a clock and a shared secret - it has no input from the transaction parameters and therefore cannot satisfy this binding. SMS OTP and passkey-issued challenges can whereas TOTP cannot. The implementation enforces this with a server-side reject (INVALID_FACTOR_FOR_REGULATED_DEBIT) and the /wallets/send/initiate/* endpoints surface the rejection at request time.

The same legal text grants exemptions for trusted beneficiaries (the "Row 7" carve-out) and for standing orders that have no per-execution amount/payee to link. In both cases TOTP becomes permissible, which is why the matrix lights it up on those rows.


SCA Workflow

WebAuthn Configuration Prerequisites

Before implementing the Passkey (WebAuthn) flow, you must configure the required verification form in the Striga Portal.

Navigate to:

Settings β†’ WebAuthn β†’ Questionnaires

Create a verification form that will be used during the passkey reset process.

Important: The passkey reset flow requires a verification form to be configured before users can complete the reset process successfully.

Example Configuration

WebAuthn Questionnaire Configuration