Strong Customer Authentication

• Strong Customer Authentication is a multi-factor security framework that requires verification using something the customer knows, possesses, and is to prevent fraud.
• It employs methods such as SE/TEE hardware isolation, OTP, device fingerprinting, and cryptographic mutual authentication to secure transactions.
• Emerging SCA models integrate risk assessment with usability optimizations to balance robust security and seamless user experience in mobile and web payments.

Strong Customer Authentication (SCA) is a security requirement formulated to reduce fraud and enhance the assurance of customer identity in payment systems. It mandates that authentication mechanisms involve multiple independent factors—typically encompassing knowledge, possession, and inherence elements. The domain of SCA spans mobile wallets, online banking, IoT, and emerging multi-agent payment protocols, with notable technical evolution in response to both threat landscapes and usability constraints.

1. Definitions and SCA Factorization

SCA is structured around the principle that robust authentication must incorporate at least two mutually independent factors from the set: something the customer knows (e.g., PIN or password), something they possess (e.g., mobile device, card, token), and something they are (e.g., biometric data such as fingerprint or facial features) (Saha et al., 2014). Compliance frameworks (PSD2 in the EU) strictly codify these compositional requirements, establishing baseline structures for secure electronic payments and remote authentication protocols.

In detailed technical terms, SCA protocols often model the authentication process as the verification of an input feature vector $F$:

$$F = \{f_{\text{knowledge}}, f_{\text{possession}}, f_{\text{inherence}}\}$$

where the authentication score is computed as

$\text{Score} = \sum_{i} w_i \cdot I(f_i)$

with $w_i$ representing factor weights and $I(f_i)$ the indicator function for factor authenticity (Saha et al., 2014).

2. Approaches in Mobile Wallet and Payment Systems

The most widely deployed SCA architectures in mobile proximity and remote wallets are characterized by a combination of hardware- and software-based controls:

• Secure Element (SE) and Trusted Execution Environment (TEE): These provide hardware isolation for credentials, with SE situated in SIM cards or embedded chips, and TEE providing secure execution and input paths. PINs and cryptographic secrets are entered through application-controlled keypads with randomized digit positions to mitigate keyloggers. These mechanisms have strong resistance to malware but are not ubiquitously available across device classes (Saha et al., 2014).
• Context-Based Authentication (CBA) and Device Fingerprinting: This approach leverages a set $F = \{f_1, f_2, ..., f_n\}$ comprising device IDs, location, network data, and behavioral telemetry to conditionally apply multi-factor checks. CBA dominates in the absence of SE/TEE and forms the core of risk-based adaptive authentication, especially in devices with heterogeneous security capabilities (Saha et al., 2014).
• One-Time Passwords (OTP) and Public Key Infrastructure (PKI): Time-based OTPs (TOTP) provide short-duration second factors, computed as $TOTP = HOTP(K, T)$ where $K$ is a shared secret and $T$ is the time step (Saha et al., 2014). Although PKI introduces asymmetric keys and certificates, practical deployments are weakened unless private keys are hardware-protected.
• Tokenization (EMVCo Standard): Payment credentials are replaced by single-use tokens after core SCA checks, limiting the abuse scope of data interception (Saha et al., 2014, Alamleh et al., 2023).

3. Specialized Authentication Schemes

Cryptographic Mutual Authentication

Protocols such as StrongAuth (Sadqi et al., 2014) replace passwords with browser-managed asymmetric key pairs, storing encrypted keys in local credential containers and transmitting only hashed or encrypted information. The user’s secret $P_i$ and device-bound keys constitute distinct SCA factors. Session-level nonces and digital signatures over concatenated session variables ($$Sig_{USK_i}(H(ID_i \parallel UPK_i \parallel RBi \parallel SSi))$$) achieve phishing and replay resistance.

Smart Card-Based Two-Factor Authentication

Schemes for resource-constrained networks implement smart card possession ($EID_u$) and password knowledge ($PW_u$), with identity masking and session keys negotiated via elliptic curve cryptography (ECC) between user and gateway—not on sensors (Nam et al., 2015). This architecture maintains low computation (1E + 1A + 2H for sensors) and formalizes anonymity via security models extended from Bellare-Pointcheval-Rogaway, bounding adversary success through reduction proofs.

Mobile Payment Multi-Factor Authentication (MFA)

Recent mobile payment frameworks allocate separate authentication nodes for factors such as funds ($FT$), biometrics ($BT$), and location ($LT$), each validated and combined into a decision function:

$$FT = \text{Amt} \parallel t \parallel \text{enc}(\text{Amt} \parallel t, PK)$$

$BT = HMAC(B, HMAC(t, BPS))$

$LT = HMAC(L, HMAC(t, LPS))$

This architecture overlays NFC transport and policy-time windowing (Alamleh et al., 2023).

4. Usability and Implementation Challenges

Human factors research in UK banking reveals that while hardware tokens and OTPs enhance security, they incur notable cognitive and physical burdens (Krol et al., 2015). Satisfaction inversely correlates with credential entry count ($\rho = -0.48, p < 0.001$), and excessive authentication steps prompt user attrition and sub-optimal adoption. Recommendations include:

• Reducing redundant authentication steps
• Providing alternative second-factor modalities (e.g., SMS, mobile app tokens, biometric options)
• Standardizing terminology across service providers
• Considering implicit authentication modalities for streamlined workflow

These findings indicate that an SCA protocol’s efficacy relies not only on cryptography but also on the optimization of the credentialing sequence and the minimization of friction.

5. Advanced and Emerging Models

Device-Aware Second Factor Authentication

Device-aware 2FA binds the authentication challenge to the device’s unique fingerprint vector $F_{\text{device}}$, automatically transmitted via browser headers and cookies during a response to a secure URL (Jakobsson, 2020). The match condition

$$\| F_{\text{device}} - F_{\text{registered}} \| < \varepsilon$$

must be satisfied to validate possession, impervious to SIM swapping and social engineering attack vectors targeting traditional code-based 2FA.

Token-Based EnroLLMent for SSO

Architectures such as TULIP employ per-device enroLLMent and JWT tokens that are strictly checked for signature and version ($v_{\text{token}} = v_{\text{backend}}$) prior to login page rendering (Hays et al., 21 Jan 2024). This decouples MFA attacks by preventing the display of authentication prompts unless a device is enrolled, thereby mitigating the risk from credential theft and MFA bombing.

Four-Factor Authentication and Steganography

A layered approach in mobile commerce incorporates login-password, OTP, geolocation, and facial recognition into a Babushka algorithm—textual credential data hidden in encrypted images using HMAC-SHA256 and XTEA. This elevates SCA to four-factor robustness, against sophisticated multisource fraud, aligning and exceeding current PSD2 standards (Jain et al., 2023).

Protocol-Level SCA in Multi-Agent Systems

Advances in multi-agent architectures (e.g., Google A2A enhancements (Louck et al., 18 May 2025)) enforce SCA before sensitive data transfer via mandatory MFA, ephemeral tokens scoped to single transactions, and direct user-to-service channels. Models quantify leakage probability as $P_L = 1 - (1 - p_s)^n$ for $n$ adversarial attempts, with $p_s=0$ (perfect SCA) eliminating leakage. Empirical validation documents zero leakage under adversarial prompt injection, compared to 60–100% in the baseline model.

6. Security Analysis and Future Directions

SCA protocol design is increasingly constrained not only by cryptographic primitives but by formal modeling and real-world deployment feedback:

• Security is modeled via reductionist proofs, oracles (e.g., TestUA, TestAKE), and communication complexity evaluation, with empirical performance measured in computation (ms per operation) and communication (bits per message) (Nam et al., 2015, Patel, 2022).
• Recent work integrates decentralized identity (DID), blockchain, and physical unclonable functions (PUF) for order unlinkability and robot verification, with formal guarantees validated using the Tamarin Prover (Patel, 2022).
• Future trajectories anticipate expanded device fingerprinting, mandatory use of TEE, convergence of risk-based scoring algorithms with context-aware multi-factor authentication, and broader application of direct consent orchestration for privacy preservation.

7. Summary Table: Key SCA Techniques in Mobile and Web Contexts

Approach	Factors Utilized	Distinctive Features
SE/TEE Hardware Isolation (Saha et al., 2014)	Knowledge + Possession	Malware resistance, hardware security
CBA & Device Fingerprinting (Saha et al., 2014)	Contextual (Possession)	Adaptive/risk-based checks
Mutual Crypto Authentication (Sadqi et al., 2014)	Knowledge + Possession	Browser-side key management, nonces
OTP/PKI (Saha et al., 2014)	Knowledge + Possession	Time-limited factors, hardware PKI
Device-Aware 2FA (Jakobsson, 2020)	Possession	Device fingerprint matching
Smartcard ECC (Nam et al., 2015)	Knowledge + Possession	Anonymity, lightweight sensor load
Babushka Four-Factor (Jain et al., 2023)	All three + Geolocation	Data steganography, layered security
TULIP SSO EnroLLMent (Hays et al., 21 Jan 2024)	Possession + Knowledge	Gated login, JWT device tokens
SCA in Multi-Agent Protocols (Louck et al., 18 May 2025)	All mandated factors	Explicit consent, direct data flows

These implementations exemplify the technical diversity of SCA and its integration in modern payment, authentication, and access control systems.

---

Strong Customer Authentication thus represents an evolving paradigm that lies at the intersection of cryptography, usability engineering, risk modeling, and regulatory compliance. Leading-edge research continues to refine SCA mechanisms to address the fluid threat landscape, balance hardware limitations with deployment breadth, and minimize the cost to genuine users while maximizing resistance to increasingly sophisticated attacks.