Skip to main content
What is Strong Customer Authentication (SCA)?

Security, SCA

Updated over a week ago

At Qonto, guaranteeing the security of your accounts is our priority.
Therefore, it is mandatory to activate strong authentication (SCA - Strong Customer Authentication), according to the provisions of the second European Payment Services Directive (PSD2) entered into force in September 2019.

How does Strong Customer Authentication work?

SCA (Strong Customer Authentication) involves the use of two authentication factors from three possible categories:

  • Information known only to the user (such as a password)

  • A device or object they own (such as a smartphone or card)

  • A characteristic of its own (such as a fingerprint or facial scan)

⚠️ Important:

  • SCA notifications are only intended to validate transactions.You cannot “cancel” a transaction via SCA. If someone asks you to “cancel” a transaction by validating a notification on your phone associated with your Qonto account, you're probably the target of a fraud attempt.

  • Qonto will never ask you to validate or “cancel” fraudulent transactions to third-party accounts, change your password with a temporary password, add a device and/or new members/administrators.

Strong authentication aims to prevent fraud, to protect your Qonto account when performing most sensitive actions. For example, adding new beneficiaries, members or administrators, pairing new devices, or validating transfers, are actions subject to strong authentication.

In practical terms, SCA involves associating a smartphone with your account. Every sensitive operation you or your teams carry out must be validated by approving a notification in the Qonto app. With just one click, you can confirm the legitimacy of the transaction and guarantee the security of your account.

💡 Good to know: strong authentication lets you associate a single device per profile and is available on phones using iOS, Android or HarmonyOs (Huawei/Honor).

Strong Customer Authentication and fraud

Strong authentication ensures that you are the person to validate all sensitive transactions on your account. On the other hand, remain vigilant: never approve a transaction for which you are not the originator.

Fraudsters could trick you into validating fraudulent transactions, such as money transfers. If they try to take control of your Qonto account, they could get you to approve a new administrator, change your password, and/or authorize a new device.

It is imperative to carefully check each operation to approve only legitimate ones, thus avoiding any fraud or unauthorized access.

👉 Read our articles on the most common fraud techniques and best practices to protect yourself against scams:

Why strong authentication rather than another two-step validation system?

Previously, Qonto offered two-factor authentication (2FA - Two-Factor Authentification). This was a two-step validation, for which the Qonto user received a code by SMS to be entered to validate the operation.

Two-factor authentication today does not offer an adequate level of protection, as it has significant security flaws (see box), so it has been replaced by SCA.

⚠️ To get around the two-step validation, fraudsters can impersonate their victim to his or her telephone operator in order to retrieve the line's SIM card. This technique, known as SIM swapping, enables them to receive all the security codes linked to their victim's account directly on their own phone.

Did this answer your question?