Strong Customer Authentication (SCA) is a regulatory foundation for secure access and transactions in digital finance. It’s been a requirement in the European Union since PSD2 came into force, and it applies to a wide range of user actions such as login, initiating payments, viewing sensitive data, managing trusted beneficiaries, and more. For most institutions, complying with SCA today means maintaining a patchwork of tools: SMS OTPs, mobile apps, push notifications, and biometric prompts. While functional, these systems are inconsistent across countries, expensive to maintain, and increasingly frustrating for users.
The rollout of the European Digital Identity Wallet (EUDI Wallet), set out under eIDAS 2.0, presents a new approach. One that is not only compliant with current regulations, but also simpler, more secure, and interoperable across the EU. Under Article 5f of eIDAS 2.0, private sector relying parties (including banks and other financial institutions) will be required to support EUDI Wallet based authentication no later than 36 months after the relevant implementing acts are passed. If a user opts to use their EUDI Wallet, regulated entities will have to accept it as a valid method for strong authentication.
Beyond regulatory pressure, the wallet offers a clear technical advantage. By issuing verifiable credentials directly to a user’s device and binding them to secure cryptographic keys, banks can use a single method to satisfy multiple SCA use cases, reducing cost, complexity, and risk. Rather than supporting and updating a long list of national apps and device-specific methods, institutions can tap into a harmonised, standards-based wallet architecture that is already being piloted and stress-tested across Europe.
Today’s SCA implementations often cause friction, especially in cross-border transactions or when a user switches devices. SMS OTPs are vulnerable to SIM-swap attacks. Push-based authentication sometimes fails to reach the user in time. App-based flows often require app switching or multiple screens. These problems create drop-off, failed logins, and customer support load. They’re also one of the main reasons for abandonment during online checkout. For users, the process often feels inconsistent and opaque. For banks, it’s expensive to maintain and vulnerable to attack.
The EUDI Wallet improves this with a much tighter, clearer flow. A key use case where this stands out is payment authorisation. Under the EUDI Wallet model, the user stores a verifiable credential (called a payment attestation) on their device. This credential is issued by the financial institution and cryptographically bound to the device through a private key. When the user initiates a payment, the bank sends a request containing the transaction data, including the amount, the recipient, and a one-time nonce. The wallet displays these details clearly to the user, who then approves the payment by signing the data with their device-bound key. The bank receives the signed package, verifies the signature against the key bound at issuance, checks that the signed amount and recipient match what it sent, and confirms the transaction.
This method satisfies all requirements for SCA, including dynamic linking. The signed data contains the exact payment amount and recipient. If these are altered in any way, the signature becomes invalid. That’s an immediate improvement over legacy flows, where details are often displayed in a separate channel or obscured by technical formatting. More importantly, the user has a single interface, their wallet, for managing authentication across multiple financial providers.
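The payment-authorisation flow and the dynamic-linking check described above, reduced to its verifier logic as an added example (not code from the EUDI Wallet specifications or from Vidos). It assumes a constructed `PaymentRequest` layout, an Ed25519 key standing in for the wallet’s hardware-backed device key, and a JSON encoding as the canonical bytes to sign; real deployments use the OpenID4VC presentation formats the page mentions.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/json"
	"fmt"
)

// PaymentRequest is the data the bank asks the wallet to sign (constructed field names).
type PaymentRequest struct{ Amount, Currency, Payee, Nonce string }
// canonical is the byte string both sides sign and verify; JSON keeps field order stable.
func canonical(p PaymentRequest) []byte {
	b, _ := json.Marshal(p)
	return b
}

// WalletSign is the wallet side: after the user approves the displayed details, the device-bound key signs them.
func WalletSign(priv ed25519.PrivateKey, p PaymentRequest) []byte {
	return ed25519.Sign(priv, canonical(p))
}

// Bank holds the public key bound at credential issuance and the nonces it has issued but not yet consumed.
type Bank struct{ WalletKey ed25519.PublicKey; Pending map[string]PaymentRequest }

// NewRequest mints a one-time nonce and records exactly what was sent to the wallet.
func (b *Bank) NewRequest(amount, currency, payee string) PaymentRequest {
	n := make([]byte, 16)
	rand.Read(n)
	p := PaymentRequest{amount, currency, payee, fmt.Sprintf("%x", n)}
	b.Pending[p.Nonce] = p
	return p
}

// Verify enforces dynamic linking: the nonce must be one this bank issued and unused, the signed
// fields must equal what was sent, and the signature must verify under the bound key.
func (b *Bank) Verify(signed PaymentRequest, sig []byte) bool {
	orig, ok := b.Pending[signed.Nonce]
	if !ok || orig != signed || !ed25519.Verify(b.WalletKey, canonical(signed), sig) {
		return false
	}
	delete(b.Pending, signed.Nonce) // consume the nonce so a replayed package is rejected
	return true
}

func main() {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	bank := &Bank{WalletKey: pub, Pending: map[string]PaymentRequest{}}
	req := bank.NewRequest("120.00", "EUR", "DE89370400440532013000") // constructed sample payee
	fmt.Println("approved:", bank.Verify(req, WalletSign(priv, req)))
}
```

Changing the amount or payee after signing, reusing a nonce, or signing with a key other than the one bound at issuance all fail `Verify`, which is the property dynamic linking requires.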
The wallet also maps directly to the factor model required by PSD2, which demands two of the three categories (possession, knowledge, inherence). The possession factor is represented by the wallet credential, which is device-bound and protected by secure hardware. The inherence or knowledge factor is handled by biometric login or PIN, both of which are supported natively by the wallet. This makes two-factor authentication easy to implement, without relying on third-party apps or systems. It also creates a consistent user experience regardless of which bank or country is involved.
Article 5f introduces a critical legal requirement: that private sector relying parties in regulated industries must accept the EUDI Wallet for online identification and authentication, provided the user requests it. What remains a point of discussion is how the EUDI Wallet fits into the broader SCA framework. Some interpret the regulation to mean that the wallet can serve as a complete replacement for existing SCA methods, as it includes possession and inherence/knowledge factors within a single secure environment. Others argue that the wallet acts as one of the two required factors and still needs to be paired with another method.
Technically, the wallet is capable of fulfilling both required authentication factors. It contains a device bound private key and supports PIN or biometric verification. From a regulatory standpoint, this satisfies the two-factor requirement under PSD2. However, implementation guidance may vary by national authority, and financial institutions should track local interpretations to avoid non-compliance.
Under the hood, the EUDI Wallet flow requires adoption of emerging standards. This includes credential formats such as SD-JWT VC and MDOC, and protocols like OpenID4VC to facilitate presentation and verification. Trust frameworks, revocation mechanisms, metadata handling, and key lifecycle management are also part of the stack. Many of these standards are still being finalised through pilot projects and industry working groups. But the direction is clear: a common infrastructure that reduces complexity and increases interoperability across sectors.
Large scale pilots like the European Wallet Consortium (EWC) and NOBID are already trialling wallet based SCA flows in real settings, involving banks, wallet providers, and national identity services. These pilots help refine the technical flows, establish best practices, and identify gaps in the standards. They’re also shaping the technical specifications that will feed into the EU’s Architecture and Reference Framework (ARF), which will be formalised in the upcoming Implementing Acts.
The challenge for financial institutions is timing. While the legal requirement may still be a few years away, the reality is that implementing wallet based SCA requires deep integration across compliance, product, and engineering. You’ll need to issue and verify verifiable credentials, manage key binding and trust metadata, and support cross device wallet flows. Waiting until the last minute increases the risk of rushed integrations, regulatory non-compliance, and reputational damage.
There’s also a cost consideration. Building this capacity in house means hiring and maintaining dedicated legal, cryptographic, and technical teams (often at significant expense). And with standards still evolving, internal teams will face constant updates and rework.
At Vidos, we make digital identity adoption easier for financial institutions and other regulated providers. Our verification services are built to work with EUDI compatible wallets, and we offer tools to issue, verify, and manage credentials in line with eIDAS 2.0 standards. Whether you’re just exploring wallet based authentication or actively planning your rollout, Vidos can help you move faster, avoid complexity, and stay ahead of regulatory deadlines.
We work closely with institutions to design wallet flows that meet security requirements and support a better user experience. Our platform supports key protocols like OpenID4VC and credential formats including SD-JWT VC, so you’re ready for compliance from day one. Getting started with digital identity doesn’t have to mean building from scratch. With Vidos, it’s faster, cheaper, and more reliable to begin adopting strong, wallet based authentication today.