Guides
PortalContact Sales
Start typing to search…
  1. Authentication

Challenge Methods

Challenge Methods are individual authentication actions that verify cardholder identities during 3DS transactions. Apata supports multiple methods covering all three SCA factors.

Knowledge

Something the cardholder knows (password, security questions).

Possession

Something the cardholder has (phone, device).

Inherence

Something the cardholder is (biometrics, behaviour).

Available Challenge Methods

Possession Factor

Methods that prove the cardholder has access to a registered device.

SMS OTP

The SMS OTP challenge method sends a 6-digit one-time passcode via SMS.

FeatureDescription
SCA FactorPossession
Default DeliveryTwilio with alphanumeric sender ID
Delegate OptionsSend, Verify, Cancel

Key Features:

  • Customizable SMS text and sender ID
  • Support for multiple phone numbers per card
  • Delegate to issuer's SMS infrastructure

View Full Guide →

Email OTP

The Email OTP challenge method sends a 6-digit one-time passcode via email.

FeatureDescription
SCA FactorPossession
Default Sender[email protected] (customizable)
Delegate OptionsSend, Verify, Cancel

Key Features:

  • Fully customizable email templates
  • Custom sender address support
  • Delegate to issuer's email infrastructure

View Full Guide →


Possession + Inherence Factor

Methods that can satisfy multiple SCA factors simultaneously.

Delegate SCA (OOB)

The Delegate SCA / OOB method sends a push notification to the cardholder's banking app for biometric authentication.

FeatureDescription
SCA FactorsPossession + Inherence
AuthenticationFace ID, Fingerprint, or PIN
Success RateHighest of all methods

Key Features:

  • Best user experience
  • Covers two SCA factors in one step
  • Push notification to banking app

View Full Guide →


Knowledge Factor

Methods that prove the cardholder knows secret information.

Static Password

The Static Password method requires cardholders to enter their pre-set password.

FeatureDescription
SCA FactorKnowledge
StorageApata or Delegate to issuer
Delegate OptionsVerify, Cancel

Key Features:

  • Simple configuration
  • Optional delegate verification
  • Commonly used as second factor

View Full Guide →

Knowledge-Based Authentication (KBA)

The KBA method presents security questions that the cardholder must answer correctly.

FeatureDescription
SCA FactorKnowledge
Question TypesString, Single Select, Multi Select, Date
Data SourceCard Link API

Key Features:

  • Flexible question types
  • Configurable pass/fail thresholds
  • Supports hashed answers for security

View Full Guide →


Inherence Factor

Methods that verify the cardholder's unique characteristics.

Behavioural Biometrics

The Behavioural Biometrics method analyzes cardholder behaviour and device characteristics.

FeatureDescription
SCA FactorInherence
FrictionZero (invisible to cardholder)
RequirementMust combine with another method

Key Features:

  • Device fingerprinting
  • Behavioral pattern analysis
  • Automatic fallback on failure
⚠️

Browser-only. Does not support app-based transactions.

View Full Guide →

Method Comparison

MethodFactor(s)FrictionDelegate SupportBest For
Delegate SCAPossession + InherenceLowYesPrimary authentication
SMS OTPPossessionMediumYesWide compatibility
Email OTPPossessionMediumYesAlternative to SMS
Static PasswordKnowledgeMediumVerify onlySecond factor
KBAKnowledgeHighNoFallback method
Behavioural BiometricsInherenceNoneNoSecond factor (browser)

Challenge Methods vs Challenge Profiles

Individual authentication actions:

  • Single authentication step
  • Verifies one or two SCA factors
  • Building blocks for profiles

Examples:

  • SMS OTP alone
  • Static Password alone
  • Delegate SCA alone
⚠️

Important: Using individual challenge methods directly is deprecated. Always create a Challenge Profile, even for single-method configurations. This ensures easier future expansion and consistency.

Common Configurations

Recommended: OOB with SMS Fallback
Challenge Profile
├── Option 1: Delegate SCA (OOB)
└── Option 2: SMS OTP + Static Password

Settings: Fallback on Error = true

Best user experience with reliable fallback.

Two-Factor: SMS + Password
Challenge Profile
└── Option 1: SMS OTP + Static Password

Simple two-factor setup meeting SCA requirements.

Low-Friction: SMS + Biometrics
Challenge Profile
└── Option 1: SMS OTP + Behavioural Biometrics

Fallback: KBA (if biometrics fails)

Minimal friction with behavioral analysis.

Related Topics

  • Challenge Profile – Combine methods into authentication flows
  • Challenge Interface – Customise the authentication UI
  • SCA – Strong Customer Authentication requirements
  • PSD2 – Payment Services Directive 2

Updated 24 days ago