Issuin icon

One-time password (OTP) authentication

Learn how to add the cardholder's mobile phone number, email address, and a password to support 3D Secure.

If you choose to enroll your Adyen-issued card in 3D Secure through the one-time password (OTP) flow, the cardholder goes through the following process when making an online payment:

  1. The cardholder is redirected to a 3D Secure authentication page. In this page, they must provide:
    • Their password.
    • A one-time password (OTP) sent through SMS or email.
  2. The cardholder's credentials are validated against the authentication data that you set for the card.
    • If the authentication is successful, the payment is sent to Adyen for authorisation.
    • If the authentication fails, the payment fails.
  3. If the payment authorisation is approved, the payment is completed.

Add authentication data

To enroll the Adyen-issued card in 3D Secure, add the cardholder's mobile phone number, an email address, and a password when issuing cards.

When creating the card, include the authentication object containing:

  • A password, which is required for both SMS and email OTP challenges.
  • A phone object that includes the number and type set to mobile.
  • An email address.

By default, email OTP is a lower-priority method than an SMS OTP. However, in some countries, we always use email OTP. The OTP method is selected based on the cardholder's credentials and a predefined order of preference:

  • If a phone number is available, the OTP is sent via SMS.
  • If no phone number is provided, it falls back to email, if available.
  • If neither contact method is provided, the transaction is declined, because the OTP cannot be sent.

Using the contact details and password, Adyen enrolls the card in 3D Secure.

Here is an example of how you can create a card with authentication data to support 3D Secure authentication.

Update authentication data

You can add the authentication object at a later time or update the cardholder's phone number, password or email address by sending a PATCH /paymentInstruments/{id} request.

Get updates

You can use the cardholder authenticated webhook to get notified about the status and outcome of the cardholder's 3D secure authentication. Regardless of outcome of the authentication process, we send the balancePlatform.authentication.created webhook.

To keep track of webhooks, make sure that your server can receive and accept webhooks.

The balancePlatform.authentication.created webhook contains the following information.

Next steps

Before your users can start making purchases with the newly issued card, you will have to choose how to fund the accounts, process payments, and manage the card lifecycle.

required
Process payments

Choose how to authorise card payments.
required
Manage funds

Choose how to allocate funds to balance accounts.
3D Secure transactions

Understand failed, out of scope, and exempted transactions.