Authenticate cardholders for transactions

Last updated: March 5, 2025

You can perform out-of-band (OOB) 3D Secure cardholder authentication for digital transactions in your mobile app, using the OOB Android SDK or iOS SDK. OOB authentication is a type of two-factor authentication (2FA).

You must:

Complete your Issuing onboarding.
Integrate the OOB Android SDK or iOS SDK.

Once you have completed the setup, the flow to authenticate cardholders is as follows:

Perform Strong Customer Authentication (SCA).
Register the cardholder's device.
Authenticate the transaction.

Perform SCA on the cardholder.

You can generate multiple tokens for different systems during a single authentication session. For example, for sign in, to get an SDK session token, or to get an internal authentication token.

However, you can only generate a single SDK session token for each SCA flow requested.

You can choose to register the device as a background process when you onboard the cardholder in your app, or offer an explicit option to do so. For example, by displaying a button.

Note

You can only register a card for OOB for a single device and app combination. If you register another device for the same card, it overwrites the previously registered device and app combination.

For the iOS SDK, you must be in an asynchronous context to call the SDK's async functions – for example, you can use a Task.

To register the cardholder's device:


1// Prepare the device registration request
2val deviceRegistrationRequest = DeviceRegistration(
3    token = "CardHolder access token",
4    cardId = "CardID",
5    applicationID =  "Unique Application ID",
6    phoneNumber = PhoneNumber(countryCode = "+230", number = "52520782"),
7    cardLocale = CardLocale.EN,
8)
9
10// Initialize device registration with the OOB SDK
11val registerDeviceResult = oobManager.registerDevice(deviceRegistrationRequest)
12registerDeviceResult.collect { result ->
13    result.onSuccess {
14        // Success result (Type:Unit)
15    }.onFailure {
16        val message = provideErrorMessage(it)
17        // Handle errors here
18    }
19}


1// You must be in an async context to call the SDK's async functions – for example, use a Task
2Task {
3  do {
4    let deviceRegistration = try CheckoutOOB.DeviceRegistration(token: "access_token",
5            cardID: "card_id", // 30 characters maximum
6            applicationID: "application_id", // Likely the same as your notification token, which you can retrieve from your back end
7            phoneNumber: CheckoutOOB.PhoneNumber(countryCode: "+44", number: "5006007080"),
8            locale: .english) // or `.french`
9
10    try await checkoutOOB.registerDevice(with: deviceRegistration)
11
12  } catch  {
13    print(error.localizedDescription)
14  }
15}

In the core authentication flow, the cardholder is presented the option to approve or reject the transaction in your app.

Perform SCA on the cardholder again.
Listen for the transaction details webhook you set up for the Android SDK or iOS SDK.
Inject the transaction details into the OOB SDK.
Verify the online card transaction performed by your cardholder.


1// Prepare the authentication request
2val authenticationRequest = Authentication(
3    transactionId = "Acs Transaction ID",
4    token = "CardHolder access token",
5    cardId = "cardID",
6    method = Method.OOB_BIOMETRICS,
7    decision = Decision.ACCEPTED,
8)
9
10// Initialize transaction authentication with the OOB SDK
11val authenticatePaymentResult = oobManager.authenticatePayment(data)
12authenticatePaymentResult.collect { result ->
13    result.onSuccess {
14        // Success result (Type:Unit)
15    }.onFailure {
16        val message = provideErrorMessage(it)
17        // Handle errors here
18   }
19}


1Task {
2  do {
3    let paymentAuthentication = try CheckoutOOB.Authentication(token: "access_token",
4                                                    cardID: "card_id", // 30 characters maximum
5                                                    transactionID: "transaction_id",
6                                                    method: .biometrics,
7                                                    decision: .accepted)
8
9    try await checkoutOOB.authenticatePayment(with: paymentAuthentication)
10
11    } catch {
12      print(error.localizedDescription)
13    }
14}

Authenticate cardholders for transactions

Before you begin

How it works

Perform Strong Customer Authentication

Register the device

Note

Authenticate the transaction