Authentication (3DS2)

Authentication, also known as 3D Secure 2 (3DS2), is a crucial part of online card payments. It verifies the shopper's identity to prevent fraud and protect your business. 3DS2 offers both challenge and frictionless authentication flows.

How 3DS2 works

  • Challenge Flow: The cardholder actively confirms their identity, usually with a one-time password (OTP) sent via SMS or a banking app.

  • Frictionless Flow: The transaction is automatically approved without any action from the cardholder. This happens when the issuer assesses the transaction as low risk based on factors like the shopper's history and purchase amount.

The specific authentication method used depends on the card issuer's risk assessment and the shopper's device and browser capabilities.

Authentication is enabled by default. To accept unauthenticated transactions, request Optional 3DS on the Xendit dashboard; we will perform a risk-based analysis and decide whether authentication can be disabled on your account.

Authentication Methods

Shoppers may authenticate in a few ways:

  • One-time password: Sent via SMS or generated by a banking app.

  • Banking app: The shopper might be redirected to their banking app to approve the transaction.

  • Out-of-band authentication: The shopper receives a notification from their banking app to confirm the payment.

Important Notes

  • Authentication pages are hosted by the issuing banks. Neither you nor we control these pages or their functionality.

  • If a shopper experiences issues with the authentication page, advise them to contact their bank directly. We track authentication initiation and page loading, but cannot resolve issues within the bank's system.

Liability shift

In the context of card payments, liability shift refers to the transfer of responsibility for fraudulent transactions from you to the card issuer. This typically occurs when you have successfully authenticated a transaction using a method approved by the card network (such as 3D Secure 2.0).

Without Liability Shift: When a fraudulent transaction occurs and you do not utilize 3DS authentication, you are typically held liable for the chargeback and associated costs.

With Liability Shift: When you utilize the appropriate authentication protocols and a fraudulent transaction still takes place, the liability for the chargeback shifts to the card issuer. This protects the merchant from financial loss.

Implementing strong authentication measures is crucial to reduce your fraud risk and to benefit from liability shift protection.

Benefits of 3DS2

Implementing 3DS2 authentication is essential to:

  • Reduce fraud risk

  • Shift liability for chargebacks to the issuer

  • Improve customer trust and confidence

Authentication timeouts

During the checkout process, a shopper may be prompted to complete a 3DS authentication challenge by their issuing bank. An authentication is considered "abandoned" if the shopper starts this process but does not complete it. Common scenarios include:

  • Closing the authentication challenge window.

  • Navigating away from the checkout page.

  • Leaving the device idle during the challenge.

How the Timeout Logic Works

To prevent abandoned authentications from remaining stuck in an indefinite pending state, our system utilizes an automated timeout mechanism.

  • Initiation: When the 3DS challenge is generated and presented to the shopper, the authentication status is set to PENDING.

  • The 15-Minute Window: The system initiates a 15-minute countdown. The shopper must successfully authenticate within this timeframe.

  • Timeout Execution: If the shopper does not complete the challenge within the 15-minute window, the system automatically times out the session.

  • Final Status: The authentication is immediately moved from PENDING to a FAILED status.

Managing Timeout Outcomes

Because an abandoned 3DS challenge results in an unauthenticated payment, the transaction itself will ultimately fail.

Key Takeaways for Your Operations:

  • Clear Transaction States: You can rely on the 15-minute timeout logic to provide a clean, final FAILED status for incomplete checkouts.

  • Customer Support: If a shopper inquires about an incomplete order, your support team can accurately identify that the transaction failed due to an abandoned 3DS challenge rather than a payment processing error.
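The timeout states described above, modelled from the merchant side as an added example (not Xendit's own code or API): it classifies stored authentication records using the page's PENDING/FAILED statuses and the 15-minute window, and reports how much polling budget a pending challenge has left. The record field names, the SUCCEEDED status name and the ISSUER_UNAVAILABLE reason code are assumptions.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional

# Stated on the page: a PENDING 3DS challenge not completed within 15 minutes becomes FAILED.
CHALLENGE_TIMEOUT = timedelta(minutes=15)

@dataclass
class Authentication:
    """Merchant-side record of one 3DS authentication; field names are hypothetical."""
    auth_id: str
    status: str                                 # "PENDING", "FAILED" (page) or "SUCCEEDED" (assumed)
    challenge_presented_at: Optional[datetime]  # None when the flow was frictionless
    failure_reason: Optional[str] = None        # hypothetical processor reason code

def classify(auth: Authentication, now: datetime) -> str:
    """Map a record to the operational outcome the support team needs to report."""
    if auth.status == "SUCCEEDED":
        return "authenticated"
    if auth.status == "PENDING":
        # Past the window the provider fails the session itself, so stop polling now.
        started = auth.challenge_presented_at
        if started is not None and now - started >= CHALLENGE_TIMEOUT:
            return "abandoned_challenge"
        return "awaiting_challenge"
    if auth.status == "FAILED":
        # Challenge shown and no other reason recorded: abandoned, not a processing error.
        if auth.challenge_presented_at is not None and auth.failure_reason is None:
            return "abandoned_challenge"
        return "processing_error"
    raise ValueError(f"unknown authentication status {auth.status!r}")

def seconds_until_timeout(auth: Authentication, now: datetime) -> int:
    """Remaining polling budget for a PENDING challenge; 0 once the window has elapsed."""
    if auth.status != "PENDING" or auth.challenge_presented_at is None:
        return 0
    remaining = auth.challenge_presented_at + CHALLENGE_TIMEOUT - now
    return max(0, int(remaining.total_seconds()))

def demo_outcomes() -> dict:
    """Classify constructed sample records (not real Xendit data) at one fixed clock time."""
    t0 = datetime(2024, 1, 1, 12, 0, tzinfo=timezone.utc)
    now = t0 + timedelta(minutes=20)
    records = [
        Authentication("auth-1", "PENDING", t0),                         # idle for 20 min
        Authentication("auth-2", "PENDING", t0 + timedelta(minutes=15)),  # 5 min into window
        Authentication("auth-3", "FAILED", t0),                           # challenge abandoned
        Authentication("auth-4", "FAILED", None, "ISSUER_UNAVAILABLE"),   # hypothetical reason
    ]
    return {r.auth_id: (classify(r, now), seconds_until_timeout(r, now)) for r in records}
```

Calling `demo_outcomes()` returns each constructed record's outcome and remaining seconds, which is the distinction a support agent needs between an abandoned challenge and a processing failure.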