Strong client authentication means that whenever the user initiates an electronic payment, the payment service provider must request at least two elements from three categories:
(i) something only the user knows, for example a static password;
(ii) something that only the user has, for example, an authentication device (token) or a mobile phone;
(iii) some feature inherent to the user, for example, a biometric element.
At least one of the elements must be non-reusable, non-reproducible and unsusceptible to be surreptitiously obtained by third parties.