Stripe Decline Code · Glossary
authentication_required fires when the issuing bank or card network requires the cardholder to complete additional identity verification — typically 3D Secure (3DS) — before the transaction can be authorized.
What It Means
What It Means
authentication_required fires when the issuing bank or card network requires the cardholder to complete additional identity verification — typically 3D Secure (3DS) — before the transaction can be authorized. Unlike most decline codes that represent a final decision, authentication_required is a redirect signal, not a rejection — the bank is willing to approve the transaction, but only after the customer completes an authentication challenge. It is one of the most recoverable decline codes in the taxonomy because the underlying card is valid, the account is funded, and the only obstacle is completing a verification step.
Not sure if this code is recoverable for your specific situation? Use the Stripe Failure Lookup →
Why It Happens
Why It Happens
What NOT to Do
What NOT to Do
✕ Don't treat it as a hard decline and abandon the payment
authentication_required is explicitly a recoverable, action-required signal — not a final refusal. The bank is willing to authorize the transaction — it just requires the customer to authenticate first. Treating it as a final hard decline and routing it to a payment method switch email discards a highly recoverable payment unnecessarily.
✕ Don't retry silently without triggering a customer authentication flow
Silent background retries — the correct first response for soft declines like try_again_later — are entirely wrong for authentication_required. A silent retry fires the same charge with the same authentication gap and gets the same decline every time. The only valid retry for this code is one that brings the customer back to complete a 3DS challenge.
✕ Don't skip the 3DS integration audit before building customer outreach
A significant portion of authentication_required failures in EU, UK, and Indian markets are caused by a broken or incomplete 3DS integration on your Stripe implementation — particularly for recurring MIT charges. Sending customer emails before auditing your 3DS setup means you're pushing customers through authentication flows that may still be broken, generating frustration without resolution.
Retry Timing
Retry Timing
authentication_required is a customer-authentication-required retry code — all retries must be paired with a 3DS challenge flow, not a silent background attempt.
Recovery Benchmark
Recovery Benchmark
| Metric | Result |
|---|---|
| Overall recovery rate | 50–70% |
| Recovery via 3DS authentication link (customer completes) | 60–75% of those who click |
| Recovery via 3DS integration fix (developer-side) | 80–90% of the tech-issue subset |
| Recovery via alternate payment method | +12–18% additional lift |
| Recovery with silent retry (no 3DS) | ~5–8% |
| authentication_required as % of EU/IN failed payments | 25–40% in regulated markets |
A 65%+ overall recovery rate is achievable with a correctly implemented authentication link workflow and a fast Day 0 email. The most impactful split is identifying the 3DS integration bug subset — teams that audit their 3DS setup and fix broken recurring payment flows recover the entire affected cohort in one engineering push, often recovering 80–90% of that specific failure group instantly.
At Scale
At Scale
Automated
Manual Escalation
FAQs
FAQs
What does the Stripe authentication_required decline code mean?
authentication_required means the issuing bank requires the cardholder to complete additional verification — typically 3D Secure — before authorizing the transaction. It is not a final rejection; the bank is willing to approve the payment once authentication is completed. The card is valid, the account may be funded, and recovery is highly achievable by sending the customer a 3DS authentication link.
What are the most common causes of an authentication_required error in Stripe?
Common causes include SCA and PSD2 mandates requiring 3DS authentication in EU and UK markets, RBI Additional Factor Authentication mandates in India, recurring MIT charges rejected by issuers requiring fresh CIT authentication, the bank's fraud engine escalating to a required authentication challenge, and broken or incomplete 3DS integration on your Stripe checkout or subscription setup.
How do I recover a payment after a Stripe authentication_required decline?
Send the customer a Stripe-hosted payment link that triggers a fresh Customer-Initiated Transaction with a 3DS challenge. Once the customer completes authentication, immediately charge the outstanding invoice against the newly authenticated payment method. After successful re-authentication, update the subscription's default payment method with correct setup_future_usage parameters to prevent the same failure on the next billing cycle.
Can authentication_required be caused by a Stripe integration issue?
Yes, and this is one of the most impactful root causes. If your Stripe integration doesn't correctly pass setup_future_usage: 'off_session' on the initial CIT, or if the mandate parameter is missing on MIT recurring charges, issuers in EU, UK, and Indian markets will systematically return authentication_required on every recurring charge. Fixing this integration bug recovers the entire affected customer cohort instantly.
What is the recovery rate for Stripe authentication_required failures?
Overall recovery rates are 50–70%. Customers who complete the 3DS authentication link convert at 60–75%. Developer-side 3DS integration fixes recover 80–90% of the technical subset immediately. Alternate payment methods like PayPal and bank transfer add 12–18% additional lift for customers who cannot complete 3DS authentication.
What to do next
You are here
authentication_required
Decline code reference
Check recoverability
Stripe Failure Lookup
See what's recoverable — and what isn't →
Then
Sign up for Recurflux
Automate recovery for every decline code →
Before you retry
Before you retry
Most authentication_required failures are retried on the wrong schedule — which recovers the payment about 30% of the time. The other 70% leaves permanently. See what this code is actually costing at your MRR before deciding how to handle it.
Stop leaving revenue on the table
Recurflux handles code-specific retry scheduling, adaptive dunning, and dispute intelligence across all 30 Stripe decline codes. Connect in under 5 minutes.