Stripe authentication_required — 3DS recovery

authentication_required is the bank saying: "I'll approve this charge, but I need to verify the cardholder is actually present." That verification is 3D Secure (3DS) — usually a push notification to the customer's banking app, sometimes an SMS code, occasionally a voice call.

This is increasingly common globally. In Europe, PSD2/SCA rules require 3DS for many recurring charges. In the US and elsewhere, issuers are opting in for high-risk or unusual charges.

Even if you properly set up off_session payments and passed 3DS at signup, the issuer can still request fresh authentication for any of:

• PSD2 mandates periodic re-authentication — typically every 6 months for EU cards
• Charge amount or cadence changed in a way the bank considers "new"
• The customer's bank is rolling out stricter SCA enforcement
• Fraud signal suggests re-authentication would be prudent

Your code can be perfect and still see this decline. Fixing it is always a customer action.

1. +1h: email with Billing Portal link. The portal handles the 3DS flow — customer just re-confirms their card.
2. Don't auto-retry — the bank will keep demanding 3DS until the customer completes it.
3. +24h: second email, more direct.
4. +48h: SMS — 3DS-required customers respond faster to SMS than email because the flow itself is mobile-first.
5. +7d: final email + subscription pause.

Hi [name], your bank needs one-time verification before we can charge your card again. This is a standard bank security check — not a problem with your card or account. Click below and your bank will prompt you to approve the charge (takes 20 seconds).

[Verify your card →]

Avoid the acronyms "3DS" or "PSD2." Most customers don't know what they mean and will assume they're being phished.