# Cardholder Authentication
source: https://developer.mastercard.com/mastercard-checkout-solutions/documentation/use-cases/card-on-file/card_holder_auth/index.md

Authenticating cardholders can involve a verification method such as an OTP challenge facilitated by the issuer during enrollment.  

Integrators and issuers can take advantage of this authentication method to streamline a secure provisioning and activation process for cardholders.

Below are additional authentication mechanisms to authenticate cardholders:

|                                                                                             Use Case                                                                                              |                               Description                                |
|---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|--------------------------------------------------------------------------|
| [**Authentication During Card Enrollment**](https://developer.mastercard.com/mastercard-checkout-solutions/documentation/use-cases/card-on-file/card_holder_auth/index.md#during-card-enrollment) | Allow a cardholder to authenticate during card enrollment.               |
| [**Authentication for an Existing Token**](https://developer.mastercard.com/mastercard-checkout-solutions/documentation/use-cases/card-on-file/card_holder_auth/index.md#for-an-existing-token)   | Allow a cardholder to authenticate with a card that is already enrolled. |

## During Card Enrollment {#during-card-enrollment}

1. The consumer logs in to their profile, shops for items and clicks Checkout.
2. Your website displays the list of cards that the consumer has on file or an option to enter new card details.
3. The consumer enters new card details and clicks Pay.
4. Your system sends an **Enroll Card** ([**POST /cards**](https://developer.mastercard.com/mastercard-checkout-solutions/documentation/api-reference/apis/index.md#card)) request with the encrypted PAN details and optional data to support the decision to enroll and tokenize.
5. If the account range is enabled for tokenization, Mastercard Checkout Solutions contacts the issuer to check eligibility for tokenization. The issuer then responds with a tokenization decision. If tokenization is approved, the `DigitalCardData.status` is **ACTIVE** in the enroll card response.
   * If tokenization request is successful but *requires additional authentication* , you will receive a `200` response code. This is indicated with populating the `pendingEvents` object with the pending consumer authentication type, example - `PENDING_SCA`.
   * If the response doesn't contain `PENDING_SCA`, you can optionally call `POST /accountholder/authentication/lookup` to look up the supported authentication methods. The response contains the `authenticationMethodType` object indicating the authentication type, example - `SMS_OTP`.
6. Initiate cardholder's authentication by calling [POST /accountholder/authentication/initiate](https://developer.mastercard.com/mastercard-checkout-solutions/documentation/api-reference/apis/index.md#initiate-cardholder-authentication). An authentication code is sent to the cardholder by the issuer.
7. Cardholder enters the authentication code. Complete cardholder's authentication by calling [POST /accountholder/authentication/complete](https://developer.mastercard.com/mastercard-checkout-solutions/documentation/api-reference/apis/index.md#complete-cardholder-authentication).

## For an Existing Token {#for-an-existing-token}

To authenticate a pre-existing token:

1. You can look up the supported authentication methods by calling [POST /accountholder/authentication/lookup](https://developer.mastercard.com/mastercard-checkout-solutions/documentation/api-reference/apis/index.md#authentication). The response contains the `authenticationMethodType` object indicating the authentication type, example - `SMS_OTP`.
2. As the card is already enrolled, call [POST /accountholder/authentication/initiate](https://developer.mastercard.com/mastercard-checkout-solutions/documentation/api-reference/apis/index.md#initiate-cardholder-authentication) to initiate authentication using the `tokenUniqueReference`. An authentication code is sent to the cardholder.
3. Cardholder enters the authentication code. Complete cardholder's authentication by calling [POST /accountholder/authentication/complete](https://developer.mastercard.com/mastercard-checkout-solutions/documentation/api-reference/apis/index.md#complete-cardholder-authentication).
