Archived 2023.08.13. Content moved to One Time Password (OTP)
Question
As part of the Consent Flow in the Energy sector, if the Data Holder (DH) chooses to use an email address for the Customer ID, can the OTP be sent to the email address used for Customer ID?
Answer
Technically, this may not be against the CDS as there is no specific instruction against it. The general recommendation from a security perspective would be not to send the OTP to an email address.
Given the potential and threat of security breaches, if DHs began to adopt this approach then the DSB would almost certainly be required to update the CDS to prohibit it.
Comments
0 comments
Please sign in to leave a comment.