Archived 2023.08.13. Content moved to One Time Password (OTP)
As part of the Consent Flow in the Energy sector, if the Data Holder (DH) chooses to use an email address for the Customer ID, can the OTP be sent to the email address used for Customer ID?
Technically, this may not be against the CDS as there is no specific instruction against it. The general recommendation from a security perspective would be not to send the OTP to an email address.
Given the potential for, and threat of, security breaches, if DHs began to adopt this approach the DSB would almost certainly be required to update the CDS to prohibit it.