Question
Is an energy sector Data Holder (DH) compliant with the CDR authentication standards, if, during the consumer authentication flow:
- the DH presents the consumer with a 'One Time Password' (OTP) as stated in the standards; and
- then presents a 2-factor-authentication (2FA) for customers who have specifically requested 2FA.
Answer
The Data Standards Body (DSB) does not certify compliance for CDR implementations.
However, the following statement in CDS OIDC Hybrid Flow applies:
"The delivery mechanism for the OTP is at the discretion of the Data Holder but MUST align to existing and preferred channels for the customer and MUST NOT introduce unwarranted friction into the authentication process"
An additional authentication mechanism (2FA) would add friction. Instead, use the nominated 2FA mechanism to provide the OTP rather than giving two OTPs in two different channels.