Archived 2023.01.11. Content moved to CDS Guide, One Time Pin (OTP)

Question

As part of the Redirect with One Time Password Customer Authentication process, when prompting the Consumer for the User Identifier, aka Customer ID, can the Data Holder ask the consumer to enter two pieces of data, for further identification?

For example, can the DH  request both account number and mobile number?

Answer

It is expected that a single piece of information is used to uniquely identify a customer.

However, to determine a specific profile related to a customer id, additional information could be requested.

If you are trying to distinguish different customers or profiles with the same ID,  this may be a valid approach.

If you are trying to determine which mobile number to use for OTP, where you have multiple mobile numbers for a customer, then it may be a valid approach, provided the supplied mobile number is validated against a number already on file for the customer. 

It is clearly a security risk to use, for OTP, a number supplied by the customer without validation.