From the Consumer Experience (CX) wireframes it does not look like a customer/member can request another One Time Password (OTP) if they did not receive the initial one or they input the initial one incorrectly.
Can you please confirm that this is the case?
And if so, if the incorrect OTP is input, that the customer/member will need to go back to the User Identifier screen and start the process again?
This detail was not included in the CX Guidelines but we would recommend allowing the consumer to request another OTP at this authentication step.
The Consumer Data Standards don't preclude multiple retries and are intentionally silent on how many retries to allow. It would be considered good practice to limit the number of failed retries before cancelling the request. Unlimited retries will create an unnecessary security vulnerability. How data holders deal with incorrect authentication details is at their discretion, which is expected to have regard for any identified phishing risks and be in line with the data holder's existing security posture.
An example for requesting another OTP will be included in an upcoming release of the CX Guidelines.
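The answer above leaves the retry policy to the data holder but names the controls that matter: let the consumer ask for another OTP, cap failed entries, and cancel the request once the cap is hit rather than allowing unlimited guesses. The sketch below is an added illustration of that shape, not code from the Consumer Data Standards, the CX Guidelines or any data holder. The limit values, the `OtpSession` class and its method names are assumptions chosen for the example; a resend deliberately does not reset the failure counter, so requesting a fresh code cannot be used to buy extra guesses.

```python
import hmac
import secrets
import time
from dataclasses import dataclass
from typing import Callable, Optional

# Constructed policy values for illustration only; the Standards leave them to the data holder.
MAX_FAILED_ATTEMPTS = 3   # failed entries before the authentication request is cancelled
MAX_RESENDS = 2           # fresh codes a consumer may request within one authentication step
OTP_TTL_SECONDS = 300     # each code expires five minutes after issue
OTP_DIGITS = 6


@dataclass
class OtpSession:
    """One OTP authentication step for one consumer (hypothetical helper, not a CDS API)."""
    now: Callable[[], float] = time.time   # injectable clock so expiry can be tested
    code: str = ""
    issued_at: float = 0.0
    failed_attempts: int = 0
    resends: int = 0
    cancelled: bool = False
    authenticated: bool = False

    def issue(self) -> str:
        """Generate a fresh code. Here it is returned so the example can run offline;
        in a real flow it would be delivered out of band and never shown to the caller."""
        if self.cancelled:
            raise RuntimeError("request cancelled; consumer must restart from the User Identifier screen")
        self.code = f"{secrets.randbelow(10 ** OTP_DIGITS):0{OTP_DIGITS}d}"
        self.issued_at = self.now()
        return self.code

    def request_another(self) -> Optional[str]:
        """Consumer-initiated resend. Failed attempts carry over, and the resend count is
        capped so the delivery channel cannot be used to flood the consumer with messages."""
        if self.cancelled or self.authenticated:
            return None
        if self.resends >= MAX_RESENDS:
            self.cancelled = True
            return None
        self.resends += 1
        return self.issue()

    def verify(self, entered: str) -> str:
        """Check an entered code. Returns one of: ok, wrong, expired, cancelled,
        already_authenticated. An expired code is not counted as a failure; the
        consumer simply needs to request another one."""
        if self.cancelled:
            return "cancelled"
        if self.authenticated:
            return "already_authenticated"
        if self.now() - self.issued_at > OTP_TTL_SECONDS:
            return "expired"
        # Constant-time comparison so response timing does not leak matching prefixes.
        if hmac.compare_digest(entered.encode(), self.code.encode()):
            self.authenticated = True
            self.code = ""
            return "ok"
        self.failed_attempts += 1
        if self.failed_attempts >= MAX_FAILED_ATTEMPTS:
            self.cancelled = True       # bounded: the request is cancelled, not left open
            return "cancelled"
        return "wrong"


if __name__ == "__main__":
    session = OtpSession()
    code = session.issue()
    print("first entry (wrong):", session.verify("000000" if code != "000000" else "111111"))
    code = session.request_another()          # consumer asks for another OTP
    print("entry with fresh code:", session.verify(code))
    print("failed attempts carried over:", session.failed_attempts)
```

Running the script walks through the flow the question asks about: a wrong entry, a consumer-requested resend, then a successful entry, with the single failure still recorded against the step.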