In the specifications, some aspects of OTP (One Time Password) are specified, and some are not. For example, the length of 4 to 6 digits is specified. However, expiry of the OTP is not specified.
The provided OTP must be invalidated after a period of time at the discretion of the Data Holder. This expiry period should provide time for the customer to reasonably complete the authorisation process.
In general, our preference is not to be specific with the standards unless there is a need for specificity.
We are expecting Data Holders to select a reasonable expiry timeframe. So far, the Data Holders that have implemented have used sensible expiry times for their OTPs.
If Data Holders start adopting long expiry times for OTPs then we are likely to look at being specific in this part of the standards.
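To make the discussion concrete, below is an added example (not code from the standards body or from any Data Holder) of an OTP issuer/verifier that enforces the properties discussed in the thread: a 4 to 6 digit code, an expiry window chosen by the Data Holder, and single use. The expiry of 300 seconds, the attempt limit of 3, the `OtpStore` class and the `FakeClock` helper are all assumptions for illustration; the standards fix only the length and leave the expiry to the Data Holder's discretion.

```python
import hmac
import secrets
import time
from dataclasses import dataclass

# Illustrative policy values. The standards fix the length at 4 to 6 digits;
# the expiry window and attempt limit below are assumed, not mandated.
OTP_DIGITS = 6
OTP_TTL_SECONDS = 300
MAX_ATTEMPTS = 3


@dataclass
class IssuedOtp:
    code: str
    expires_at: float
    attempts: int = 0
    used: bool = False


class FakeClock:
    """Controllable clock so expiry can be exercised without sleeping (test helper)."""

    def __init__(self, start=1_000.0):
        self.t = start

    def __call__(self):
        return self.t


class OtpStore:
    """In-memory OTP issuer/verifier with expiry, attempt limit and single use."""

    def __init__(self, digits=OTP_DIGITS, ttl=OTP_TTL_SECONDS, clock=time.time):
        if not 4 <= digits <= 6:
            raise ValueError("OTP length must be 4 to 6 digits")
        self.digits = digits
        self.ttl = ttl
        self.clock = clock  # injectable so tests can move time forward
        self._issued = {}   # authorisation/session id -> IssuedOtp

    def issue(self, session_id):
        # CSPRNG-backed code, zero-padded so leading zeros keep the fixed length.
        code = str(secrets.randbelow(10 ** self.digits)).zfill(self.digits)
        self._issued[session_id] = IssuedOtp(code, self.clock() + self.ttl)
        return code

    def verify(self, session_id, candidate):
        """Return (ok, reason). Expiry is checked before the code is compared."""
        entry = self._issued.get(session_id)
        if entry is None:
            return False, "unknown"
        if entry.used:
            return False, "already_used"
        if self.clock() > entry.expires_at:
            del self._issued[session_id]  # expired codes are invalidated outright
            return False, "expired"
        entry.attempts += 1
        if entry.attempts > MAX_ATTEMPTS:
            del self._issued[session_id]  # lock out brute-force guessing
            return False, "too_many_attempts"
        # Constant-time comparison avoids leaking matching prefixes via timing.
        if not hmac.compare_digest(entry.code.encode(), str(candidate).encode()):
            return False, "mismatch"
        entry.used = True  # single use: a replay of the same code is rejected
        return True, "ok"


if __name__ == "__main__":
    clock = FakeClock()
    store = OtpStore(clock=clock)
    code = store.issue("consent-1")  # constructed session id
    print("issued", code, store.verify("consent-1", code))
    clock.t += OTP_TTL_SECONDS + 1
    print("late replay", store.verify("consent-1", code))
```

The verifier checks expiry and the attempt counter before comparing the code, so a long expiry window would widen the brute-force budget unless the attempt limit is also enforced; that interaction is what makes the expiry choice a security decision rather than only a usability one.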