-
Notifications
You must be signed in to change notification settings - Fork 9
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
OTP NFR added to the Consumer Data Standards #554
Comments
If this is happening in the wild it's pretty disappointing and if an NFR needs to be defined I support it. I note the following statement in the Standards though which makes me think if this is happening in the wild it is non-compliant already:
|
This issue was discussed in the first call of Maintenance Iteration 15. Participants concluded that it may be sensible to defer this proposal, preferring to:
|
Specifying an NFR for guaranteed delivery of an OTP is not technically possibly for a myriad of reasons including SMS delivery delays and email server protections etc. Biza believes a more effective mechanism for resolving this issue is contained within the proposal for NFR and Metrics uplift in DP288 which incorporates a pre authentication and post authentication checkpoint. With this data the DSB/Regulator could contact Holders which appear to have low progression to post authentication state to identify the reasoning for why this might be happening. |
I agree this is hard due to the reliance on external systems or services. Perhaps we could have an aggregate metric reported on the volume and % of Consumers who are hitting the "Resend OTP" per DH? |
Description
The Data Holder authentication OTP implementation is fairly ambiguous in the current standards. We understand this is desired as the OTP method could be a process familiar to consumers of a specific data holder.
A problem we have observed and that we have had consumers raising, is OTPs not arriving in a timely manner. There are two levels to this:
This change request is specifically for the latter of these two.
Area Affected
Authentication process provided by a data holder.
Change Proposed
We propose to add a clear NFR specifying an OTP must arrive in a certain period. This period must be prior to the Data Holder OTP time out and we suggest it should be less than 2 minutes.
The text was updated successfully, but these errors were encountered: