Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

OTP NFR added to the Consumer Data Standards #554

Open
jimbasiq opened this issue Nov 2, 2022 · 4 comments
Open

OTP NFR added to the Consumer Data Standards #554

jimbasiq opened this issue Nov 2, 2022 · 4 comments

Comments

@jimbasiq
Copy link

jimbasiq commented Nov 2, 2022

Description

The Data Holder authentication OTP implementation is fairly ambiguous in the current standards. We understand this is desired as the OTP method could be a process familiar to consumers of a specific data holder.

A problem we have observed and that we have had consumers raising, is OTPs not arriving in a timely manner. There are two levels to this:

  • too slow for a good customer experience
  • OTP arriving after a Data Holder's OTP time out period

This change request is specifically for the latter of these two.

Area Affected

Authentication process provided by a data holder.

Change Proposed

We propose to add a clear NFR specifying an OTP must arrive in a certain period. This period must be prior to the Data Holder OTP time out and we suggest it should be less than 2 minutes.

@perlboy
Copy link

perlboy commented Nov 2, 2022

If this is happening in the wild it's pretty disappointing and if an NFR needs to be defined I support it. I note the following statement in the Standards though which makes me think if this is happening in the wild it is non-compliant already:

Data Holders MUST provide a one-time password (OTP) to the customer through an existing channel or mechanism that the customer can then enter into the redirected page

@kirkycdr kirkycdr moved this from Full Backlog to Iteration Candidates in Data Standards Maintenance Apr 28, 2023
@nils-work nils-work moved this from Iteration Candidates to Full Backlog in Data Standards Maintenance May 3, 2023
@nils-work
Copy link
Member

This issue was discussed in the first call of Maintenance Iteration 15.

Participants concluded that it may be sensible to defer this proposal, preferring to:

@biza-io
Copy link

biza-io commented May 30, 2023

Specifying an NFR for guaranteed delivery of an OTP is not technically possibly for a myriad of reasons including SMS delivery delays and email server protections etc.

Biza believes a more effective mechanism for resolving this issue is contained within the proposal for NFR and Metrics uplift in DP288 which incorporates a pre authentication and post authentication checkpoint. With this data the DSB/Regulator could contact Holders which appear to have low progression to post authentication state to identify the reasoning for why this might be happening.

@jimbasiq
Copy link
Author

jimbasiq commented Oct 2, 2024

I agree this is hard due to the reliance on external systems or services.

Perhaps we could have an aggregate metric reported on the volume and % of Consumers who are hitting the "Resend OTP" per DH?

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Projects
Status: Full Backlog
Development

No branches or pull requests

5 participants