2AU.03.15
15
The delivery mechanism for the One Time Password (OTP) is at the discretion of the data holder but MUST align to existing and preferred channels for the customer and MUST NOT introduce unwarranted friction into the authentication process. In line with CDR Rule 4.24 on restrictions when asking CDR consumers to authorise disclosure of CDR data, unwarranted friction for OTP delivery is considered to include: • the addition of any requirements beyond normal data holder practices for verification code delivery • providing or requesting additional information beyond normal data holder practices for verification code delivery • offering additional or alternative services • reference or inclusion of other documents
Security Profile: Authentication Flows | CDR Rule 4.24 | CX Research 12, 27
Authenticate: Redirect with One Time Password
12 August 2020 or earlier
25 February 2022