2AU.00.27
27
Data holders MUST NOT introduce unwarranted friction into the authentication process. In line with CDR Rule 4.24 on restrictions when asking CDR consumers to authorise disclosure of CDR data, unwarranted friction for authentication flows and methods is considered to include, but is not limited to:
• The addition of any requirements beyond normal data holder practices for authenticating the consumer, including, but not limited to, One Time Password (OTP) verification code delivery.
• Providing or requesting additional information beyond normal data holder practices for authenticating the consumer, including, but not limited to, OTP verification code delivery.
• Offering additional or alternative services.
• Referencing or including other documents.
Authentication Standards, Common Authentication Standards, Authentication: Friction
Authenticate: Redirect to Web with One Time Password
22 September 2025