Checklist ref
2AU.03.08
Area
2AU. Redirect to Web with OTP
Wireframe ref
08
Type
Technical Standard
Requirement level
MUST
Participant
Data Holder
Statement
Where a data holder supports the ‘Redirect to Web with OTP’ flow:
• The provided OTP MUST be invalidated after a period of time at the discretion of the data holder. This expiry period SHOULD facilitate enough time for the customer to reasonably complete the authorisation process.
NB: This is a subset of the Technical Standard referenced.
Reference
Security Profile, Credential Requirements, One Time Password Credential Requirements | CX Research 12, 27
Example
Authenticate: Redirect to Web with One Time Password
Version introduced
1.4.0 or earlier
Date introduced
12 August 2020 or earlier
Date modified
22 September 2025
Status
Active