OTP retries are now limited
Effective:
- 27 February 2024 on Sandbox
- 20 March 2024 on Live
To reduce the risk of fraud, we are now limiting the number of times a one-time password (OTP) can be submitted incorrectly.
Secure UI Components
When the user enters a wrong OTP, they are shown an error message and can enter a new OTP. When they reach their last try, a message tells them that it is the last try. If a wrong OTP is entered on the last try, the Secure UI Component returns an error event with the code CHALLENGE_LIMIT_EXCEEDED.
Affected Secure UI Components:
API endpoints
We have introduced 2 new error codes for the HTTP 409 response:
- ONE_CHALLENGE_LIMIT_REMAINING - returned when the user has one try left
- CHALLENGE_LIMIT_EXCEEDED - returned when the user has exceeded their OTP retries
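One way a client could react to these two codes, as an added example that is not part of the original page or of the vendor's SDK. It assumes the 409 JSON body carries the error code in a field named `code`; the phase names and messages are hypothetical.

```javascript
// Added example: client-side handling of the two new 409 error codes.
// Assumption: the 409 JSON body exposes the error code in a `code` field.
const LAST_TRY = "ONE_CHALLENGE_LIMIT_REMAINING";
const EXCEEDED = "CHALLENGE_LIMIT_EXCEEDED";

// Phases: "input" (tries left), "last_try", "locked" (terminal), "verified".
function initialOtpState() {
  return { phase: "input", message: "" };
}

// Only these phases may send another OTP to the API.
function canSubmit(state) {
  return state.phase === "input" || state.phase === "last_try";
}

// Pure reducer: given the current state and an API response
// ({ status, body }), return the next UI state.
function nextOtpState(state, response) {
  // Terminal phases never change, whatever arrives later.
  if (!canSubmit(state)) return state;
  if (response.status >= 200 && response.status < 300) {
    return { phase: "verified", message: "" };
  }
  const code =
    response.status === 409 && response.body ? response.body.code : null;
  if (code === EXCEEDED) {
    return { phase: "locked", message: "Too many incorrect codes." };
  }
  if (code === LAST_TRY) {
    return { phase: "last_try", message: "Incorrect code. This is your last try." };
  }
  // Any other failure (a different 409 code, a 5xx, ...): keep the phase so
  // a last-try warning is not lost, and show a generic error.
  return { phase: state.phase, message: "Could not verify the code." };
}

// Replays a list of responses through the reducer. The responses used with
// it here are constructed samples, not captured from a real API.
function replay(responses) {
  return responses.reduce((s, r) => nextOtpState(s, r), initialOtpState());
}
```

Disabling the submit control whenever `canSubmit` returns false keeps the client from sending further OTPs once the limit has been exceeded.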
Affected API endpoints: