Improved user behaviour handling for the Step Up Issue One Time password endpoint
Effective:
- 27 February 2024 on Sandbox
- 19 March 2024 on Live
The Step up - Issue one time password endpoint now allows the end-user to re-send a new OTP up to one time if the first attempt to issue a step-up challenge was unsuccessful.
To be able to issue another step-up challenge, you need to wait 15 seconds (or more) from the first attempt.
- If the step-up challenge API is triggered after 15 seconds from the first attempt, the first attempt will be invalidated and the user will need to respond to the new challenge.
- Triggering the step-up challenge API before 15 seconds will return an HTTP 409 RETRY_IN_15SEC.
- The step-up challenge can be retried 2 times, after which an HTTP 400 INVALID_REQUEST will be returned. The user will have to log out and log in again to issue a new step-up challenge.
Note: If the end-user receives both the first SMS and the second one at the same time (e.g. a delay in telecom delivering the messages), only the more recent OTP will work.
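The rules above can be exercised locally with a small model of one session's step-up state. This is an added example, not the provider's implementation: the class name, the 200 success status, the order of the 400 and 409 checks, and the choice that a 409 does not consume a retry are assumptions; the 15-second window, the retry limit of 2 and the two error codes come from the list above.

```python
import secrets

COOLDOWN_SECONDS = 15  # from the page: wait 15 seconds (or more) between challenges
MAX_RETRIES = 2        # from the page's list; kept configurable in this model


class StepUpSession:
    """Local model of one login session's step-up OTP state (hypothetical class)."""

    def __init__(self, cooldown=COOLDOWN_SECONDS, max_retries=MAX_RETRIES):
        self.cooldown = cooldown
        self.max_retries = max_retries
        self.current_otp = None    # only the most recent OTP is ever accepted
        self.last_issued_at = None
        self.retries = 0

    def issue(self, now):
        """Return (http_status, code, otp) for an issue request at time `now` (seconds)."""
        if self.last_issued_at is None:
            return self._new_otp(now)
        if self.retries >= self.max_retries:
            # Retry budget spent: the user must log out and log in again.
            # Assumption: this check takes precedence over the cooldown check.
            return 400, "INVALID_REQUEST", None
        if now - self.last_issued_at < self.cooldown:
            # Too early. Assumption: the pending challenge stays valid and
            # the rejected call does not count as a retry.
            return 409, "RETRY_IN_15SEC", None
        self.retries += 1
        return self._new_otp(now)

    def _new_otp(self, now):
        # Overwriting current_otp is what invalidates the earlier challenge.
        self.current_otp = f"{secrets.randbelow(10**6):06d}"
        self.last_issued_at = now
        # The success status is an assumption; the page specifies only the errors.
        return 200, "ISSUED", self.current_otp

    def verify(self, otp):
        """Constant-time check against the most recent OTP only."""
        if self.current_otp is None:
            return False
        return secrets.compare_digest(otp, self.current_otp)
```

Because `verify` compares against a single stored value, two SMS messages that arrive together behave as the note describes: only the code from the later challenge is accepted.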
Affected API endpoints:
More details on how to step-up a token are available in our documentation.