
Improved user behaviour handling for the Step Up Issue One Time password endpoint


Effective:

  • 27 February 2024 on Sandbox
  • 19 March 2024 on Live

The Step up - Issue one time password endpoint now allows the end-user to have a new OTP re-sent up to one time if the first attempt to issue a step-up challenge was unsuccessful.

To be able to issue another step-up challenge, you need to wait 15 seconds (or more) from the first attempt.

  • If the step-up challenge API is triggered after 15 seconds from the first attempt, the first attempt is invalidated and the user will need to respond to the new challenge.
  • Triggering the step-up challenge API before 15 seconds have passed will return an HTTP 409 RETRY_IN_15SEC.
  • The step-up challenge can be retried 2 times, after which an HTTP 400 INVALID_REQUEST will be returned. The user will have to log out and log in again to issue a new step-up challenge.

Note: If the end-user receives both the first SMS and the second one at the same time (e.g. a delay in telecom delivering the messages), only the more recent OTP will work.
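A client-side sketch of the retry rules above, added here as an example and not taken from the API provider's own code. `send_challenge` is a hypothetical callable that calls the endpoint and returns `(http_status, error_code)`; treating any 2xx status as success is an assumption, and the retry limit is left to the server rather than hard-coded.

```python
import time

COOLDOWN_SECONDS = 15  # minimum gap between challenges, per the rules above


class StepUpOtpFlow:
    """Client-side tracking of one login session's step-up challenges."""

    def __init__(self, send_challenge, clock=time.monotonic):
        # send_challenge is hypothetical: it performs the API call and
        # returns (http_status, error_code or None).
        self._send = send_challenge
        self._clock = clock
        self._last_issued = None   # time of the last accepted challenge
        self.challenges_issued = 0
        self.exhausted = False     # True once the API refused further retries

    def seconds_until_retry(self):
        if self._last_issued is None:
            return 0.0
        return max(0.0, COOLDOWN_SECONDS - (self._clock() - self._last_issued))

    def request_otp(self):
        """Return (action, detail) where action is ISSUED, WAIT or RELOGIN."""
        if self.exhausted:
            return ("RELOGIN", "log out and log in to start a new step-up")
        wait = self.seconds_until_retry()
        if wait > 0:
            # Skip the call; the API would answer 409 RETRY_IN_15SEC.
            return ("WAIT", wait)
        status, code = self._send()
        if 200 <= status < 300:  # assumption: any 2xx means the OTP was sent
            self._last_issued = self._clock()
            self.challenges_issued += 1
            # Earlier OTPs are now invalid; prompt for the newest code only.
            return ("ISSUED", self.challenges_issued)
        if status == 409 and code == "RETRY_IN_15SEC":
            # Server timing disagrees with ours; back off a full window.
            self._last_issued = self._clock()
            return ("WAIT", float(COOLDOWN_SECONDS))
        if status == 400 and code == "INVALID_REQUEST":
            # Treated here as the retry limit being reached.
            self.exhausted = True
            return ("RELOGIN", "retry limit reached")
        raise RuntimeError(f"unexpected response: {status} {code}")
```

Disabling the "resend code" control while `seconds_until_retry()` is non-zero keeps users from triggering avoidable 409 responses, and clearing the OTP input on every `ISSUED` result avoids submitting a code the newer challenge has invalidated.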

Affected API endpoints:

More details on how to step-up a token are available in our documentation.