Identity challenges add a second verification of the user's identity before a sensitive action is carried out, such as changing an address or creating a transfer. Unlike multi-factor authentication at login, an identity challenge is issued while the user is already logged in and authenticated: it steps up the level of assurance for that one action rather than for the session as a whole.
Factors for Identity Challenges
Identity challenges can be completed in a variety of ways, including having the customer answer security questions or enter a one-time password (OTP) sent to a phone number or email address. The combination of verification method and delivery channel used to verify an identity is known as a challenge factor.
A challenge factor is therefore more than the validation method alone. An OTP, for example, is one validation method, but it can be delivered by email, voice call or SMS, and each delivery channel counts as a separate challenge factor.
A complete list of challenge factors supported by the API is available in the API documentation.
The challenge factors available for identity challenges depend on the Financial Institution's (FI) requirements. Not all options are available at every FI, and not all options are available for every action. For instance, an FI may allow security questions for a change of address but require phone or email verification for creating an external transfer.
Customer Information for Challenge Factors
Customers may not be able to use every factor offered for an identity challenge. For example, a customer with no mobile phone number on file cannot use a factor that delivers an OTP over SMS. When a customer can use more than one challenge factor for an identity challenge, they are usually given a choice of which factor to use.
A customer may be unable to complete an identity challenge at all if the contact information or registered security questions the challenge relies on are missing from their account. For example, the action they are performing may require an OTP over SMS while no mobile phone number is registered. If the FI offers no alternative challenge factor for that action, or the customer's account lacks the data needed for the alternatives, the customer cannot perform the action that requires the identity challenge.
Integrating Identity Challenges into API Calls
When an API function requires an identity challenge in order to continue, it responds with a 401 -- Challenge Required error. On receiving this error, the application should prompt the user to complete an eligible identity challenge using the factor information provided in the response. Because 401 is also the generic HTTP status for an unauthenticated request, the client should key on the Challenge Required error in the response, not on the status code alone, before it offers the user a challenge.
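The following client-side handler is an added example and not code from the API documentation or the Completing an Identity Challenge guide. It assumes a JSON error body of the form `{"error": "Challenge Required", "challenge": {"id": ..., "factors": [...]}}`, factor types such as `otp_sms`, and a retry that carries the completed challenge in a `challenge` field of the original request; all of these names, the hypothetical endpoint behaviour, and the offline stand-in server are assumptions for illustration. It shows the points the text makes: the 401 is treated as a challenge only when the body says so, factors the customer cannot complete are filtered out, an action with no usable factor fails cleanly, and the retry is bounded to one attempt.

```python
import json
from dataclasses import dataclass
from typing import Callable, Optional

# Every field name, factor type and identifier below is an assumption made for
# this example; the real schema is in the API docs and the Completing an
# Identity Challenge guide.

@dataclass
class ChallengeFactor:
    factor_id: str
    kind: str                     # e.g. "otp_sms", "otp_email", "security_questions"
    target: Optional[str] = None  # masked contact on file; None if the customer has none

@dataclass
class Challenge:
    challenge_id: str
    factors: list

class ChallengeRequired(Exception):
    """The call answered '401 -- Challenge Required'."""
    def __init__(self, challenge: Challenge):
        super().__init__("identity challenge required")
        self.challenge = challenge

class NotAuthenticated(Exception):
    """A 401 without a challenge body: the session itself is not valid."""

def parse_response(status: int, body: str) -> dict:
    """Return the decoded body on success or raise the matching exception.
    A 401 is treated as a challenge only when the body says so; any other
    401 means the session is gone and retrying with a factor is pointless."""
    data = json.loads(body) if body else {}
    if status == 401:
        ch = data.get("challenge")
        if data.get("error") != "Challenge Required" or not ch:
            raise NotAuthenticated(data.get("error", "unauthorized"))
        factors = [ChallengeFactor(f["id"], f["type"], f.get("target"))
                   for f in ch["factors"]]
        raise ChallengeRequired(Challenge(ch["id"], factors))
    if status >= 400:
        raise RuntimeError(f"API error {status}: {data.get('error')}")
    return data

def eligible_factors(challenge: Challenge) -> list:
    """Factors the customer can actually complete: OTP delivery needs a
    contact on file, security questions do not."""
    return [f for f in challenge.factors
            if f.kind == "security_questions" or f.target is not None]

def call_with_challenge(send: Callable, request: dict,
                        choose: Callable, answer: Callable) -> dict:
    """Perform one API call, completing at most one identity challenge.
    send(request) -> (status, body); choose(factors) -> factor;
    answer(factor) -> proof string (the OTP or question answers).
    The proof goes only into the retried request and is never logged."""
    try:
        return parse_response(*send(request))
    except ChallengeRequired as exc:
        options = eligible_factors(exc.challenge)
        if not options:
            raise RuntimeError("no usable challenge factor on file; "
                               "the action cannot be completed") from exc
        factor = choose(options)
        retried = dict(request, challenge={"id": exc.challenge.challenge_id,
                                            "factor_id": factor.factor_id,
                                            "proof": answer(factor)})
        # Exactly one retry: a second 401 propagates instead of looping.
        return parse_response(*send(retried))

# Constructed stand-in for the API so the example runs offline. It challenges
# transfers with an SMS or email OTP, but this customer has no email on file.
CHALLENGE_BODY = {"error": "Challenge Required", "challenge": {
    "id": "chal-1", "factors": [
        {"id": "f-sms", "type": "otp_sms", "target": "***-***-1234"},
        {"id": "f-email", "type": "otp_email", "target": None}]}}

def make_fake_server(expected_otp: str = "123456") -> Callable:
    def send(request: dict):
        if request.get("action") != "create_transfer":
            return 200, json.dumps({"ok": True})
        ch = request.get("challenge")
        if ch and (ch["id"], ch["factor_id"], ch["proof"]) == ("chal-1", "f-sms", expected_otp):
            return 200, json.dumps({"ok": True, "transfer_id": "t-42"})
        return 401, json.dumps(CHALLENGE_BODY)
    return send

if __name__ == "__main__":
    server = make_fake_server()
    result = call_with_challenge(server, {"action": "create_transfer", "amount": "100.00"},
                                 choose=lambda fs: fs[0],
                                 answer=lambda f: input(f"OTP sent to {f.target}: "))
    print(result)
```

The single bounded retry matters: a client that loops on every 401 will hammer the OTP endpoint and lock the customer out, while a client that ignores the error body will offer a challenge to a session that has simply expired.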
For a detailed guide on programmatically handling an Identity Challenge, view our Completing an Identity Challenge guide.