Agreement using OTP over SMS or Email

Principle

The principle of this scenario is to collect the expression of the customer's agreement with an OTP sent to his mobile phone or email address (depending on the creditor's agreement scheme). First, the customer receives the OTP on his mobile phone or by email. Then, he enters it on the Web interface to validate his agreement regarding the mandate signature/validation.

Identification on the creditor website
  1. Identification processed on the creditor's website.
Enter the information on the mandate
  2. The creditor inputs the mandate information.
  3. Visualization of the mandate as a PDF file and validation of the registered data.
  4. OTP delivery via SMS or EMAIL.
Signature or validation of the PDF mandate
  5. The debtor enters the OTP and accepts the contract.
  6. Generation of an OTU certificate in the name of the debtor (signature process), or use of the organization certificate (validation process).
  7. Signature of the mandate with the certificate.
  8. Time stamping and constitution of the evidence (OTP).
  9. Preservation of all the evidence for probationary purposes.
Delivery of the service
  10. Once the mandate is signed, the creditor can deliver the service.

OTP Generation:

The OTP is sent to the debtor by the SPS notification module, using an SMS or an EMAIL. When the OTP is generated, it is stored in the signature session. The OTP is a numeric code delivered together with a generic information message.

In validation mode, and if the creditor parameter is set to TRUE, the user can change his phone number or his email address only once. The new value is stored in the tracer and a new OTP is sent. It is not possible to switch from one channel to another (for example from the SMS channel to the Email channel).

The generated code is only valid for a short period of time (e.g. 5 minutes).

OTP Input:

Once the user has entered his information, he has to stay on the signature page and wait for the OTP, which arrives on the channel defined by his OTP agreement scheme. Once he has received the OTP he has to enter it and must accept the terms and conditions. A Frequently Asked Questions (FAQ) section is displayed on this page to explain to the end user the behaviour to adopt in the following cases:

Cases following the OTP input:

  • If the user inputs the right OTP: The user is sent to a waiting page indicating that the mandate is being signed, and is then redirected to the summary page.

  • If the user inputs the wrong OTP: The user can try to type it again or request another confirmation code.

  • If the user gives up: The option of going back to the source site and choosing another payment option is still available.

  • If the user does not receive the OTP: The user can ask the SPS signature module to resend the OTP.

For security reasons, the number of attempts allowed against the same OTP and the number of SMS messages sent per signature are both limited.

Specific Error Cases:

The following error cases complete the general cases described above:

  • When the user has tried too many times (e.g. 3) to enter an OTP, he has to ask for a new one;

  • If the user has already asked for too many text messages, the session state is set to failed and the user is redirected to the summary page, which indicates that the mandate signature process could not be completed;

  • If the user never reaches the end of the workflow, the session state is flagged as aborted by the user; the session is then no longer available and is marked as expired.
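The OTP rules described in the "OTP Generation", "OTP Input" and "Specific Error Cases" paragraphs above amount to a small state machine. The following Python model is an added example, not SPS Signature's own code, and it makes a few assumptions the page does not state: a 6-digit code, a cap of 3 messages per session (the page only says the number is "limited"), and the class and method names used here. It keeps the code in the session, expires it after 5 minutes, invalidates it after 3 wrong attempts, fails the session when too many messages have been sent, allows the single address change in validation mode without switching channel, and records each step in a tracer list.

```python
import hmac
import secrets
import time
from dataclasses import dataclass, field
from typing import Optional

# Policy values from the page: 5-minute lifetime, 3 wrong attempts per code.
# OTP_DIGITS and MAX_SENDS_PER_SESSION are assumptions (the page says only
# "numeric code" and "limited").
OTP_DIGITS = 6
OTP_TTL_SECONDS = 5 * 60
MAX_ATTEMPTS_PER_OTP = 3
MAX_SENDS_PER_SESSION = 3


@dataclass
class SignatureSession:
    channel: str                          # "sms" or "email"
    recipient: str                        # phone number or email address
    validation_mode: bool = False
    allow_recipient_change: bool = False  # the creditor parameter (TRUE/FALSE)
    state: str = "open"                   # open | signed | failed | expired
    otp: Optional[str] = None
    otp_expires_at: float = 0.0
    attempts: int = 0
    sends: int = 0
    recipient_changed: bool = False
    tracer: list = field(default_factory=list)  # evidence log

    def _log(self, event: str, **data) -> None:
        self.tracer.append({"t": time.time(), "event": event, **data})

    def send_otp(self, now: Optional[float] = None) -> str:
        """Generate a fresh code, store it in the session and 'send' it.
        The code is returned only so a caller/test can feed it back; a real
        notifier hands it to the SMS/email gateway, never to the browser."""
        now = time.time() if now is None else now
        if self.state != "open":
            raise RuntimeError(f"session is {self.state}")
        if self.sends >= MAX_SENDS_PER_SESSION:
            self.state = "failed"          # too many messages: session failed
            self._log("send_limit_exceeded")
            raise RuntimeError("too many OTP messages sent; session failed")
        # secrets, not random: the code must be unpredictable
        self.otp = "".join(secrets.choice("0123456789") for _ in range(OTP_DIGITS))
        self.otp_expires_at = now + OTP_TTL_SECONDS
        self.attempts = 0                  # a new code gets a fresh budget
        self.sends += 1
        self._log("otp_sent", channel=self.channel, recipient=self.recipient)
        return self.otp

    def change_recipient(self, channel: str, recipient: str) -> str:
        """Validation mode only: one change of the address, same channel."""
        if not (self.validation_mode and self.allow_recipient_change):
            raise PermissionError("recipient change not allowed")
        if self.recipient_changed:
            raise PermissionError("recipient may only be changed once")
        if channel != self.channel:
            raise PermissionError("cannot switch channel (e.g. SMS to Email)")
        self.recipient = recipient
        self.recipient_changed = True
        self._log("recipient_changed", channel=channel, recipient=recipient)
        return self.send_otp()

    def verify(self, submitted: str, accepted_terms: bool,
               now: Optional[float] = None) -> bool:
        """Check the submitted code; returns True only when the mandate is signed."""
        now = time.time() if now is None else now
        if self.state != "open" or self.otp is None or not accepted_terms:
            return False
        if now > self.otp_expires_at:
            self._log("otp_expired")
            self.otp = None                # the user must request a new code
            return False
        self.attempts += 1
        self._log("otp_received", value=submitted)
        # constant-time comparison so a wrong digit cannot be detected by timing
        if hmac.compare_digest(submitted.encode(), self.otp.encode()):
            self.state = "signed"
            self.otp = None
            return True
        if self.attempts >= MAX_ATTEMPTS_PER_OTP:
            self.otp = None                # exhausted: ask for a new one
            self._log("otp_attempts_exhausted")
        return False

    def abandon(self) -> None:
        """The user left the workflow: flagged as aborted, session expired."""
        if self.state == "open":
            self.state = "expired"
            self._log("aborted_by_user")
```

Two design points worth noting: the code is generated with `secrets` rather than `random`, and compared with `hmac.compare_digest`, so neither the generation nor the check leaks anything an attacker could use to shorten a brute-force attempt; and the attempt counter is reset only when a new code is issued, while the send counter is never reset, which is what makes the "too many text messages" failure enforceable.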

Backup solution to send the OTP

SPS Signature uses an external service to send the OTP code by Email or SMS. If this service is unavailable and the signature is done in validation mode, SPS Signature sends the OTP code by Email using another solution. This is transparent for the user. If the agreement is Email, there is no change in the workflow. If the agreement is SMS, and if the Email agreement is authorized, the user is asked for his email address if this information is missing, and the OTP code is sent by Email (the agreement mode is switched).

Advantages / Disadvantages

The following lists present the advantages and disadvantages of the agreement using OTP over SMS and EMAIL.

Advantages:
  • The process is simple and perfectly adapted to known customers;
  • The process takes place in real time.

Disadvantages:
  • The client must have a mobile phone or an email address;
  • The authentication process is not suitable for prospects.

How to use this Workflow

This workflow is applied when the client is already known by the creditor. In order to use the agreement workflow using OTP over SMS and EMAIL, the creditor has to ensure the client's authentication.

This solution therefore can be chosen only by creditors which:

  • Have a way to strongly authenticate their customers on their website;
  • Have their client’s mobile phone numbers or email addresses.

Evidence Elements

The collected evidence that is common to all processes is listed in the Evidence chapter.

Specific evidence of the agreement using OTP over SMS and EMAIL is the following:

  • Technical details of the agreement process:

    • Source (i.e. Browser);
    • Date of request;
    • Cookie values;
    • IP Address;
    • User Agent;
    • SMS/email request id;
    • Telephone number or email address;
    • OTP value generated by SPS;
    • Text and OTP value sent by SMS/email;
    • OTP received from the user.
  • Technical details of the OTU Signature:

    • Certificate produced;
    • Information about the debtor (First and Last Name and Gender);
    • The validation of the signed document:
      • Digital signature of the hash of the document;
      • Algorithms used.