wultra / enrollment-server

Base implementation of the enrollment server, usable as the stub for project bootstrapping.
GNU Affero General Public License v3.0

Invalid presence check limit check #761

Closed romanstrobl closed 1 year ago

romanstrobl commented 1 year ago

The presence check limit is checked using the SMS OTP count (default limit: 5). This is problematic, because the user can resend an SMS OTP, and then the number of presence check attempts does not correspond to the SMS OTP count. This manifests in the data that some users have up to 8 failed SMS OTPs.

We should consider implementing a different strategy, e.g. using a separate table which stores all presence check attempts and their results, including the SMS OTP result because it belongs to the same SCA verification step.

banterCZ commented 1 year ago

Suggested columns of the new table:

sca_id: [generated]
process_id: [uuid]
identity_verification_id: [uuid]
presence_check_result: null
otp_verification_result: null
sca_result: null
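The following is an added example, not code from the enrollment-server project or from either commenter. It models the per-attempt table suggested above with Python's `sqlite3` and walks through a constructed scenario in which every SCA attempt fails and the user resends the OTP in some of them. The table names `sms_otp` and `sca_attempt`, the status strings, and the assumption that an OTP superseded by a resend is also recorded as failed are all assumptions made for this example; the columns of `sca_attempt` follow the list in the comment above.

```python
"""Added example: counting SCA attempts per attempt row instead of per SMS OTP."""
import sqlite3

PRESENCE_CHECK_LIMIT = 5  # default limit quoted in the issue

# Table names are assumptions for this example; the sca_attempt columns are the
# ones proposed in the issue (sca_id is generated, the rest are filled in later).
SCHEMA = """
CREATE TABLE sms_otp (
    otp_id     INTEGER PRIMARY KEY AUTOINCREMENT,
    process_id TEXT NOT NULL,
    status     TEXT NOT NULL            -- 'FAILED' or 'VERIFIED'
);
CREATE TABLE sca_attempt (
    sca_id                   INTEGER PRIMARY KEY AUTOINCREMENT,
    process_id               TEXT NOT NULL,
    identity_verification_id TEXT NOT NULL,
    presence_check_result    TEXT,      -- NULL until the presence check finishes
    otp_verification_result  TEXT,      -- NULL until the OTP step finishes
    sca_result               TEXT       -- overall result of the SCA step
);
"""


def open_db():
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    return conn


def start_sca_attempt(conn, process_id, identity_verification_id):
    """One row per SCA attempt; OTP resends inside the attempt reuse this row."""
    cur = conn.execute(
        "INSERT INTO sca_attempt (process_id, identity_verification_id) VALUES (?, ?)",
        (process_id, identity_verification_id),
    )
    return cur.lastrowid


def send_otp(conn, process_id, status):
    """Every sent OTP, including each resend, is its own row in sms_otp."""
    conn.execute("INSERT INTO sms_otp (process_id, status) VALUES (?, ?)",
                 (process_id, status))


def finish_sca_attempt(conn, sca_id, presence_ok, otp_ok):
    """Record both sub-results and the combined result of the SCA step."""
    result = lambda ok: "SUCCESS" if ok else "FAILED"
    conn.execute(
        "UPDATE sca_attempt SET presence_check_result = ?, "
        "otp_verification_result = ?, sca_result = ? WHERE sca_id = ?",
        (result(presence_ok), result(otp_ok), result(presence_ok and otp_ok), sca_id),
    )


def failed_otp_count(conn, process_id):
    """Old strategy: count failed SMS OTPs. Resends inflate this number."""
    return conn.execute(
        "SELECT COUNT(*) FROM sms_otp WHERE process_id = ? AND status = 'FAILED'",
        (process_id,),
    ).fetchone()[0]


def failed_attempt_count(conn, process_id):
    """New strategy: count SCA attempts whose overall result is FAILED."""
    return conn.execute(
        "SELECT COUNT(*) FROM sca_attempt WHERE process_id = ? AND sca_result = 'FAILED'",
        (process_id,),
    ).fetchone()[0]


def attempt_allowed(conn, process_id, limit=PRESENCE_CHECK_LIMIT):
    """Limit check based on attempts, not on the number of OTPs sent."""
    return failed_attempt_count(conn, process_id) < limit


def simulate(resends_per_attempt):
    """Constructed scenario: each listed attempt fails; the value is how many
    times the user resent the OTP within it (resent OTPs are assumed to be
    recorded as failed). Returns (failed OTPs, failed attempts, next allowed)."""
    conn = open_db()
    pid, ivid = "proc-1", "idv-1"
    for resends in resends_per_attempt:
        if not attempt_allowed(conn, pid):
            break
        sca_id = start_sca_attempt(conn, pid, ivid)
        for _ in range(1 + resends):  # the first OTP plus each resend
            send_otp(conn, pid, "FAILED")
        finish_sca_attempt(conn, sca_id, presence_ok=False, otp_ok=False)
    return failed_otp_count(conn, pid), failed_attempt_count(conn, pid), attempt_allowed(conn, pid)


if __name__ == "__main__":
    print(simulate([0, 2, 0, 1, 0]))  # 8 failed OTPs but only 5 failed attempts
```

With five failed attempts and three resends spread across them, the OTP table holds eight failed rows while the attempt table holds five, which is exactly the mismatch the issue describes; the limit check on `sca_attempt` blocks a sixth attempt regardless of how many OTPs were resent.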