[Barclays] 90 second consent authorization timer.

Description

90 second consent authorization timer.

Once a PSU has authorized and consented to the account request they are given 90 seconds to return to the "original" window. In a Web-Web interaction this means switching tabs, where in an app based flow this involves switching apps.

(see attached image)

Given that Barclays already has session timeout management that governs the entire consent, it is completely unclear to us what benefit this 90 second window provides from a security profile perspective.

The timing here is quite unforgiving and it's not quite clear to us why this time is not included in the overall consent window. The OB Security Profile does allow for aggressive timing on the authorization_code => access_token swap as part of OIDC, but this is a non-interactive process that does not require PSU interaction.

This is one of many individual concerns TPPs have with Barclays Authorization and adds more pressure on PSUs to move quickly through the process. They may struggle to locate the original tab, and given that authorization has been completed it is unclear to us what reasoning exists for this individual timeout. As such, we feel that unless sufficient justification can be provided, this potentially could be construed as an "obstacle to the provision of [services]" under RTS Article 32(3).
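The distinction the description draws is between the interactive consent journey (bounded by the ASPSP's session timeout) and the non-interactive authorization_code to access_token exchange, which the OB Security Profile allows to be tightly time-boxed because only the TPP's backend is involved. The following is an added illustration, not code from Barclays or from the Open Banking Implementation Entity, of how an authorization server enforces those two lifetimes separately: a longer consent-session TTL covers the PSU's interaction, while a short, single-use authorization code covers only the machine-to-machine redemption. The class names, the TTL values and the fake clock are assumptions chosen for the example.

```python
import secrets
import time
from dataclasses import dataclass


# Constructed lifetimes for illustration only; these are not Barclays' settings.
CONSENT_SESSION_TTL = 300   # seconds the PSU has to complete the interactive consent journey
AUTH_CODE_TTL = 60          # seconds the TPP backend has to redeem the code (no PSU action needed)


class FakeClock:
    """Injectable clock so the lifetimes can be exercised deterministically."""

    def __init__(self, now: float) -> None:
        self.now = now

    def __call__(self) -> float:
        return self.now


@dataclass
class AuthCode:
    client_id: str
    consent_id: str
    issued_at: float
    used: bool = False


class AuthorizationServer:
    """Hypothetical ASPSP authorization server with two independent timeouts."""

    def __init__(self, clock=time.time) -> None:
        self.clock = clock
        self.consents: dict[str, dict] = {}
        self.codes: dict[str, AuthCode] = {}

    def start_consent(self, consent_id: str) -> None:
        # The interactive window opens when the PSU is redirected to the ASPSP.
        self.consents[consent_id] = {"started_at": self.clock(), "authorised": False}

    def psu_authorise(self, consent_id: str, client_id: str) -> str:
        # Interactive step: bounded by the consent-session timeout, not by the code TTL.
        consent = self.consents[consent_id]
        if self.clock() - consent["started_at"] > CONSENT_SESSION_TTL:
            raise PermissionError("consent session expired")
        consent["authorised"] = True
        # Unguessable, single-use code bound to the requesting TPP.
        code = secrets.token_urlsafe(32)
        self.codes[code] = AuthCode(client_id, consent_id, self.clock())
        return code

    def exchange_code(self, code: str, client_id: str) -> dict:
        # Non-interactive step: TPP backend redeems the code at the token endpoint.
        entry = self.codes.get(code)
        if entry is None or entry.client_id != client_id:
            raise PermissionError("invalid_grant")
        if entry.used:
            # Replay of a redeemed code; a production server would also revoke the
            # tokens previously issued for this consent.
            raise PermissionError("invalid_grant: code already used")
        if self.clock() - entry.issued_at > AUTH_CODE_TTL:
            raise PermissionError("invalid_grant: code expired")
        entry.used = True
        return {"access_token": secrets.token_urlsafe(32), "consent_id": entry.consent_id}


def demo() -> dict:
    """Walk through a successful redemption, a replay and an expired code."""
    clock = FakeClock(1_000.0)
    server = AuthorizationServer(clock)
    server.start_consent("consent-1")
    clock.now += 120                       # PSU spends two minutes on the consent screens
    code = server.psu_authorise("consent-1", "tpp-a")
    clock.now += 30                        # backend redeems well inside AUTH_CODE_TTL
    token = server.exchange_code(code, "tpp-a")
    try:
        server.exchange_code(code, "tpp-a")
        replay_rejected = False
    except PermissionError:
        replay_rejected = True
    late_code = server.psu_authorise("consent-1", "tpp-a")
    clock.now += AUTH_CODE_TTL + 1         # redemption attempted after the code lifetime
    try:
        server.exchange_code(late_code, "tpp-a")
        expired_rejected = False
    except PermissionError:
        expired_rejected = True
    return {"token": token, "replay_rejected": replay_rejected, "expired_rejected": expired_rejected}


if __name__ == "__main__":
    print(demo())
```

The point of keeping the two lifetimes separate is that a short code TTL costs the PSU nothing, since no human action sits between the redirect and the token request, whereas any timer that requires the PSU to find a tab or switch apps is part of the interactive journey and is naturally governed by the consent-session timeout.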

Technical Impact

None

Workaround

None

Resolution Notes

None

Impact Assessment

None

Status

Assignee

Unassigned

Reporter

Service Desk

Reference

None

Service Desk Reference

OBSD-4577

ASPSP

Query Type

None

Created (Original)

Aug 15, 2018, 4:07 PM

TPP Impact

Medium

Issue Summary

None

OB Environment

Production

Business Impact Severity

None
