Mobile and email confirmation - CustomerID

Ubisecure CustomerID supports mobile number confirmation by sending a confirmation code via SMS to the phone number that is to be confirmed. Similarly, it supports email address confirmation by sending a confirmation code via SMTP to the email address that is to be confirmed. Both functions are available in registrations and when modifying user attributes in the self-service user interface. However, the process is not exactly the same in both places.

When confirmation is used in registrations, the user has only one chance to enter the correct code, because the code is requested in a pop-up window. If the user enters the code incorrectly and still wants to perform the confirmation, a new code is sent and that new code must be entered. So the user cannot try several values against the same code, but it is possible to enter the same value again and see whether it matches the next generated code.

However, when confirmation is used while updating user attributes, the code can be entered multiple times, because it is not requested in a pop-up.

In both cases, a mechanism temporarily locks the confirmation after enough incorrect code values have been tried. The defaults for this locking are:

  • lockout threshold
    → 5 tries. The confirmation is temporarily locked after 5 incorrect tries. If the next try after the lockout is also incorrect, a new temporary lockout starts. The threshold therefore only defines the number of incorrect tries that do not start a temporary lockout; after that, each incorrect try starts one.
  • lockout duration
    → 20 minutes for mobile, 5 minutes for email. The temporary lockout lasts for the configured duration.

You can change these values in the eidm2.properties configuration file.
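
The default lockout behaviour described above, modelled as an added Python example (not Ubisecure code) to show how many incorrect codes can be evaluated in a given time window. It assumes that the try which brings the incorrect count to the threshold starts the first lockout and that tries made during a lockout are rejected without being evaluated or counted; the class and function names and the sample codes are constructed for illustration.

```python
import hmac
from dataclasses import dataclass

# Defaults stated on the page; durations converted to seconds.
THRESHOLD = 5
DURATION = {"mobile": 20 * 60, "email": 5 * 60}


@dataclass
class ConfirmationLock:
    """Hypothetical model of the temporary lockout for one confirmation."""
    channel: str                 # "mobile" or "email"
    threshold: int = THRESHOLD
    failures: int = 0            # never reset: later failures each re-lock
    locked_until: float = 0.0    # timestamp (seconds) when the lock ends

    def try_code(self, entered: str, expected: str, now: float) -> str:
        """Return 'locked', 'confirmed' or 'incorrect' for one try at `now`."""
        if now < self.locked_until:
            # Assumption: a try during lockout is rejected, not evaluated.
            return "locked"
        # Constant-time comparison so timing does not leak matching digits.
        if hmac.compare_digest(entered, expected):
            return "confirmed"
        self.failures += 1
        # Assumption: the try that reaches the threshold starts the lockout;
        # from then on every further incorrect try starts a new one.
        if self.failures >= self.threshold:
            self.locked_until = now + DURATION[self.channel]
        return "incorrect"


def evaluated_tries(channel: str, window_s: int, step_s: int = 1) -> int:
    """Count incorrect codes that are actually evaluated when a wrong code
    is submitted every `step_s` seconds for `window_s` seconds."""
    lock = ConfirmationLock(channel)
    wrong, expected = "000000", "123456"   # constructed sample codes
    return sum(
        lock.try_code(wrong, expected, t) == "incorrect"
        for t in range(0, window_s, step_s)
    )


if __name__ == "__main__":
    for channel in ("mobile", "email"):
        print(channel, evaluated_tries(channel, 3600), "evaluated tries per hour")
```

Under these assumptions the defaults bound the number of evaluated guesses per hour, which is the figure to weigh against the length of the confirmation code when changing the threshold or duration.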