How to ask a user to verify their identity through OTP in the same flow as verifying their mobile number?
I'm working on integrating an OTP (one-time password) through SMS before a user is allowed to change their personal details. It's a banking environment, so the verification must be done regardless of circumstance. Users could be leaving their browser open while logged in, and that's not a risk the fraud department is willing to take.
With simple fields like name and address, asking for an OTP wouldn't be an issue. However, we also have to ask a user to do this when they want to change their mobile number or email address. That step contains its own verification aspect. We are essentially stacking verifications; one to prove the person is who he says he is, and one to prove the number is theirs.
Is it possible to verify both the user identity and the mobile number/email without bombarding the user with identification requests for every single change? And if not, how can this be made as painless as possible?
And on a similar note: how to deal with sending an OTP to a number that's no longer in use? Users that want to update their phone number will be sent a code to their listed number first.
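The stacked flow described in the question (an identity OTP to the listed number, then an ownership OTP to the new number), written out as an added illustration that is not part of the original post: a completed identity check is remembered on the session for a short window so that further changes made in the same sitting only require the ownership code. The TTL, reuse window, attempt limit and the `send` gateway stub are all assumed values, not anything the question specifies; the case of a listed number that is no longer reachable is not modelled here.

```python
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass
from typing import Callable, Optional

OTP_TTL = 300        # seconds a code stays valid (assumed policy)
REUSE_WINDOW = 600   # seconds one identity check covers further changes (assumed)
MAX_ATTEMPTS = 3     # wrong guesses before the challenge is discarded (assumed)


@dataclass
class Challenge:
    code_hash: str     # only the hash of the code is kept server-side
    expires: float
    purpose: str       # "identity" (sent to listed number) or "ownership" (sent to new number)
    attempts: int = 0


@dataclass
class Session:
    user_id: str
    listed_number: str
    identity_verified_at: Optional[float] = None
    challenge: Optional[Challenge] = None
    pending_number: Optional[str] = None


def _hash(code: str) -> str:
    return hashlib.sha256(code.encode()).hexdigest()


def issue(session: Session, purpose: str, destination: str,
          send: Callable[[str, str], None], now=time.time) -> None:
    """Generate a 6-digit code, store its hash with an expiry, and hand it to the SMS stub."""
    code = f"{secrets.randbelow(10**6):06d}"
    session.challenge = Challenge(_hash(code), now() + OTP_TTL, purpose)
    send(destination, code)


def verify(session: Session, code: str, now=time.time) -> bool:
    """Check a submitted code; on success record the identity check or commit the new number."""
    ch = session.challenge
    if ch is None or now() > ch.expires or ch.attempts >= MAX_ATTEMPTS:
        session.challenge = None          # expired or exhausted: caller must request a fresh code
        return False
    ch.attempts += 1
    if not hmac.compare_digest(_hash(code), ch.code_hash):
        return False
    session.challenge = None
    if ch.purpose == "identity":
        session.identity_verified_at = now()
    else:                                 # "ownership": the new number answered, so adopt it
        session.listed_number, session.pending_number = session.pending_number, None
    return True


def request_number_change(session: Session, new_number: str,
                          send: Callable[[str, str], None], now=time.time) -> str:
    """Return which step was issued: 'identity' unless a recent identity check already covers it."""
    verified = session.identity_verified_at
    if verified is None or now() - verified > REUSE_WINDOW:
        issue(session, "identity", session.listed_number, send, now)
        return "identity"
    session.pending_number = new_number
    issue(session, "ownership", new_number, send, now)
    return "ownership"
```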