- Users may have more than one login at a bank, or may use a spouse's login alongside their own in the client product. During re-authentication, when the user is delegated to the bank's website to authenticate, they may enter a different valid login than the one used originally. This results in the client receiving a different set of accounts.
- Trying to solve this by comparing the account sets before and after the new re-auth token is not reliable, since accounts can be closed or both users may hold joint accounts. Without actual user context (an identifier of the logged-in user), it is hard for clients to determine whether the user entered a different set of login credentials.
- The current value of the “sub” field is not reliable, as it may change when the user goes through the re-auth flow.
- Adding a unique non-PII/non-PCI identifier to the ID Token that is unique and immutable within a provider/bank would resolve this issue, since clients could then compare the identifier before and after re-auth.
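The before/after comparison described above, as an added example that is not part of the proposal: the claim name `stable_user_id` is a hypothetical placeholder for whatever identifier the provider would issue, and the tokens are constructed HS256 JWTs signed with a demo secret standing in for the bank's real signing key. It checks the signature before trusting any claim, compares the stable identifier rather than `sub`, and keeps the account-set heuristic alongside to show where it fails.

```python
import base64
import hashlib
import hmac
import json

# Constructed demo secret standing in for the bank's signing key (a real provider
# would sign with RS256/ES256 and publish the public key via JWKS).
SECRET = b"constructed-demo-secret"


def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def mint_id_token(claims: dict) -> str:
    """Build a constructed HS256 ID Token for the demo (not a real bank token)."""
    header = b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = b64url(json.dumps(claims).encode())
    sig = hmac.new(SECRET, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{b64url(sig)}"


def verified_claims(token: str) -> dict:
    """Check the signature before trusting any claim, then return the payload."""
    header, payload, sig = token.split(".")
    expected = hmac.new(SECRET, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(sig)):
        raise ValueError("ID token signature invalid")
    return json.loads(b64url_decode(payload))


def same_login(original: str, reauth: str, stable_claim: str = "stable_user_id") -> bool:
    """Compare the provider-stable identifier (hypothetical claim name), not 'sub'."""
    return verified_claims(original)[stable_claim] == verified_claims(reauth)[stable_claim]


def accounts_changed(before: set, after: set) -> bool:
    """The unreliable heuristic from the proposal: a set difference cannot tell a
    closed or joint account from a different login."""
    return before != after
```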