# (Conditional) Conduct risk control

When certain risks are detected in payment transactions, merchants initiate risk challenges to verify the user's identity. The Mobile Payment Provider (MPP) needs to handle requests such as sending one-time password (OTP) codes and verifying OTP codes to enable merchants to verify the user's identity.

## Workflow

The following figure illustrates the risk challenge workflow:

![image](https://intranetproxy.alipay.com/skylark/lark/0/2022/png/39856313/1670984784304-2e2d45c7-4021-448e-8f33-d0537985814e.png?x-oss-process=image%2Fresize%2Cw_1500)

Figure 1. Risk challenge workflow

The risk challenge workflow contains the following steps:

1.  The merchant detects risks and initiates the risk challenge to verify the user's identity (Steps 1-2).
2.  The ACQP forwards the request to Alipay+, and Alipay+ requests the MPP to send an OTP code to the user by calling the [sendOTP](../api_mpp/send_otp) API with _accessToken_ (Steps 3-4).
3.  The MPP server sends an OTP code to the user and returns _verifyRequestId_ to Alipay+ (Steps 5-6).
4.  After receiving _verifyRequestId_, the merchant sends a request to the ACQP to verify the OTP code (Steps 7-9).
5.  The ACQP forwards the request to Alipay+, and Alipay+ requests the MPP to verify the OTP code by calling the [verifyOTP](../api_mpp/verify_otp) API (Steps 10-11).
6.  The MPP verifies the OTP code and then returns the verification result (Steps 12-15).

## Step 1. Send an OTP code to the user

After receiving the request to verify the user's identity, Alipay+ calls the [sendOTP](../api_mpp/send_otp) API to request the MPP to send an OTP code to the user. After sending the OTP code, the MPP returns _verifyRequestId_ to Alipay+.

#### Processing logic

When handling the **sendOTP** API request, take the following things into consideration:

-   Handle the request properly, especially the following parameters:

    -   _accessToken_: Each access token can be used to request at least 3 OTP codes per day.

-   Ensure the following parameters are configured properly in the response:

    -   _verifyRequestId_: The MPP needs to return _verifyRequestId_ to Alipay+ when OTP sending succeeds.
    -   _result.resultCode_: The following table shows how to set the value of the _result.resultCode_ parameter under different conditions.

| **Condition** | **Value of** **_result.resultCode_** | **Required or not** |
| --- | --- | --- |
| The access token is invalid. | `INVALID_TOKEN` | Recommended |
| The access token is expired. | `INVALID_TOKEN`/`EXPIRED_ACCESS_TOKEN` | Recommended |
| The number of times the access token is used to request OTP sending exceeds the daily limit. | `OTP_SEND_TIMES_EXCEED_LIMIT` | Recommended |
| The user does not exist. | `USER_NOT_EXIST` | Recommended |
| The user status is abnormal. | `USER_STATUS_ABNORMAL` | Recommended |

#### Sample

Alipay+ sends a request to the MPP.

```json
{
  "acquirerId": "1022188000000000000",
  "pspId": "1022172000000000000",
  "accessToken": "281010033AB2F588D14B43238637264FCA5A0000"
}
```

The MPP returns the result to Alipay+.

```json
{
  "result": {
    "resultCode": "SUCCESS",
    "resultStatus": "S",
    "resultMessage": "Success"
  },
  "verifyRequestId": "0b9fc14b1571815309135213911****"
}
```

#### More information

For more information about how to handle the **sendOTP** API request and send the response, see [sendOTP](../api_mpp/send_otp).

## Step 2. Verify the OTP code

After receiving _verifyRequestId_, the merchant initiates a request to Alipay+ to verify the OTP code. Alipay+ then calls the [verifyOTP](../api_mpp/verify_otp) API to forward the request to the MPP.

#### Processing logic

When handling the **verifyOTP** API request, ensure the following parameters are configured properly in the response:

-   _result.resultCode_: The following table shows how to set the value of the _result.resultCode_ parameter under different conditions.

| **Condition** | **Value of** **_result.resultCode_** | **Required or not** |
| --- | --- | --- |
| The OTP code is invalid. | `OTP_VERIFY_UNMATCHED` | Recommended |
| The number of times the OTP code is used for verification exceeds the limit. | `OTP_VERIFY_TIMES_EXCEED_LIMIT` | Recommended |
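
The following sketch is an added example, not Alipay+ or MPP reference code. It shows one way an MPP server could map the conditions in the **sendOTP** and **verifyOTP** tables to result codes while enforcing the per-token daily send limit and a per-code verification limit. The class name, the in-memory stores, the `deliver` hook, the verification limit, the OTP lifetime, and the `"F"` failure status are assumptions.

```python
import hmac, secrets, time

DAILY_SEND_LIMIT = 3     # page: each token must be allowed at least 3 sends per day
MAX_VERIFY_TRIES = 3     # assumption: the page does not state this limit
OTP_TTL = 300            # assumption: code lifetime in seconds

def result(code):
    # "F" for failures is an assumption; the page's samples only show "S"
    ok = code == "SUCCESS"
    return {"resultCode": code, "resultStatus": "S" if ok else "F",
            "resultMessage": "Success" if ok else code}

class OtpChallenges:
    def __init__(self, tokens, deliver, clock=time.time):
        self.tokens = tokens        # accessToken -> {"expires": ts, "user": status or None}
        self.deliver = deliver      # hypothetical SMS/push hook: deliver(access_token, code)
        self.clock = clock
        self.sends = {}             # (accessToken, UTC day) -> sends so far
        self.pending = {}           # verifyRequestId -> challenge state

    def send_otp(self, req):
        token, now = req.get("accessToken"), self.clock()
        info = self.tokens.get(token)
        if info is None:
            return {"result": result("INVALID_TOKEN")}
        if info["expires"] <= now:
            return {"result": result("EXPIRED_ACCESS_TOKEN")}
        if info["user"] is None:
            return {"result": result("USER_NOT_EXIST")}
        if info["user"] != "ACTIVE":
            return {"result": result("USER_STATUS_ABNORMAL")}
        day = (token, int(now // 86400))
        if self.sends.get(day, 0) >= DAILY_SEND_LIMIT:
            return {"result": result("OTP_SEND_TIMES_EXCEED_LIMIT")}
        self.sends[day] = self.sends.get(day, 0) + 1
        vid, code = secrets.token_hex(16), f"{secrets.randbelow(10**6):06d}"
        self.pending[vid] = {"token": token, "code": code, "tries": 0, "expires": now + OTP_TTL}
        self.deliver(token, code)
        return {"result": result("SUCCESS"), "verifyRequestId": vid}

    def verify_otp(self, req):
        ch = self.pending.get(req.get("verifyRequestId"))
        # Unknown, expired or wrong-token challenges are reported as unmatched (assumption)
        if ch is None or ch["token"] != req.get("accessToken") or ch["expires"] <= self.clock():
            return {"result": result("OTP_VERIFY_UNMATCHED")}
        if ch["tries"] >= MAX_VERIFY_TRIES:
            return {"result": result("OTP_VERIFY_TIMES_EXCEED_LIMIT")}
        ch["tries"] += 1            # count before comparing so guesses cannot be retried freely
        if not hmac.compare_digest(ch["code"].encode(), str(req.get("otpCode", "")).encode()):
            return {"result": result("OTP_VERIFY_UNMATCHED")}
        del self.pending[req["verifyRequestId"]]    # a verified code is single-use
        return {"result": result("SUCCESS")}
```

Once the attempt limit is reached, even the correct code is rejected with `OTP_VERIFY_TIMES_EXCEED_LIMIT`, so a new **sendOTP** call is needed to continue.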

#### Sample

Alipay+ sends a request to the MPP.

```json
{
  "acquirerId": "1022188000000000000",
  "pspId": "1022172000000000000",
  "accessToken": "281010033AB2F588D14B43238637264FCA5A0000",
  "verifyRequestId": "0b9fc14b15718153091352139110000",
  "otpCode": "660000"
}
```

The MPP returns the result to Alipay+.

```json
{
  "result": {
    "resultCode": "SUCCESS",
    "resultStatus": "S",
    "resultMessage": "Success"
  }
}
```

#### More information

For more information about how to handle the **verifyOTP** API request and send the response, see [verifyOTP](../api_mpp/verify_otp).