Build Login with OTP Authentication

How can we build Login with OTP Authentication? What would be the logic behind OTP login?

What is OTP?

OTP is generally a 4 to 8 digit One Time Password (or One Time PIN). It is valid for only one login session or transaction.

Here, we will discuss the logic and steps to build login functionality with OTP. We will cover the basic idea behind OTP login; you should still take additional precautions and harden this logic before using it on production websites.

How to Make OTP Logic Secure?

  • OTP should be sent only if the phone number or email address is valid, i.e. it is found in the database.
  • Limit Login – Limit the number of login attempts so that there is little chance of guessing the OTP by trying again and again. After the attempt limit is reached, reset/delete the OTP from the database.
  • OTP Expire Time – Make the OTP expire after a limited time. Therefore, always store the OTP generation time along with the OTP.
  • OTP Clear – After a successful login, clear or reset the OTP in the database so that it can only be used ONCE (that’s why it is called a One Time Password).

Steps behind OTP Login:

  • User enters the phone number or email address to log in
  • If the phone number or email is not valid, send an error
  • If the phone number or email is valid, send the OTP
  • Store the same OTP in the database along with the OTP generation time and an OTP Attempt count of 0
  • User enters the received OTP to log in
    • If the OTP is older than 5 minutes, clear the OTP in the database and show an error.
    • If OTP Attempt in the database is higher than 3, clear the OTP and show an error.
    • If the OTP is wrong, increment OTP Attempt in the database and show an error.
    • If the OTP is correct, clear the OTP in the database and log the user in.

The algorithm behind OTP Login:

Step 1: Start
Step 2: Enter phone/email to receive OTP
Step 3: if phone/email is not in database
            show invalid phone/email error
Step 4: else (phone/email is valid)
            insert otp, otp_time and attempts = 0 in database
            send otp to phone/email
            show otp_sent success message
Step 5: User enters otp to login
Step 6: if attempts > 3
            reset otp
            show otp expired error
        else if otp_time is older than 5 minutes
            reset otp
            show otp expired error
        else if otp is not valid
            attempts = attempts + 1
            show login error
        else (otp is valid)
            reset otp
            show login success
Step 7: End

For additional security, you can track the overall number of attempts in the last 60 minutes, and if it is more than 10, block the user (by cookie or in the database) for 24 hours and show an error.
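The complete flow, including the 60-minute block described above, as a Python implementation added here for illustration; it is not code from the original article. It keeps the page's 5-minute expiry and 3-attempt limit and adds the "more than 10 failures in 60 minutes, block for 24 hours" rule. The in-memory `USERS` dict, the `UserRecord` schema, `SERVER_KEY` and the sample contact addresses are constructed placeholders standing in for a real database and configuration. It goes slightly beyond the page in two places: the database stores a keyed hash (HMAC) of the OTP rather than the OTP itself, and the OTP is cleared on the third wrong guess instead of on the attempt after it.

```python
import hmac
import secrets
import time
from dataclasses import dataclass, field
from hashlib import sha256
from typing import List, Optional, Tuple

OTP_DIGITS = 6
OTP_TTL_SECONDS = 5 * 60        # "older than 5 minutes" -> expired
MAX_ATTEMPTS = 3                # wrong guesses allowed per OTP
WINDOW_SECONDS = 60 * 60        # "overall attempts in last 60 minutes"
WINDOW_LIMIT = 10               # more than 10 failures in the window -> block
BLOCK_SECONDS = 24 * 60 * 60    # block for 24 hours

# Placeholder: load this from configuration in a real deployment, never hard-code it.
SERVER_KEY = b"placeholder-server-secret"


@dataclass
class UserRecord:
    """Stand-in for the database row (assumed schema, not from the article)."""
    contact: str
    otp_hash: Optional[str] = None       # HMAC of the OTP, never the OTP itself
    otp_time: Optional[float] = None     # generation time (Unix seconds)
    attempts: int = 0                    # wrong guesses against the current OTP
    failures: List[float] = field(default_factory=list)  # timestamps for the 60-minute window
    blocked_until: float = 0.0


# Constructed sample "database": only registered contacts may receive an OTP.
USERS = {"alice@example.test": UserRecord("alice@example.test")}


def _otp_hash(contact: str, otp: str) -> str:
    # Keyed hash: a leaked table does not reveal OTPs without the server key.
    return hmac.new(SERVER_KEY, f"{contact}:{otp}".encode(), sha256).hexdigest()


def _clear_otp(user: UserRecord) -> None:
    user.otp_hash = None
    user.otp_time = None
    user.attempts = 0


def request_otp(contact: str, now: Optional[float] = None) -> Tuple[Optional[str], str]:
    """Steps 2-4: look up the contact, then generate and store a fresh OTP.

    Returns (otp, status). The OTP is returned only so the caller can hand it
    to the SMS/email sender; it must never be sent back to the browser.
    """
    now = time.time() if now is None else now
    user = USERS.get(contact)
    if user is None:
        return None, "invalid phone/email"
    if now < user.blocked_until:
        return None, "blocked"
    otp = "".join(secrets.choice("0123456789") for _ in range(OTP_DIGITS))
    user.otp_hash = _otp_hash(contact, otp)
    user.otp_time = now
    user.attempts = 0
    return otp, "otp_sent"


def _record_failure(user: UserRecord, now: float) -> bool:
    """Sliding-window counter behind the 'block for 24 hours' rule; True if now blocked."""
    user.failures = [t for t in user.failures if now - t < WINDOW_SECONDS]
    user.failures.append(now)
    if len(user.failures) > WINDOW_LIMIT:
        user.blocked_until = now + BLOCK_SECONDS
        _clear_otp(user)
        return True
    return False


def verify_otp(contact: str, submitted: str, now: Optional[float] = None) -> Tuple[bool, str]:
    """Steps 5-6: check block, expiry and attempt limit, then compare in constant time."""
    now = time.time() if now is None else now
    user = USERS.get(contact)
    if user is None:
        return False, "no active otp"
    if now < user.blocked_until:
        return False, "blocked"
    if user.otp_hash is None or user.otp_time is None:
        return False, "no active otp"
    if now - user.otp_time > OTP_TTL_SECONDS:
        _clear_otp(user)
        return False, "otp expired"
    if not hmac.compare_digest(user.otp_hash, _otp_hash(contact, submitted)):
        user.attempts += 1
        if _record_failure(user, now):
            return False, "blocked"
        if user.attempts >= MAX_ATTEMPTS:
            _clear_otp(user)            # clear eagerly so the OTP cannot linger
            return False, "too many attempts"
        return False, "wrong otp"
    _clear_otp(user)                    # one-time: never accept the same OTP twice
    return True, "login success"


if __name__ == "__main__":
    otp, status = request_otp("alice@example.test")
    print(status, "->", verify_otp("alice@example.test", otp))
```

The optional `now` argument exists so that expiry and the 60-minute window can be exercised without waiting; production code would use the clock directly. Against a real database, the attempt increment and the attempt-limit check should run as a single atomic UPDATE (or under a row lock), otherwise concurrent requests can each read `attempts = 2` and together exceed the limit.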
