Build Login with OTP Authentication
How can we build Login with OTP Authentication? What would be the logic behind OTP login?
What is OTP?
An OTP is generally a 4 to 8 digit One Time Password (or One Time Pin). It is valid for only one login session or transaction.
Here we will discuss the logic and steps for building login functionality with OTP. We cover the basic idea behind OTP login; before using this logic on a production website you should take the precautions below and make it secure.
How to Make OTP Logic Secure?
- Send an OTP only if the phone number or email address is valid (for login, that means it is registered in your database).
- Limit login attempts – limit the number of OTP guesses so there is minimal chance of finding the code by trying again and again (a 6-digit OTP has only 1,000,000 possible values, so an unlimited guess rate makes brute force easy). After the limit is reached, reset/delete the OTP in the database.
- OTP expiry time – make the OTP expire after a limited time. Therefore, always store the generation time along with the OTP.
- OTP clear – after a successful login, clear or reset the OTP in the database so that it can only be used ONCE (that is why it is called a One Time Password).
Steps behind OTP Login:
- The user enters their phone number or email address to log in
- If the phone number or email is not valid, show an error
- If the phone number or email is valid, generate and send an OTP
- Store the OTP in the database along with its generation time, and set the OTP attempt count to 0
- The user enters the OTP they received to log in
- If the OTP is older than 5 minutes, clear the OTP in the database and show an error
- If the OTP attempt count in the database is higher than 3, clear the OTP and show an error
- If the OTP is wrong, increment the OTP attempt count in the database and show an error
- If the OTP is correct, clear the OTP in the database and log the user in
The algorithm behind OTP Login:
Step 1: Start
Step 2: User enters phone/email to receive an OTP
Step 3: If phone/email is not in the database
            show "invalid phone/email" error
Step 4: If phone/email is valid
            insert otp, otp_time and attempts = 0 in the database
            send otp to phone/email
            show "OTP sent" success message
Step 5: User enters otp to log in
Step 6: If attempts > 3
            reset otp
            show "OTP expired" error
        else if otp_time is older than 5 minutes
            reset otp
            show "OTP expired" error
        else if otp is not valid
            attempts = attempts + 1
            show login error
        else (otp is valid)
            reset otp
            show login success
Step 7: End
For additional security, you can also track the overall number of failed attempts in the last 60 minutes and, if there are more than 10, block the user for 24 hours and show an error. Keep this block in the database rather than only in a cookie: a cookie-only block is trivially bypassed by the attacker clearing their cookies, so the decision must be enforced server-side (keyed on the account, and ideally the source IP as well).
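The whole flow above (the step list, the Step 1-7 algorithm and the 60-minute lockout) as one runnable Python example. This is an added example, not code from the original article. It stands in for the database with an in-memory dict and takes an injectable clock so the expiry and lockout paths can be exercised without waiting. Two hardenings go beyond the page and are assumptions of this example: the OTP is generated with Python's `secrets` module rather than `random`, and it is stored as an HMAC-SHA256 hash under a server-side secret (`PEPPER`, a placeholder here) instead of in plaintext, so a leaked table does not expose live codes. The `USERS` set, the `+15550100` and `alice@example.com` identities and the class and method names are all constructed for the demonstration.

```python
import hashlib
import hmac
import secrets
import time

OTP_DIGITS = 6
OTP_TTL_SECONDS = 5 * 60            # article: an OTP older than 5 minutes is expired
MAX_OTP_ATTEMPTS = 3                # article: reset the OTP once attempts > 3
LOCKOUT_WINDOW_SECONDS = 60 * 60    # article: count failures over the last 60 minutes
LOCKOUT_THRESHOLD = 10              # article: more than 10 failures in the window ...
LOCKOUT_SECONDS = 24 * 60 * 60      # ... blocks the user for 24 hours

# Constructed stand-in for the users table: identities allowed to log in.
USERS = {"+15550100", "alice@example.com"}

# Assumption (not in the article): a server-side secret so a leaked table of
# OTP hashes cannot be brute-forced offline over the 10**6 possible codes.
PEPPER = b"replace-with-a-random-secret-loaded-from-config"


class FakeClock:
    """Controllable clock for the demo and tests; production passes time.time."""
    def __init__(self, start=1_700_000_000.0):
        self.t = start

    def __call__(self):
        return self.t


class OtpLogin:
    def __init__(self, users, now=time.time):
        self.users = users
        self.now = now              # callable returning seconds since the epoch
        self.pending = {}           # identity -> {"otp_hash", "otp_time", "attempts"}
        self.failures = {}          # identity -> timestamps of wrong-OTP attempts
        self.blocked_until = {}     # identity -> time at which the 24-hour block ends

    @staticmethod
    def _hash(identity, otp):
        # Bind the hash to the identity so a stored value is only valid for that user.
        msg = f"{identity}:{otp}".encode()
        return hmac.new(PEPPER, msg, hashlib.sha256).hexdigest()

    def _is_blocked(self, identity):
        return self.blocked_until.get(identity, 0) > self.now()

    def request_otp(self, identity):
        """Steps 2-4: validate phone/email, then generate and store an OTP."""
        if identity not in self.users:
            return False, "invalid phone/email"
        if self._is_blocked(identity):
            return False, "blocked"
        otp = f"{secrets.randbelow(10 ** OTP_DIGITS):0{OTP_DIGITS}d}"
        self.pending[identity] = {
            "otp_hash": self._hash(identity, otp),
            "otp_time": self.now(),
            "attempts": 0,
        }
        # Returned only so the caller can hand it to the SMS/email sender;
        # never log it or put it in the HTTP response.
        return True, otp

    def _record_failure(self, identity, now):
        # Sliding 60-minute window; more than 10 failures blocks the user server-side.
        recent = [t for t in self.failures.get(identity, [])
                  if now - t <= LOCKOUT_WINDOW_SECONDS]
        recent.append(now)
        self.failures[identity] = recent
        if len(recent) > LOCKOUT_THRESHOLD:
            self.blocked_until[identity] = now + LOCKOUT_SECONDS
            self.failures[identity] = []
            self.pending.pop(identity, None)

    def verify_otp(self, identity, otp):
        """Steps 5-6 in the article's order: block, attempts, age, then the value."""
        now = self.now()
        if self._is_blocked(identity):
            return False, "blocked"
        record = self.pending.get(identity)
        if record is None:
            return False, "no OTP pending"
        if record["attempts"] > MAX_OTP_ATTEMPTS:
            del self.pending[identity]
            return False, "otp expired: too many attempts"
        if now - record["otp_time"] > OTP_TTL_SECONDS:
            del self.pending[identity]
            return False, "otp expired"
        if not hmac.compare_digest(record["otp_hash"], self._hash(identity, otp)):
            record["attempts"] += 1
            self._record_failure(identity, now)
            return False, "wrong otp"
        del self.pending[identity]   # one-time: a correct OTP is cleared on use
        return True, "login success"


if __name__ == "__main__":
    login = OtpLogin(USERS)
    sent, otp = login.request_otp("alice@example.com")
    print("otp sent:", sent)        # the code itself goes to the mailer, not stdout
    print(login.verify_otp("alice@example.com", otp))
```

The lockout is keyed on the identity whose OTP is being guessed, which is what the article describes; it does nothing to stop an attacker who requests OTPs for many different numbers, so in production `request_otp` needs its own rate limit per source as well.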