Use One-Time Passwords (OTP) in Two-Factor Authentication (2FA) to ensure a user is who they claim to be when they log in or perform transactions.
Accessing accounts and performing transactions requires strong user authentication. In the context of customers, it is strong customer authentication (SCA) that is required and often mandated. One-Time Passwords (OTP), along with Two-Factor Authentication (2FA), provide a means to verify that a person is who they claim to be.
OTP Use Cases:
- User login as part of 2FA
- Transaction authentication
- Customer onboarding - verify mobile number and/or email address
Ways to use One-Time Password
The Melrose Labs One-Time Password service can process One-Time Passwords in one of two ways. OTPs are either generated by the service and sent to users, or generated by an application on the user's device (e.g. Google Authenticator).
Sending OTPs to Users
Sending One-Time Passwords to users can be done with a REST call to our OTP API, and delivered via SMS text message, voice call or email.
When using the Melrose Labs One-Time Password service, we don't let you know the actual One-Time Password that has been sent to your user, which prevents potential leakage of this critical information at the source.
OTP and Google Authenticator
Users can quickly be enrolled with the One-Time Password service and use the Google Authenticator app on their mobile to generate OTPs. The user provides the OTP that was generated on their mobile and the service then verifies it.
Use of this method may be preferable in some scenarios.
Integrate with the One-Time Password service
Integrate OTP into your application using our OTP API. For simple integration, use one OTP API call to send an OTP to a user and another API call to verify what the user provided.
Sending OTP codes and verifying code from user
To send an OTP, you specify the message content and the recipient. You can also specify the complexity of the OTP (e.g. length, digits-only, letters-only or letters and digits) and its expiry. Delivery of the OTP will take place in a few seconds when using SMS text.
Verify code from user when using Google Authenticator
Make a call to the OTP service API and provide the code from the user and the user's OTP service user ID.
- Part of strong customer authentication
- Simple OTP service API
- OTP delivery to device or device-generated OTP (TOTP)
- OTP delivered via SMS, voice or email
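The check a verifier performs on a Google Authenticator code, shown as an added example that is not Melrose Labs' code or API. It assumes standard TOTP (RFC 6238) with HMAC-SHA-1, a 30-second step and 6 digits; the `TotpVerifier` name, the one-step drift window and the replay rule are choices made for this illustration.

```python
import base64
import hashlib
import hmac
import struct
import time


def totp(secret: bytes, counter: int, digits: int = 6) -> str:
    """HOTP value (RFC 4226) for one counter; TOTP uses the time step as counter."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F  # dynamic truncation
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)


class TotpVerifier:
    """Hypothetical per-user verifier; holds the secret shared at enrolment."""

    def __init__(self, secret_b32: str, step: int = 30, window: int = 1, digits: int = 6):
        self.secret = base64.b32decode(secret_b32, casefold=True)
        self.step, self.window, self.digits = step, window, digits
        self.last_counter = -1  # highest time step already accepted

    def verify(self, code: str, now=None) -> bool:
        # Reject malformed input before any comparison.
        if len(code) != self.digits or not (code.isascii() and code.isdigit()):
            return False
        current = int(time.time() if now is None else now) // self.step
        matched = None
        # Allow `window` steps of clock drift either side of the current step.
        for counter in range(max(0, current - self.window), current + self.window + 1):
            if hmac.compare_digest(totp(self.secret, counter, self.digits), code):
                matched = counter
        # A code from a step at or before the last accepted one is a replay.
        if matched is None or matched <= self.last_counter:
            return False
        self.last_counter = matched
        return True


if __name__ == "__main__":
    # Constructed sample: the RFC 6238 test secret, not a real enrolment.
    demo_secret = base64.b32encode(b"12345678901234567890").decode()
    verifier = TotpVerifier(demo_secret)
    print(verifier.verify("287082", now=59))   # first use
    print(verifier.verify("287082", now=59))   # replay of the same code
```

A production verifier would also rate-limit failed attempts per user, since a 6-digit code space is small.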