Published: Dec 23, 2020
Last update: Dec 23, 2020

Integration guide for OTP SMS. How is the OTP SMS verification process?


In a previous post we described what an SMS verification system is and the advantages of sending OTP codes via SMS. In this post we describe how to integrate OTPs and give recommendations for a good OTP integration with the LabsMobile platform.

First of all, the validation or verification process can be applied in many software environments: apps, social networks, web platforms, financial transactions, etc. In this document you will also find a series of recommendations on good practices when validating OTP codes via SMS.

Common uses for validation via SMS

In the last few years, the most common uses of SMS validation have been:

  • Verifying a user's phone number.
  • Confirming access (login) or sensitive actions (2FA processes).
  • Identifying a user or associating a user with a phone.
  • Preventing duplicate or multiple accounts for the same user.

For these validation processes, LabsMobile offers two different solutions: the JSON API and the LabsMobile OTP API.

The JSON API

The JSON API is a general-purpose SMS API: you send SMS messages with REST calls of type POST, with the variables encoded in JSON in the body of the HTTP request.

Its main functions are sending SMS messages and querying their delivery status. Other advantages of this type of API are that it is compatible with any programming environment, that there are many code examples, support and online resources, and that the client controls the whole process and configuration. With the JSON API you can also review every message sent and make informed decisions.

This API is easy to use and similar to those of other SMS platforms, so it is easy to switch platforms according to your commercial interests.

On the negative side, you have to build the whole validation process yourself: generate the OTP codes, store them in a database together with their expiry and attempt counters, and check the code the user submits.

Here you can find some resources and code examples to implement it:

LabsMobile's OTP API

LabsMobile has created a specific API to create and manage OTP codes for these validation processes. Its functions are to send, resend and validate codes.

The main advantage of this OTP API is security: the OTP code stays inside the LabsMobile platform, so your application never has to generate, transmit or store it. The process is also simpler, because you do not generate or save OTP codes yourself. And it is compatible with any programming environment that can make REST HTTP/GET calls.

On the negative side, this API has non-standard functions, so developers have to learn how the system works. Also, certain details of the process cannot be changed, such as the OTP code format or the handling of the delivery status of the messages sent.

Here are some resources of the LabsMobile API:

Security and authentication in a validation process with OTP SMS

The first step for integrating a validation process with the LabsMobile JSON API or OTP API is to create a user on the platform, which requires an email address. Afterwards, you need to take some security measures:

  • API token
  • SSL certificate (HTTPS)
  • Filter by IP address
  • API connection from the backend

The first security measure is to use an API token as the password. It can be generated in the control panel of your LabsMobile account, in the upper right corner, under My account > Security and passwords.

The second measure is the SSL certificate: always call the API URLs over HTTPS, so that the data and variables you send are encrypted in transit.

The IP address filter, in the Preferences section of the LabsMobile platform, lets you configure one or more IP addresses from which calls to the SMS API are accepted. Keep in mind that once this filter is configured, requests from any origin not on the list are rejected.

Lastly, the API connection. Calls or requests to the LabsMobile JSON or OTP API must always be made from the backend or data server, never from the user interface (web or app). This prevents sensitive data such as the API token or passwords from being exposed in client code, and centralises the requests so that the process can be controlled and managed better.

To send an OTP code for later validation, the user interface sends the request to the backend using some mechanism such as AJAX, an HTTP POST, a socket, etc.

The backend then makes the requests to the LabsMobile API and controls the validation process.

What should the user interface look like? Usage recommendations.

Some recommendations for the user interface in an OTP validation process are:

Ease of use, clarity and simplicity so that users enter their phone number. There should be only one field in the interface: remove any other field, option or action to focus the user's attention on the validation process.

In this field, users should only be able to enter digits and NOT other symbols. The country code should be chosen with a selector (you can add flags, for example).

Validating the phone number entered is also a good idea. If the number is wrong or the format invalid, show an error message so the user can correct the phone number.

Here are some libraries:
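The following is an added example (not code from LabsMobile or this guide) of the digits-only and format validation described above, written for the backend so that it also runs when the client-side check is bypassed. The country table (calling code, trunk prefix, national number length) is a constructed three-entry subset used only for illustration; a real deployment should back the selector with a complete library such as libphonenumber. Its error message reuses the wording suggested in the guide.

```python
import re

# Constructed subset of the country selector: ISO code -> (calling code, trunk
# prefix to drop if typed, national number length). These three entries are
# assumptions for the example; use a complete library in production.
COUNTRIES = {
    "ES": ("34", "", 9),    # Spain: 9-digit national numbers, no trunk prefix
    "US": ("1", "1", 10),   # USA: 10-digit numbers, sometimes typed with a leading 1
    "GB": ("44", "0", 10),  # UK: 10 digits once the leading trunk 0 is dropped
}
E164_MAX_DIGITS = 15        # ITU-T E.164 upper bound for the complete number


def normalize_phone(country, entered):
    """Return (E.164 number, None) on success or (None, error text to show the user)."""
    if country not in COUNTRIES:
        return None, "Please select a country."
    calling_code, trunk, length = COUNTRIES[country]
    digits = entered.strip()
    # str.isdigit() also accepts non-ASCII digits (e.g. Arabic-Indic ones), so
    # check explicitly for ASCII 0-9, which is what "digits only" means here.
    if not re.fullmatch(r"[0-9]+", digits):
        return None, "Only digits are allowed. Do not use spaces or symbols."
    # Tolerate a typed trunk prefix, but only when the length shows it is one.
    if trunk and digits.startswith(trunk) and len(digits) == length + len(trunk):
        digits = digits[len(trunk):]
    if len(digits) != length or len(calling_code) + len(digits) > E164_MAX_DIGITS:
        return None, (f"The phone does not correspond with a valid phone number for {country}. "
                      "Please check and modify the phone number and country chosen.")
    return "+" + calling_code + digits, None
```

The function returns the number in E.164 form ("+" followed by the calling code and the national number), which is the form to store and to pass to the SMS API, so that the same user cannot register twice with "612 345 678" and "+34612345678".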

Example texts for validation:

– Phone entry screen: "Type your phone number and receive a code via SMS".

– Error in the number format: "The phone does not correspond with a valid phone number for (country). Please check and modify the phone number and country chosen."

– Once the user has entered a valid phone number and the OTP SMS has been sent: "Check your SMS inbox. We have sent a code to your phone number. Enter the 4-digit code you received in the field below. IMPORTANT: check that you have GSM/call coverage to receive SMS messages."

– After a few seconds (3-6) you can show a waiting message: "It has been 6 seconds since the last try. You can request a new code in 24 seconds."

– Message offering an alternative contact channel when all tries have run out: "You have run out of available tries. Please contact us at support@labsmobile.com or +34938132933."


Other elements to consider when validating via OTP

In an OTP SMS validation process, some basic elements need to meet certain requirements, such as the following:

1) The OTP code

The OTP code is a crucial element of the process and should have these features:

– Numeric code (digits only).
– Between 4 and 6 digits long.
– Keep the same code for the same user and validation process: every message sent to a phone number (including all retries) must carry the same OTP code.

2) The body of the message

The SMS text sent in an OTP validation (on every try) should respect the following:

– The text of the message should be as short and concise as possible.

– The code should be placed at the beginning of the message, if possible among the first 3 words, so that people can recognise it even in the notification preview.

– The sender should identify itself, at least in the text of the message.

– Let the receiver know how many tries have been made so far and when the code expires. For example:

  • <#> 3823 is your validation code for the Kiwoko app
  • The code 3823 validates your access in labsmobile.com asked on 2020-11-01 10:33 GMT+2
  • PayPal: code 381223 to validate your last transaction. This code will expire in 10 minutes.


Policy of attempts

Lastly, if the first OTP code sent does not arrive, LabsMobile recommends establishing a policy of a finite number of attempts, with these details:

  • Establish a minimum waiting time between attempts: the option to send a new code should not be available until 20 to 40 seconds have elapsed. Show the user the number of seconds left before the next try is available.
  • The maximum number of attempts should be between 1 and 3 messages.
  • Once the maximum number of attempts is reached, give users an alternative contact channel such as email or a support phone number.
  • Use the delivery status of each SMS sent to the user to decide what to do next:
  1. Sent: no final status yet; the message has been processed and handed to the local operator. The waiting time before the next attempt can be longer, since there may be congestion.
  2. Delivered: the message has been confirmed as delivered to the destination device. Limit further attempts to 1-2 and show the user a message asking them to restart their device and check their coverage and configuration.
  3. Rejected / not delivered: delivery error, usually because the number is incorrect. The user must change their phone number.


Set the validity of each generated OTP code to between 10 and 30 minutes. After that interval the OTP code is no longer valid and the user has to start the process again.
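The following is an added example (not code from LabsMobile or this guide) of the backend-side validation process you have to build yourself when using the generic JSON API: it derives a 6-digit numeric code, keeps the same code across resends, enforces the waiting time, the attempt limit, the delivery-status rules and the expiry described above, and compares the submitted code in constant time. The SMS gateway call is represented by an injected `send_sms(phone, text)` function returning "sent", "delivered" or "rejected"; that adapter, the sender name "ExampleApp" and the limit of five wrong guesses are assumptions, not part of the LabsMobile API or of the guide. The code is derived with an HMAC from a server key and a per-validation nonce instead of being stored, so a copy of the pending table alone does not reveal the codes.

```python
import hashlib
import hmac
import math
import secrets
import time
from dataclasses import dataclass

# Policy values taken from the guide's recommendations (plus two assumptions).
CODE_DIGITS = 6            # numeric code, 4-6 digits
CODE_TTL_S = 10 * 60       # each code valid for 10-30 minutes
RESEND_WAIT_S = 30         # 20-40 seconds between sends
MAX_SENDS = 3              # 1-3 messages per validation
MAX_SENDS_DELIVERED = 2    # once a delivery is confirmed, 1-2 tries in total
MAX_VERIFY_FAILS = 5       # assumption: wrong guesses before lockout (not set by the guide)
SENDER = "ExampleApp"      # assumption: placeholder sender name


@dataclass
class Pending:
    nonce: bytes           # per-validation secret; the code is derived from it
    created: float
    last_sent: float
    sends: int = 1
    fails: int = 0
    delivered: bool = False


class OtpService:
    """Backend-only service: the gateway token never reaches the browser or app."""

    def __init__(self, send_sms, key, now=time.time):
        # send_sms(phone, text) -> "sent" | "delivered" | "rejected" is a hypothetical
        # adapter around the gateway's send call, injected so this runs offline.
        self._send_sms = send_sms
        self._key = key        # server secret: codes are derived from it, never stored
        self._now = now
        self._pending = {}     # phone -> Pending (a database table in production)

    def _code(self, phone, nonce):
        # Same phone + nonce always gives the same code, so every resend repeats
        # the code without the database ever holding it in clear.
        mac = hmac.new(self._key, phone.encode() + nonce, hashlib.sha256).digest()
        return str(int.from_bytes(mac, "big") % 10**CODE_DIGITS).zfill(CODE_DIGITS)

    @staticmethod
    def message(code, attempt):
        # Code within the first three words, sender named, attempt and expiry stated.
        return (f"<#> {code} is your validation code for {SENDER} (attempt {attempt}). "
                f"It expires in {CODE_TTL_S // 60} minutes.")

    def _current(self, phone):
        rec = self._pending.get(phone)
        if rec is not None and self._now() - rec.created > CODE_TTL_S:
            del self._pending[phone]     # expired: the user must start again
            rec = None
        return rec

    def request_code(self, phone):
        """Send or resend the code for `phone`. Returns (status, detail)."""
        now = self._now()
        rec = self._current(phone)
        if rec is None:
            rec = Pending(nonce=secrets.token_bytes(16), created=now, last_sent=now)
        else:
            remaining = RESEND_WAIT_S - (now - rec.last_sent)
            if remaining > 0:
                return "wait", math.ceil(remaining)     # seconds to show the user
            limit = MAX_SENDS_DELIVERED if rec.delivered else MAX_SENDS
            if rec.sends >= limit:
                return "exhausted", "offer email or phone support"
            rec.sends += 1
            rec.last_sent = now
        text = self.message(self._code(phone, rec.nonce), rec.sends)
        result = self._send_sms(phone, text)
        if result == "rejected":
            self._pending.pop(phone, None)   # wrong number: ask for another one
            return "invalid_number", "ask the user to correct the number"
        rec.delivered = rec.delivered or result == "delivered"
        self._pending[phone] = rec
        return "sent", rec.sends

    def verify(self, phone, submitted):
        """Check a user-submitted code: returns "ok", "expired", "locked" or "wrong"."""
        rec = self._current(phone)
        if rec is None:
            return "expired"
        if rec.fails >= MAX_VERIFY_FAILS:
            return "locked"
        submitted = str(submitted).strip()
        expected = self._code(phone, rec.nonce)
        if submitted.isascii() and hmac.compare_digest(expected, submitted):
            del self._pending[phone]     # single use: a verified code cannot be replayed
            return "ok"
        rec.fails += 1
        return "wrong"
```

The user interface only ever calls `request_code` and `verify` through your backend; the gateway credentials and the derivation key stay on the server. The "wait" result carries the seconds left so the interface can show the countdown text suggested above, and "exhausted" and "invalid_number" map to the alternative-contact and wrong-number messages.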