In a previous post we talked about what is an SMS verification system and what are the advantages of sending OTP codes via SMS. In this post, we will describe how to integrate OTPs and we will give recommendations for a good OTP integration with the LabsMobile platform.
First of all, we would like to comment that the validation or verification process can be applied to a ton of software environments like apps, social networks, web platforms, economic transactions, etc. And we would also like to add that, in the next documento, you will find a series of recommendations about good practices when validating OTP codes via SMS.
In the last few years, the most common uses for validating SMS have been:
For these types of processes of validation, LabsMobile has two different solutions you can use: API JSON and the OTP API LabsMobile.
The API JSON is a generalist API SMS with which you can send SMS messages with calls REST of the type POST and codified variables in the body of the HTTP in JSON format.
The main features are sending SMS and consulting their state. Other advantages of this type of API is that it’s compatible with any coding environment, that there are many examples of code, support, and online resources, and it lets you control the whole process and configuration by the clients. On the other hand, with the JSON API, you can take a look at any sent messages and make informed decisions.
This API is easy to use and similar to other SMS platforms, so it’s easy to change the platform according to your commercial interests.
On the negative side, you’ll have to build the whole validation process by storing a database using generated OTP codes.
Here you can find some resources and code examples to implement it:
LabaMobile has created a specific API to create and manage OTP codes for these validation processes. Their functions are to send, resend, and validate codes.
The main advantage of this OTP API is security. With this, security is augmented as in the process the OTP code is hidden inside the LabsMobile platform. Besides, the process is simplified without having to generate or save OTP codes using the platform. And it’s compatible with any coding environment that can generate REST HTTP/GET calls.
On the negative side, this API has non-standard functions that require people to adapt and learn more about how to use the system. Plus, it’s not possible to change or modify certain details of the process, such as the OTP code format or the status of delivery of the sent messages.
Here are some resources of the LabsMobile API:
The first step for integrating a validation process using a JSON API or an OTP API with LabsMobile is to create a user in the platform. This process requires an email. Afterward, you’ll need to take some security measures:
The first security measure is to use as a password an API token. This can be generated in the control panel of your LabsMobile account, in the upper right corner at the section My account- Security and passwords.
The second measure is the SSL certificate. At this point, it is important to always use the API’s URLs using the HTTPS protocol for codifying data and variables you sent.
When it comes to filtering by IP address at the Preferences section created in the LabsMobile platform, you can configure one or many IP addresses valid to send the calls to the SMS API. But keep in mind that, after you configure this filter via IP address, it won’t be possible to send anything else from any other origin that is not listed there.
Lastly, we need to mention the API connection. These are calls or petitions to the JSON or OTP API of LabsMobile that should always be carried out from the backend or data server. This will never happen from the user interface (web or app). This happens so no sensitive data is compromised like passwords and to be able to centralize petitions to control and manage the processes better.
To send an OTP code for its future validation you need to send the petition from the user interface to the backend using some technological method like AJAX, HTTP/POST, socket, etc.
Later, the backend has to manage the petitions from the LabsMobile API and control the validation process.
Some of the recommendations for using the interface when it comes to an OTP validation process are:
Ease of use, clarity, and simplicity so users introduce their phone number. There should be only one field in the user interface. You should delete any other field, option, or action to concentrate the user’s attention in the validation process.
Besides, in this field people should only be able to introduce digits and NOT other symbols. Plus, they need to add their country code with a selector (you can also add flags, for example).
Validating the introduced phone number is also a good idea. In the case of a wrong number or a non-valid format, let people know with an error message. In this way, the user can modify their phone number.
Here are some libraries:
– Introduction screen in the phone: “Type your phone number and receive a code via SMS”.
– Error in the number format: “The phone does not correspond with a valid phone number for (country). Please check and modify the phone number and country chosen.”
– Once the user wrote a valid phone number and the OTP SMS has been sent: “Look in your SMS inbox. We have sent an SMS code to your phone number. Introduce in the following field the 4-digit code you got. IMPORTANT: check you have GSM/call coverage to receive SMS messages.”
– After some seconds (3-6) you can add a waiting message: “It’s been 6 seconds since the last try. In 24 seconds you can resend a new code.”
-Message as alternative communication when all the tries have run out.“You have run out of available tries. Please get in touch with us at firstname.lastname@example.org or +34938132933.”
In an OTP SMS validation process some basic elements need to comply with certain requirements like the ones that follow:
The OTP code is a crucial element of the process and is recommended to follow these features:
– Numeral code (only digits).
– Between 4-6 digits long.
– Keep the same code for the same user and validation process. So, any message sent to a phone number (including all the tries) needs to have the same OTP codes.
The SMS text message sent in an OTP validation (on every try) should respect the following aspects:
– The text of the message should be as short and concise as possible.
-The code should be placed at the beginning of the message. If possible, among the first 3 words. In this way, people can easily recognize the code even when using the preview.
– The sender should identify itself at least in the text of the message.
– You should let the receiver know about how many tries they have done so far. For example:
PayPal: code 381223 to validate your last transaction.
This code will expire in 10 minutes.
Lastly, it’s important to highlight that, at LabsMobile, we recommend that if the first OTP code sent doesn’t arrive, it’s advisable to establish a policy of finite intents with some details:
Establish the validity for each OTP code generated between 10-30 minutes. After this interval of time, the OTP code will not be valid and the user will have to start the process again.