Secure Device Access

Can anyone expand on how they are implementing what seems to be OTP(one time password) for device login (once a week, new otp required) using sms channel? I think this is very good, but I can’t seem to find the technical specs of the tech behind this feature.

1 Like

Thanks for the question @bzmrgonz - @Riku_OpenCRVS can you advise?

Thanks for the question @bzmrgonz ! I wasn’t yet able to find the original specification for the OTP feature, but this is roughly how it technically works:

  1. The user submits the correct username + password combination as part of the login.

  2. At this point, we generate a random sequence of characters (cryptographic nonce) and a 6-digit random sequence of numbers (SMS code). Both of these are stored temporarily into our in-memory database (Redis) with a creation timestamp and the id of the found user. The cryptographic nonce is returned to the client making the login request.

  3. The user is now sent an SMS message through a 3rd party service. We currently support Clickatell and Infobip. The provider can be configured as part of the deployment.

  4. When we receive an SMS code verification request with an SMS code and a cryptographic nonce, we search our in-memory database with that combination.

    1. If nothing is found, we return an error.
    2. If we find an item, we check the item was made less than ten minutes ago. If it’s older than that, we return an error. The validity period can be configured as part of the deployment.
    3. If the combination is still valid, we take the user id and create a JWT token, which is then returned to the client.

We ask for an OTP every time the user logs in. As you said, one user session can last a maximum of one week. The length of the session can also be configured as part of the deployment.

Let me know if you have any further questions!

2 Likes

this is beautifully outlined and explained. Thank you @Riku_OpenCRVS