One time passwords

By: Aivis Olsteins

2018-02-28

Use case: One-time password generator for application security

Username and password authentication is no longer secure. Enter two-factor authentication.

Recently we had a chance to show the advantages of our JavaScript-based telephony engine by implementing an SMS-based one-time password generation system to secure a mobile app. The operator wanted to verify the user by their phone number, i.e. send a short 6-digit passcode which the user would enter in the app or website to verify their identity. The concept, known as two-factor authentication, is not new, but it provides a much higher level of security than traditional username and password systems. Many online banking systems use it widely nowadays; however, ready-made, out-of-the-box solutions are rare. That is partly because technical details vary from case to case: API details, localization, etc.

We saw a great opportunity here to try out our script engine. While it was originally developed for IVR and voice, it was not difficult to add more functions to it, since the platform it runs on, SAARA, already supports voice and SMS. The process would work as follows:

  • Use a RESTful API to receive a request from the application. The request contains the phone number which needs to receive an OTP, and optionally a locale to use.
  • Generate a random 6-digit code and return it in the response to the same API call.
  • Create a message, respecting the locale, that includes the generated code.
  • Send an SMS by means of an external carrier.

Technically, these were the main additions we made:

1. The ability to receive and parse API requests. In this case, our API received a JSON representing a request to generate a passcode:

{
"number": "12125551212",
"language": "en"
}

2. A random number generator. Standard JavaScript is perfect here, and the following piece of code generates a string of 6 randomly generated digits from 0 to 9. We had to introduce some string functions we didn't have before:

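// Build a 6-character string, one random digit (0-9) at a time.
var passcode = '';
var i = 0;
while (i < 6) {
    // Multiply by 10 so every digit 0-9 is possible; multiplying by 9 never yields a 9.
    passcode += Math.floor(Math.random() * 10);
    i = i + 1;
}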

3. And finally, sending the result by SMS:

// Send the generated passcode to the requested number.
sendSms({
    to: dest_number,
    from: source_number,
    text: "Your application code is: " + passcode
});

I omitted the language localization part; however, the above should give an idea of how a script-based telephony engine can be used not only for IVR, but also for text messaging.
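Math.random() in step 2 is not a cryptographically secure generator, so its output is not suitable for a secret. The added example below (not code from the original post or the SAARA engine) draws the passcode from Node.js's crypto module and goes one step further to the verification side, with an expiry and a guess limit. It assumes a Node.js runtime; the names generatePasscode, issue, verify, the 5-minute TTL, the 3-attempt limit and the in-memory Map are all illustrative.

```javascript
// Added example (Node.js); hypothetical names, not the SAARA engine's API.
const { randomInt, timingSafeEqual } = require("node:crypto");

const TTL_MS = 5 * 60 * 1000; // assumed validity window
const MAX_ATTEMPTS = 3;       // assumed guess limit per issued code
const pending = new Map();    // number -> { code, expires, attempts }; stand-in for a real store

// randomInt() draws from the OS CSPRNG and is uniform over [0, 10^digits),
// so there is no modulo bias; padStart keeps leading zeros.
function generatePasscode(digits = 6) {
  return String(randomInt(0, 10 ** digits)).padStart(digits, "0");
}

// Issue a fresh code for a number, replacing any earlier one.
function issue(number, now = Date.now()) {
  const code = generatePasscode();
  pending.set(number, { code, expires: now + TTL_MS, attempts: 0 });
  return code; // hand this to the SMS sender
}

// Check a submitted code: expired or over-guessed codes are discarded,
// and a code that matches is deleted so it works only once.
function verify(number, submitted, now = Date.now()) {
  const entry = pending.get(number);
  if (!entry) return false;
  if (now > entry.expires || entry.attempts >= MAX_ATTEMPTS) {
    pending.delete(number);
    return false;
  }
  entry.attempts += 1;
  const a = Buffer.from(String(submitted));
  const b = Buffer.from(entry.code);
  // timingSafeEqual requires equal lengths, so check that first.
  const ok = a.length === b.length && timingSafeEqual(a, b);
  if (ok) pending.delete(number);
  return ok;
}
```

With only 1,000,000 possible codes, the guess limit and expiry are what keep a 6-digit passcode from being brute-forced.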

About Author
My name is Aivis Olsteins and I am owner of DataTechLabs. My experience in Telecoms started in early 1990's and I have worked in multiple technical positions in mobile, messaging and data networks. My expertise lies in telecom networks, database systems, distributed processing and large data analysis. These posts are my attempt to share my knowledge with everyone who might find it useful.