Improving Security with One-Time-Passwords

With an ever growing awareness of security online, and the dawning acceptance that passwords themselves are insecure no matter how complex, web application developers are turning more towards mobile technology to greatly improve registered users' security and also to check that someone actually exists when they sign up.

The technology behind One Time Passwords (OTP) is simple – for an existing user, a password can be replaced by a one-time password by storing the telephone number of a trusted device. At the point of login, the user provides their username, and a text message containing a code gets sent to the trusted device. The user reads the code on their phone and enters it on the site, which checks it against the code it sent; if the two match up, the login is successful.

You may have noticed that companies such as Facebook and Microsoft are already using this technology, alongside many banks, where the traditional username and password are used together with an OTP. Combining both methods means that even if the user's machine is infected with a virus or keylogger which steals information, or someone leaves their login details on a scrap of paper, their account is still safe, because the attacker does not have the trusted device.

This may all seem scarily complicated. The fact is that it isn’t, and that if you have an account with Textlocal, you already have access to a system which can handle one-time passwords using our new API.

For example, you can generate a password by simply making a request to the API – either by code or even in a browser.

This will generate a unique password, and fire it to the mobile number specified in the request.

The next thing you will need is something to make sure that the code is actually valid. This too can be done with a simple API call.

This will reply with a success or failure message, depending on whether the code/mobile number combination matches. If the code is over 24 hours old, or has previously been successfully validated, it will be rejected as well.
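The checks described above (code must match the mobile number it was sent to, be less than 24 hours old, and not have been validated before), shown as an added server-side example. This is not Textlocal's code or API; `send_sms` is a placeholder for whatever actually delivers the text message, and the in-memory store and 6-digit code length are assumptions.

```python
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass

CODE_TTL_SECONDS = 24 * 60 * 60  # codes older than 24 hours are rejected


@dataclass
class IssuedCode:
    code_hash: bytes   # only a hash is stored, so a leaked table reveals no live codes
    created_at: float  # epoch seconds, used for the 24-hour expiry
    used: bool = False  # set once the code has been successfully validated


def _hash_code(mobile: str, code: str) -> bytes:
    # Bind the code to the mobile number so it only validates for that pair.
    return hashlib.sha256(f"{mobile}:{code}".encode()).digest()


class OtpStore:
    def __init__(self, send_sms, now=time.time):
        self._codes = {}          # one active code per mobile number (assumption)
        self._send_sms = send_sms  # placeholder for the SMS delivery call
        self._now = now           # injectable clock so expiry can be exercised

    def send_code(self, mobile: str) -> str:
        # Cryptographically random 6-digit code (length is an assumption).
        code = f"{secrets.randbelow(10**6):06d}"
        self._codes[mobile] = IssuedCode(_hash_code(mobile, code), self._now())
        self._send_sms(mobile, f"Your login code is {code}")
        return code  # returned only so a caller or test can drive the flow

    def verify_code(self, mobile: str, code: str) -> str:
        entry = self._codes.get(mobile)
        if entry is None:
            return "failure: no code issued for this mobile"
        if entry.used:
            return "failure: code already used"
        if self._now() - entry.created_at > CODE_TTL_SECONDS:
            return "failure: code expired"
        # Constant-time comparison so timing does not leak how close a guess was.
        if not hmac.compare_digest(entry.code_hash, _hash_code(mobile, code)):
            return "failure: code does not match"
        entry.used = True  # a code validates successfully at most once
        return "success"
```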

This is a really simple, but incredibly secure, method of authentication which, even for the greenest of developers, is a quick and simple change to integrate into an existing product. The whole send and check process can be as little as 4 lines of code!