OTP Sign In Accelerator for commercetools

Written by Nishikant Wagh

Business Analyst

One Time Password (OTP) authentication is widely used because each code is short-lived and single-use, which makes it a dependable way to confirm that the person signing in controls the registered phone number. At Royal Cyber, we treat security as a top priority, and we keep our knowledge and capabilities current so we can offer you the strongest protection available. commercetools does not provide OTP functionality out of the box, so, in response to our customers' needs, we developed an accelerator that adds it.

OTP Sign In Accelerator and Why it is Required for Your Business

Keeping user data well protected wins customer trust, and that trust helps the business grow. We use OTP authentication in several scenarios to confirm that the person signing in is who they claim to be. With our accelerator, you save a large share of the development time, which brings the project to completion faster.

How Does It Work?

OTP Login Flow

In the OTP-based login, the user enters a mobile number and submits it for authentication. We first verify the number at our end: it must be registered with commercetools and belong to an existing customer. Only then do we generate and send the OTP. The user receives the code and enters it on the OTP submission page. We validate the submitted code and, after successful validation, fetch the customer details by the mobile number. Once the record is found, commercetools returns the customer ID associated with that number, and we use that ID to query the key manager, the external database in which the refresh token is stored.

The refresh token is unique to each customer, just like the customer ID. Once the refresh token is found in the external database, we call an API through the application URL to exchange it for an access token for the user. This access token is equivalent to the one issued at a password login, with the same permissions, so the user can access the same sections. Because a stored refresh token can be exchanged for an access token without the customer's password, the external store holding it must be encrypted and reachable only by the accelerator's own service.

commercetools Login and Registration Flow (token handling mechanism to ensure it is more secure)

When you register with a username and password, commercetools issues an access token. That token is bound to the registered customer and is not valid for any other user.

In the normal flow, commercetools validates the user's credentials and, once validation succeeds, issues an access token that is valid for the next 48 hours. Every access token carries a set of permissions (scopes); sections outside those permissions cannot be accessed with it. commercetools also issues a refresh token, which is used once the access token expires. When the user logs in with a username and password, we keep the refresh token, since it stays valid for six months from its last use. We store the refresh token in an external DB rather than on the client for better security. As shown in the diagram, once the user has registered, the refresh token is retrieved automatically as soon as the user logs in to commercetools.

To better understand the flow above, let us walk through the user journey with OTP authentication. First, consider a user who has forgotten the password required to log in. In this case:

  • The user clicks the forgot password link
  • The user is then asked to enter a mobile number or email ID in the user id field
  • After entering the details, the user clicks the 'Send OTP' button

If the user has requested an OTP on the mobile number, the system makes two calls in parallel:

  • The first is the OTP call, which sends the OTP to the given mobile number
  • The second is a call to commercetools to check whether the user is registered
  • The user receives the OTP on the given mobile number, and an OTP screen appears where the user submits the code
  • If the OTP has not arrived, the user can click the 'Resend Now' button to get a new one
  • The user then enters the OTP and clicks the 'Verify' button to proceed to the password update screen
  • The submitted OTP must satisfy the OTP validation criteria; otherwise the 'Verify' button stays inactive

The journey differs when the user submits an email ID instead of a mobile number, because no OTP is involved in that case. A link to update the password is sent to the user's email address, and the rest of the process follows the 'Password update flow'.

What if the user chooses the OTP-based login while the OTP service or the commercetools API is down? This is a rare scenario, but when it occurs the user does not receive an OTP, and the screen stays unchanged until a code arrives and is submitted in the form. The user can click 'Resend Now' once service is restored; only the most recent OTP is accepted. If the registration service is down, the user sees the message 'Kindly try after some time'.
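The flow described under 'OTP Login Flow' and the refresh-token handling above, reduced to runnable form. This is an example added for this article, not code from Royal Cyber's accelerator: the class and function names, the dictionaries standing in for the commercetools customer lookup and for the external key manager that stores refresh tokens, and the expiry and attempt limits are all assumptions made for the example. The exchange step is injected as a callable so the module runs offline; the commercetools_refresh_exchange function shows what that callable looks like against commercetools' real OAuth token endpoint.

```python
"""OTP login: issue a code, verify it, then exchange the stored refresh token.

Example code added for this article; not Royal Cyber's accelerator. Names,
data stores and limits below are assumptions for illustration."""
import base64
import hashlib
import hmac
import json
import secrets
import time
import urllib.parse
import urllib.request
from dataclasses import dataclass

OTP_DIGITS = 6
OTP_TTL_SECONDS = 300   # assumed: a code expires five minutes after it is sent
MAX_ATTEMPTS = 5        # assumed: a code is discarded after five wrong guesses


@dataclass
class OtpRecord:
    digest: bytes       # HMAC of the code; the plaintext code is never stored
    expires_at: float
    attempts: int = 0


class OtpService:
    def __init__(self, registered_customers, refresh_tokens,
                 exchange_refresh_token, clock=time.time):
        self._customers = registered_customers    # mobile -> customer ID (stand-in)
        self._refresh_tokens = refresh_tokens     # customer ID -> refresh token (stand-in)
        self._exchange = exchange_refresh_token   # callable(refresh_token) -> access token
        self._clock = clock
        self._pending = {}                        # mobile -> OtpRecord
        self._pepper = secrets.token_bytes(32)    # process secret keyed into each digest

    def _digest(self, mobile, code):
        return hmac.new(self._pepper, f"{mobile}:{code}".encode(),
                        hashlib.sha256).digest()

    def request_otp(self, mobile):
        """Step 1: only a registered number gets a code. Calling it again
        ('Resend Now') replaces the earlier code. The code is returned for the
        SMS gateway only; it must never be sent back to the browser."""
        if mobile not in self._customers:
            return None
        code = f"{secrets.randbelow(10 ** OTP_DIGITS):0{OTP_DIGITS}d}"
        self._pending[mobile] = OtpRecord(self._digest(mobile, code),
                                          self._clock() + OTP_TTL_SECONDS)
        return code

    def verify_otp(self, mobile, code):
        """Step 2: the code must be unexpired, within the attempt budget and
        match in constant time. A correct code is consumed, so a replay fails."""
        rec = self._pending.get(mobile)
        if rec is None or self._clock() > rec.expires_at:
            self._pending.pop(mobile, None)
            return False
        rec.attempts += 1
        if rec.attempts > MAX_ATTEMPTS:
            del self._pending[mobile]
            return False
        if not hmac.compare_digest(rec.digest, self._digest(mobile, code)):
            return False
        del self._pending[mobile]
        return True

    def login(self, mobile, code):
        """Step 3: valid OTP -> customer ID -> stored refresh token -> access
        token with the same permissions as a password login."""
        if not self.verify_otp(mobile, code):
            return None
        refresh_token = self._refresh_tokens.get(self._customers[mobile])
        if refresh_token is None:
            return None
        return self._exchange(refresh_token)


def commercetools_refresh_exchange(auth_host, client_id, client_secret,
                                   refresh_token):
    """Exchange callable for a real project: commercetools' OAuth token endpoint
    takes grant_type=refresh_token with the API client's credentials as HTTP
    Basic auth and returns JSON containing access_token. Needs network access."""
    body = urllib.parse.urlencode({"grant_type": "refresh_token",
                                   "refresh_token": refresh_token}).encode()
    req = urllib.request.Request(f"https://{auth_host}/oauth/token",
                                 data=body, method="POST")
    creds = base64.b64encode(f"{client_id}:{client_secret}".encode()).decode()
    req.add_header("Authorization", f"Basic {creds}")
    with urllib.request.urlopen(req, timeout=10) as resp:
        return json.load(resp)["access_token"]


if __name__ == "__main__":
    # Constructed sample data; the exchange is faked so the demo runs offline.
    svc = OtpService({"+15550001111": "customer-1"}, {"customer-1": "rt-1"},
                     lambda rt: "access-for-" + rt)
    code = svc.request_otp("+15550001111")   # would go out by SMS
    print(svc.login("+15550001111", code))   # access-for-rt-1
    print(svc.login("+15550001111", code))   # None: the code was consumed
```

The service stores only an HMAC of each code under a process-local secret, so a dump of the pending table does not yield usable codes, and it deletes the record on success, on expiry and after the attempt budget, which is what gives the OTP its single-use and short-validity properties. In a real deployment the refresh-token dictionary is the external key manager DB, and reading it should require the same care as reading a password hash store, because whatever can read a refresh token can mint an access token for that customer.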

How is Our Accelerator Better Than Traditional Development?

Using OTP Accelerator vs. Traditional Development

Integration Time
  • Using OTP Accelerator: 1 to 2 days
  • Traditional Development: 8 to 10 days

Resources/Expertise
  • Using OTP Accelerator: a developer who knows how to call APIs
  • Traditional Development: a programming expert to code and implement the feature

Customization
  • Using OTP Accelerator: features can be added or removed on the client's request
  • Traditional Development: fully customizable, but needs extra effort

Security
  • Using OTP Accelerator: comes with data encryption built in, so no extra security work is needed to get started
  • Traditional Development: security layers must be designed and added per requirement

Testing Efforts
  • Using OTP Accelerator: only integration testing is needed, which saves more than 70% of the time and effort
  • Traditional Development: more time and effort are needed for both unit testing and integration testing

Reusability Of Code
  • Using OTP Accelerator: can be reused as needed
  • Traditional Development: works only for the scenario it was programmed for

Business Benefits and Impact Of OTP Implementation

  • Resistance to replay attacks: OTP authentication has clear advantages over static passwords alone. A recorded transmission of a static password (for example, a user submitting their password) can be replayed later to gain access to the system or account. An OTP, by contrast, becomes invalid as soon as it has been used or its validity window closes, so a recorded code cannot be reused by an attacker. Single use does not by itself stop a code that is relayed in real time, which is why the validity window and the number of allowed attempts are kept small.
  • Difficult to guess: OTPs are generated with algorithms that draw on randomness, so an attacker cannot predict the next code. Schemes may also limit validity to a short period, derive each code from a counter or from the previous code, or pose a challenge (e.g., 'Please enter the second and fifth digit'). All of these measures further reduce the risk of attack when compared with password-only authentication.
  • Reduced risk when passwords are compromised: Users who do not follow strong security practices tend to reuse the same credentials across different accounts. If those credentials are leaked or otherwise fall into the wrong hands, stolen data and fraud threaten the user on every front. OTP verification blocks access even when an attacker holds a valid set of login credentials.
  • Easy adoption: Organizations can integrate one-time passcodes into their existing authentication strategy with little friction, and users have nothing new to memorize: each code is generated for them and discarded after use.

Secure Your commercetools App With Royal Cyber’s OTP Sign In Accelerator

With Royal Cyber's OTP accelerator, businesses using commercetools save substantial implementation time. Business owners can focus on the business while the security of their store is taken care of. Royal Cyber has built many such accelerators especially for commercetools; to learn more, contact us.
