Written by Nishikant WaghBusiness Analyst
One Time Password (OTP) authentication is one of the widely used authentication methods due to its reliability and authenticity. At Royal Cyber, we take security on top priority. This is why we upgrade our knowledge and capabilities to provide you with the best possible security in the market. commercetools does not provide OTP functionality out of the box, and hence, owing to our customers' needs and demands, we developed an accelerator for them.
Ensuring that the user data is highly secured wins the trust of the customers, thus helping the business grow. We use OTP authentication on multiple scenarios to provide maximum authenticity. With the help of our accelerator, you save a lot of your development time which helps faster project completion.
In the OTP-based login, when the user enters the mobile number and submits for authentication, we verify the mobile number at our end. We check whether the number is registered with commercetools and should be of a registered customer. Only then can we generate the token. After submitting the mobile number, the user receives an OTP that needs to be entered at the OTP submission page. After submitting the OTP, it is validated at our end, and after successful validation, we fetch the customer details based on the user’s mobile number. Once the record is found, commercetools returns a customer ID to which the mobile number is associated. Further, that customer ID is used to call the key manager in the database where the refresh token is stored.
The refresh token is unique for every customer, just like the customer ID. Once the refresh token is found in the external database, we call an API through an application URL to generate an access token for the user. This access token is similar to the login token with the same permissions to access the sections.
When you register using the username and password, commercetools generates a token called access token. That token holds the customer data and is not valid for any other user.
In a normal flow, commercetools validates the user credentials, and once the validation is successful, it generates an access token that will be valid for the next 48 hours. Every generated access token comes with permissions. Any other sections, apart from the permitted ones, cannot be accessed by the user. commercetools provides another parameter called the refresh token which is used when the user’s access token expires. In the scenario where the user logs in using the username and password, we use the refresh token as it is valid for six months since its last usage. We store the refresh token in an external DB for better security. As shown in the diagram, once registered, the refresh token is auto retrieved as soon as the user logs into commercetools.
To better understand the above flow, let us discuss our user journey while using OTP authentication. First, let us consider that the given user forgets the password required to log in. In this case
If the user has requested an OTP on the mobile number, the system runs two calls simultaneously
The journey of the user submitting the email ID instead of the mobile number to change the password is different as there is no OTP involved in this case. A link to update the password will be sent to the user’s email id, and further, the process is as per the ‘Password update flow’.
What if the user has clicked on the OTP-based log in when the OTP service or the commercetools API is not up? This is a rare scenario, but if in case it occurs, the user will not receive an OTP, and the screen will remain unchanged till the user receives the OTP and submits it in the form. However, the user can click on ‘Resend Now’ and enter the most recent OTP. If the registration service is down for a reason, the user will see a message on the screen which says, ‘Kindly try after some time’.
|Using OTP Accelerator||Traditional Development|
|Integration Time||1 to 2 days||8 to 10 days|
|Resources/Expertise||Developer with the knowledge to call APIs||Need a programming expert to code and implement the feature|
|Customization||Features can be added or removed based on the client's request||Fully customizable but needs extra efforts|
|Security||Highly secured as it comes with data encryption, no extra security is needed||More layers can be added as per requirement|
|Testing Efforts||Only integration testing is needed, and so, it saves more than 70% of time and effort||More time and effort are needed for unit testing and integration testing|
|Reusability Of Code||Can be reused as needed||It works only for the scenario for which it is programmed|
With Royal Cyber’s OTP accelerator, businesses using commercetools can save a lot of time on implementation. Business owners can focus entirely on business as the security of their store is taken care of. Royal Cyber has many such accelerators built especially for commercetools, to know more, contact us.