OTP Generator Algorithm

In recent days security has become a vital issue and concern for all companies. Without going into the depths of other security issues, let's talk about OTP today. As almost everyone knows, OTP means one-time password. Popular services like Outlook and Gmail use it to verify users when they authenticate into their systems. That is called two-factor authentication. It can be optional, or it can be configured so that it asks for OTP verification only when a user logs in from a different device.

So as software programmers we may have had to write, or will come across having to write, code for a system that sends an OTP to users. It can be for registration, login, authorizing some kind of claim, or for a transaction if it is financial software. When we develop such a system we need an algorithm to generate the OTP, and search engines get hit with the following kinds of questions from programmers.

  1. What is the standard length of an OTP for mobile phones?
  2. What is the algorithm to generate a mobile phone OTP?
  3. What security measures are to be taken when generating an OTP?
  4. Will I send the same OTP if the user requests a resend?
  5. What will be the valid time for an OTP?
  6. Does C# have its own mechanism to generate an OTP?
  7. Should I store the OTP in the database?
  8. Should I store the OTP in the session?
  9. Should I store the OTP in a cookie?

And so on.

On different sites different people will have different opinions. All of those could be right in one way or another.

Here I am going to show some approaches to generating an OTP, using ASP.NET and C#; some of them use the Identity framework. Most of them have pros and cons.

Approach 1: (Random number)

We can always create a random number and send that as the OTP to be verified by the user. Here is the very simple algorithm.

This gives a random 6-digit number as the OTP. But most people will not like the idea because it is very simple and can be cracked by brute force or by other methods, so let's look at the next way of doing it, which uses the same kind of method.

Approach 2: (Complex random number)

This method creates an additional random number named otpShifter in the range 1 to 9. After generating a random 6-digit number as in the method above, it shifts the positions of the digits that many times.

So it will be a bit more secure.
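The post's own snippets for Approach 1 and Approach 2 are not present on this page, so here is an added example (my code, not the author's) of both steps as a security engineer would write them: the 6-digit value comes from the cryptographic RNG rather than `System.Random`, and the "shift" is implemented as a rotation of the digit string by `otpShifter` positions. `RandomNumberGenerator.GetInt32` is assumed available (.NET Core 3.0 or later; on .NET Framework the equivalent is reading bytes from `RNGCryptoServiceProvider`). The class and method names are mine.

```csharp
using System;
using System.Security.Cryptography;

public static class OtpGenerator
{
    // Approach 1: a uniformly random value in [000000, 999999], zero-padded to six digits.
    // System.Random is seeded from the clock and its output is predictable, so it must
    // never be used for a value that acts as a credential; the CSPRNG is used instead.
    public static string GenerateSixDigitOtp()
    {
        int value = RandomNumberGenerator.GetInt32(0, 1_000_000); // upper bound is exclusive
        return value.ToString("D6");
    }

    // Approach 2: rotate the digits of an existing OTP 'shifter' positions to the left.
    // The post draws otpShifter from 1..9. Note that rotation only rearranges the digits:
    // a six-digit code still has exactly 10^6 possible values, so the brute-force
    // protection has to come from attempt limits and a short validity window
    // (questions 4 and 5 in the post), not from the shift itself.
    public static string ShiftDigits(string otp, int shifter)
    {
        if (string.IsNullOrEmpty(otp))
            throw new ArgumentException("otp must not be empty", nameof(otp));
        if (shifter < 0)
            throw new ArgumentOutOfRangeException(nameof(shifter));

        int n = shifter % otp.Length;          // rotating by the length is a no-op
        return otp.Substring(n) + otp.Substring(0, n);
    }

    // Approach 1 followed by Approach 2, with the shift count itself drawn from the CSPRNG.
    public static string GenerateShiftedOtp()
    {
        int otpShifter = RandomNumberGenerator.GetInt32(1, 10); // 1..9 inclusive, as in the post
        return ShiftDigits(GenerateSixDigitOtp(), otpShifter);
    }

    public static void Main()
    {
        // Constructed input: the post's sample value, rotated two places.
        Console.WriteLine(ShiftDigits("629372", 2)); // prints 937262
        Console.WriteLine(GenerateShiftedOtp());     // a fresh, random six-digit code
    }
}
```

`ShiftDigits` is kept separate from the random draw so it can be unit-tested on a fixed input; the output format (`D6`) preserves leading zeros, which a plain `int` would silently drop and which would otherwise turn some codes into five-digit values.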

Approach 3: (Using SignInManager)

We can get a 6-digit OTP by simply calling

It has a default mechanism to generate the OTP and assign it to the user's state. This is also a good way of generating an OTP value.

The Problems

Now all of these methods generate a one-time password for us. We need to send that password to the mobile number of the specific user. And when the user provides the code back to the application, the application also needs to remember the code in order to match it against that specific user, to authenticate them to the application or authorize some kind of claim or action. The question is where programmers are thinking of storing the code to match when the user comes back. Is that in the

  1. url? Do not even think about it. When people understand that the OTP value is in the URL, they can grab that number and dodge the application.
  2. cookie? Can be a choice.
  3. session? Can be a choice.
  4. database? Can be a choice.

But what if the cookie can be accessed, the session is hijacked, or even the database is compromised? This could be done by a hacker or could be an inside job. So that gives a headache about where to save the OTP.

Final Approach   

I would like to make sure that if the cookie, session or database is compromised, I do not put users at risk regarding the OTP. The method I like is basically a combination of Approach 2 and Approach 3.

Let's not talk thoroughly about the design of the database. That could be another topic to write about. Say we send an OTP, part of which is kept on the application side and another part on the database side. So if one side is compromised the OTP is not exposed. Let me go through the code below.

Modify the code from approach 2 a bit.

From the main method, call the Approach 3 method first, which gives a 6-digit number. Say we get x = '629372'. Now send this number to GenerateOtpApproach2(x, 999999). When it returns, add that number to the SignInManager-generated number shown in GenerateOtpApproach3 and send the result to the user. SignInManager remembers its generated value, and we save the value returned by the Approach 2 method in the database. So when the user comes back we can check the submitted number against the sum of the SignInManager value and the database value to authenticate that service.
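The split-storage scheme above, as an added example that is my code and not the post's: the code the user receives is the sum of an identity-side half and a database-side half, and verification recomputes that sum from the two stores. Neither the Identity call nor the modified Approach 2 method is on the page, so two assumptions are labelled in the code: the identity half is passed in as a parameter (in ASP.NET Identity, `UserManager.GenerateTwoFactorTokenAsync` is the call that produces such a token, and `SignInManager` keeps the resulting state), and the database half is an independent random value rather than a transform of x. The in-memory dictionaries stand in for SignInManager's state and for the database row, and the expiry and attempt limit are the checks the post's questions 4 and 5 ask for.

```csharp
using System;
using System.Collections.Generic;
using System.Security.Cryptography;

public sealed class PendingOtp
{
    public int DatabasePart { get; set; }     // the half that lives in the database
    public DateTime ExpiresUtc { get; set; }  // validity window (question 5 in the post)
    public int FailedAttempts { get; set; }   // bounds guessing over a six-digit space
}

public static class SplitOtp
{
    private const int MaxAttempts = 3;   // assumed policy, not taken from the post

    // Stand-ins for the two stores the post names. In the real application the identity
    // half is the two-factor token state SignInManager keeps for the user and the
    // database half is a row keyed by user id; here both are in-memory dictionaries.
    private static readonly Dictionary<string, int> IdentityStore = new Dictionary<string, int>();
    private static readonly Dictionary<string, PendingOtp> DatabaseStore = new Dictionary<string, PendingOtp>();

    // The post's rule: the code sent to the user is the sum of the two halves.
    // Two six-digit halves can sum to seven digits, hence the long.
    public static string CombineParts(int identityPart, int databasePart)
    {
        return ((long)identityPart + databasePart).ToString();
    }

    // identityPart is what the Approach 3 call returned (629372 in the post's example).
    // The post derives the database half by passing x through its modified Approach 2
    // method; that code is not on the page, so this example draws an independent
    // random half from the CSPRNG instead (assumption).
    public static string IssueOtp(string userId, int identityPart, TimeSpan lifetime)
    {
        int databasePart = RandomNumberGenerator.GetInt32(0, 1_000_000);
        IdentityStore[userId] = identityPart;
        DatabaseStore[userId] = new PendingOtp
        {
            DatabasePart = databasePart,
            ExpiresUtc = DateTime.UtcNow + lifetime,
            FailedAttempts = 0
        };
        return CombineParts(identityPart, databasePart); // this is what goes out by SMS
    }

    // Neither store alone holds the code the user was sent: a database dump yields only
    // DatabasePart, and the identity state alone yields only identityPart.
    public static bool VerifyOtp(string userId, string submitted)
    {
        if (!IdentityStore.TryGetValue(userId, out int identityPart)) return false;
        if (!DatabaseStore.TryGetValue(userId, out PendingOtp pending)) return false;

        if (DateTime.UtcNow > pending.ExpiresUtc)
        {
            Forget(userId);          // expired codes are discarded, not compared
            return false;
        }

        bool ok = long.TryParse(submitted, out long code)
                  && code == (long)identityPart + pending.DatabasePart;

        // Single use on success; retire the code after too many wrong guesses so the
        // six-digit space cannot simply be enumerated against one issued code.
        if (ok || ++pending.FailedAttempts >= MaxAttempts)
        {
            Forget(userId);
        }
        return ok;
    }

    private static void Forget(string userId)
    {
        IdentityStore.Remove(userId);
        DatabaseStore.Remove(userId);
    }

    public static void Main()
    {
        // Constructed walk-through using the post's sample identity value.
        string sent = IssueOtp("user-42", 629372, TimeSpan.FromMinutes(5));
        Console.WriteLine($"SMS body: {sent}");
        Console.WriteLine(VerifyOtp("user-42", "000000")); // False: wrong code, one failure recorded
        Console.WriteLine(VerifyOtp("user-42", sent));     // True: correct, both halves removed
        Console.WriteLine(VerifyOtp("user-42", sent));     // False: already used
    }
}
```

The property that matters is visible in `VerifyOtp`: the comparison needs both `identityPart` and `pending.DatabasePart`, so reading either store on its own does not reproduce `sent`. Because the user-facing code is only ever compared as a whole number, the check stays the same whichever method produced the two halves.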

This way we can make sure that a security violation does not happen when using OTP in our application. Another obvious thing is the design of the database for keeping the OTP. I hope to discuss that in the next post.
