OTP (One-time Password)
As an added security feature, the Checkin.com Framework has support for a One-Time Password service (OTP). The solution uses a combination of smart risk based code generation and flash SMS to verify users.
As the last step of the registration process, a Flash SMS will be sent to the user with a short code. The Checkin.com Framework validates and makes sure the entered password is the correct one.
How to enable OTP
For details on how to enable the OTP service, see the settings section.
Validating the SMS Sendout (Optional)
As an extra security measure, partner side validations can be performed in order to verify that an SMS has been sent and signed by the Checkin.com Framework.
Validating a sendout can be done using an API endpoint or by decrypting the JWT token provided in the regilyDoneCallback .
Validation is optional
Running the Checkin.com OTP service does not require validation of the JWT. It is only recommended as an additional security measure
Back-end JWT token validation
One way to validate the sendout is by using the Checkin.com signed JWT token in the regilyDoneCallback
. The token can be found in the callback field called user.phoneVerificationToken
.
The token is signed and needs to be decrypted with the Checkin.com Public verification token.
This is the content of a JWT token:
// Token contents
{
"phone": "+46701234567", //phone number in the `E164` format (String with + in front)
Example on JWT token:
"exp": 1558098829, //5 min expiration used by the JWT validation
"iss": "regily"
}
// Algorithm
{
"alg": "ES512",
"typ": "JWT"
}
Back-end validation using the Checkin.com API
You can also validate your token by sending a request to the Checkin.com API.
The regilyDoneCallback
contains a property called user.phoneVerificationId
which can be used with a GET request towards auth.regily.com/phoneotp/<phoneVerificationId>
.
// From RegilyDoneCallbackData
const verification_id = data.user.phoneVerificationId
//Send a GET to regily servers
fetch(`https://auth.regily.com/phoneotp/${verification_id}`)
.then(function (response) {
const body = response.body
//Check status
if (body.isValid) {
// perform save, complete registration
}
})
Do you want to use our OTP service?
Send an email to [email protected] and we will enable it for you.
Updated about 2 years ago