One-Time Passcode (OTP)

Add One-Time Passcode Verification to your workflow to confirm that users really have access to the phone number or email they provide.

What is One-Time Passcode Verification?

Socure One-Time Passcode (OTP) Verification is a security feature that enables robust two-factor authentication by sending a unique, auto-generated code to a user via SMS, voice call, or email. This code is valid for a single session and is used to verify control of a communication channel or authenticate a user's identity within a workflow.

One-Time Passcode Verification can be:

  • A standalone check
  • A building block in an adaptive risk-based authentication policy

Enrichment                 Description                                Region support
OTP (One-Time Passcode)    Standard one-time passcode verification    Global

How it works

  • Generate passcode: RiskOS™ creates a one-time passcode tied to a session.
  • Deliver via channel: One-Time Passcode is sent via SMS, voice, or email.
  • User enters code: Your app collects the One-Time Passcode.
  • Verify request: RiskOS™ validates the submitted One-Time Passcode against the session.
  • Decision outcome: API returns approved/reject plus session metadata.

What you can do with One-Time Passcode Verification

  • Secure authentication: Add One-Time Passcode as a second factor to reduce account takeover risk.
  • Verify communication channels: Confirm control of phone numbers and email addresses.
  • Comply with regulations: Support KYC/AML requirements with step-up authentication.
  • Improve onboarding: Reduce friction while preventing fraudulent sign-ups.
  • Protect transactions: Use One-Time Passcode for high-risk actions such as money transfers or password resets.

Unique features

  • Flexible delivery channels: Send passcodes via SMS, voice, or email.
  • Customizable templates: Localize and brand SMS and email messages.
  • Configurable limits
    • 6-digit codes (default)
    • 10-minute expiration window
    • Up to 5 retry attempts
    • 10-minute cooldown after failures
  • Global reach: Support for international phone numbers in E.164 format.
  • Robust rate limiting
    • Up to 5 sends per minute per destination
    • Up to 10 verification attempts per minute per session
  • Decision outcomes — API responses include:
    • sessionId
    • attemptCount
    • status (pending, approved, reject)
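
How the configurable limits listed above can be enforced on the server side, as an added example that is not Socure's or RiskOS's own code. The class and method names are hypothetical, the cooldown is assumed to apply per destination once a session's attempts are exhausted, and the per-minute rate limits are not modelled.

```python
import hmac
import secrets
import time

CODE_DIGITS = 6     # 6-digit codes (default)
TTL = 600           # 10-minute expiration window, in seconds
MAX_ATTEMPTS = 5    # up to 5 attempts per session
COOLDOWN = 600      # 10-minute cooldown after failures, in seconds


class OtpVerifier:
    """In-memory sketch; class, method and field layout are hypothetical."""

    def __init__(self):
        self.sessions = {}   # sessionId -> session state
        self.cooldown = {}   # destination -> time when sends are allowed again

    def send(self, destination, now=None):
        now = time.time() if now is None else now
        if now < self.cooldown.get(destination, 0):
            return None      # destination is cooling down: issue nothing
        session_id = secrets.token_urlsafe(16)
        # secrets draws from the OS CSPRNG; zero-pad so codes keep six digits.
        code = f"{secrets.randbelow(10 ** CODE_DIGITS):0{CODE_DIGITS}d}"
        self.sessions[session_id] = {"destination": destination, "code": code,
                                     "expires": now + TTL, "attemptCount": 0,
                                     "status": "pending"}
        return session_id, code   # the code goes only to the delivery channel

    def verify(self, session_id, submitted, now=None):
        now = time.time() if now is None else now
        s = self.sessions.get(session_id)
        if s is None or s["status"] != "pending":
            # Unknown, used or closed session: a code is never accepted twice.
            count = s["attemptCount"] if s else 0
            return {"sessionId": session_id, "attemptCount": count, "status": "reject"}
        s["attemptCount"] += 1
        if now >= s["expires"]:
            s["status"] = "reject"
        elif hmac.compare_digest(submitted.encode(), s["code"].encode()):
            s["status"] = "approved"   # constant-time comparison matched
        elif s["attemptCount"] >= MAX_ATTEMPTS:
            s["status"] = "reject"     # attempts exhausted: start the cooldown
            self.cooldown[s["destination"]] = now + COOLDOWN
        return {"sessionId": session_id, "attemptCount": s["attemptCount"],
                "status": s["status"]}
```

The `now` parameter exists so expiry and cooldown can be exercised without waiting; a production store would also need to persist sessions and hash the stored code.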

Next steps