One-Time Passcode (OTP) Step
The OTP (One-Time Passcode) step securely verifies a user’s identity by sending and validating one-time codes via SMS, voice call, or email. This step is often used in adaptive authentication flows to confirm control of a communication channel and reduce account takeover risk. The OTP step is asynchronous and pauses the workflow until it is resumed with an OTP value.
What is a one-time passcode?
A one-time passcode is a unique, system-generated code valid for a single session. It is sent to a user’s phone number or email address, and the user must submit it back to the system for verification. This ensures that the user controls the communication channel being verified.
How it works in RiskOS
- Add the OTP step to your workflow and select the delivery channel (SMS, Email, or Voice).
- Configure the status, sub-status, and queue to control how paused cases are tracked.
- When the workflow reaches the OTP step:
  - RiskOS sends the OTP via the selected channel.
  - The evaluation pauses until the OTP is provided via an API PATCH call (see API docs for details).
  - The user provides the OTP through your application.
  - RiskOS verifies the OTP received via the PATCH call and updates the evaluation outcome.
Note: OTP is currently not supported for KYB and UBO verification.
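The pause and resume sequence above, as a small server-side model. This is an added illustration, not RiskOS code: the class, the status names, the six-digit format, the five-minute expiry and the three-attempt limit are all assumptions.

```python
import hashlib
import hmac
import secrets
import time

OTP_TTL_SECONDS = 300  # assumption: validity window, not a documented RiskOS value
MAX_ATTEMPTS = 3       # assumption: retry limit, not a documented RiskOS value
CHANNELS = ("sms", "email", "voice")


class PausedOtpStep:
    """Hypothetical model of one evaluation paused at an OTP step."""

    def __init__(self, channel):
        if channel not in CHANNELS:
            raise ValueError(f"unsupported channel: {channel}")
        self.channel = channel
        self.status = "created"
        self.attempts = 0
        self._salt = secrets.token_bytes(16)
        self._digest = b""
        self._expires = 0.0

    def _hash(self, code):
        # Keep only a keyed digest so the stored state does not reveal the code.
        return hmac.new(self._salt, code.encode(), hashlib.sha256).digest()

    def send(self, now=None):
        """Generate the code, pause the step, return the code for delivery."""
        code = f"{secrets.randbelow(10**6):06d}"  # CSPRNG, 6 digits
        self._digest = self._hash(code)
        self._expires = (time.time() if now is None else now) + OTP_TTL_SECONDS
        self.status = "paused"
        return code

    def resume(self, submitted, now=None):
        """Model of the resume call: True only if this call verifies the code."""
        if self.status != "paused":
            return False  # already verified, failed or expired: single use
        if (time.time() if now is None else now) > self._expires:
            self.status = "expired"
            return False
        self.attempts += 1
        if hmac.compare_digest(self._hash(submitted), self._digest):
            self.status = "verified"
            return True
        if self.attempts >= MAX_ATTEMPTS:
            self.status = "failed"
        return False
```

A wrong code leaves the step paused until the attempt limit is reached, and a code that has already verified, expired or been locked out is rejected on any later submission.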
Supported channels
- Email: OTP sent to the user’s email address provided in data.individual.email.
- SMS: OTP sent via text message to the phone number provided in data.individual.phone_number.
- Voice (Phone Call): OTP delivered through an automated voice call to the phone number provided in data.individual.phone_number.
See also: OTP Verification
