Set up OTP

Learn how to set up Socure One-Time Passcode in the RiskOS™ Dashboard to add strong possession-based authentication to your workflows.

Before you start

Make sure you have the following:

Access to the RiskOS™ Dashboard with One-Time Passcode (OTP) enabled.
  • Your account owner or administrator can enable this for you. If you're unsure who to contact, reach out to support for assistance.

A basic understanding of RiskOS™ workflows and components.
  • If this is your first time working with workflows, review the Workflow overview to understand inputs, enrichments, routing logic, and decisions.


How it works

Socure OTP is an enrichment available in RiskOS™. It generates a one-time passcode, delivers it via SMS, voice, or email, and validates the user’s input against the generated code. The module then returns a decision (ACCEPT, REJECT, or REVIEW) to drive workflow routing.

Note: ACCEPT, REVIEW, and REJECT are the default decision values. Customers can customize the response to add values or to delete default values based on specific workflow needs.


Choose your configuration

Select a simple single-channel OTP setup or a more advanced configuration with multiple delivery options and fallback logic.

Single Channel Setup with SMS, Email, or Voice

Ideal for simple OTP delivery using one primary method. Choose a single channel and configure straightforward verification logic.

Best for:

  • Simple authentication flows
  • Single contact method verification
  • Quick implementation

Channels: SMS, Email, or Voice

Advanced setup with two channels

Enables fallback options across multiple delivery channels. Improves success rates by offering an alternative method when the primary channel fails.

Best for:

  • Enhanced user experience
  • Higher delivery success rates
  • Mission-critical authentication

Channels: SMS + Email fallback


Channel setup

You can configure OTP delivery using a single channel to send the code through one primary method without any fallback logic.

The sample workflow below demonstrates how to support a single delivery channel.


Step 1 - Add an OTP Verification enrichment step to a workflow

  1. In the RiskOS™ Dashboard, go to Workflows and create a new workflow or open an existing one.
  2. On the Workflow Canvas, click the plus (+) icon and add an OTP Verification step.

  3. In the Configuration panel on the right, set up the OTP Verification step:
  • Select Channel: Choose how to deliver the code:
    • SMS: Send the code via SMS text message to a consumer's phone number.
    • Email: Send the code to the consumer's email address.
    • Voice: Deliver the code through an automated phone call.

    Note:
    • Phone numbers must be in E.164 format.
    • Email addresses must be in RFC 5322 format.

  • Define Waiting Status and Queue: Configure how the workflow waits for verification (the entity stays in this state until the OTP is verified or times out):
    • Status: Controls whether the workflow pauses (On Hold, recommended) or continues (Open).
    • Sub-status: Optional, adds a more specific tracking state.
    • Queue: Determines where the entity is routed while waiting.
  • Define Output Field: Enter the field name where the OTP result will be stored. You can reference this field later in the workflow or in your API response.

Step 2 - Add a Condition step

On the Workflow Canvas, click the plus (+) icon and add a Condition step. In the Configuration panel, create corresponding outcomes for both true and false cases.

Example status values used for One-Time Passcode condition logic

Status | Description
Pending | OTP sent but not yet verified (still within 10-minute expiration).
Approved | OTP successfully verified.
Reject | OTP exceeded 5 attempts or expired (after 10 minutes).

For more information on configuring conditions, see Create and Edit a Workflow.


Step 3 - Add Decision steps

On the Workflow Canvas, click the plus (+) icon and add Decision steps to your True and False conditions to route the decision accordingly:

Decision | Description
ACCEPT | OTP was successfully verified. The consumer is authenticated and can continue.
REJECT | OTP verification failed (expired, exceeded attempts, or invalid). The consumer cannot proceed.

Step 4 - Save and publish

Once your workflow is configured, publish it to go live.



Workflow testing checklist

Use this checklist to confirm accuracy, resilience, and completeness before going live.

Phone number:

  • Phone numbers are valid E.164 values

Email:

  • Email addresses follow RFC 5322 format and are deliverable

OTP logic:

  • Codes are generated in sub-second time
  • Retry limits are enforced
  • Expiration windows are enforced
  • Cooldown behavior is applied after failures

Escalation and fallback:

  • Alternate delivery channels are available
  • Manual review or secondary verification paths are defined
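
An added example, not part of Socure's documentation or the RiskOS™ API: a local Python model of the Step 2 status table (10-minute expiration, 5-attempt limit) that yields the expected status for each retry and expiration test case in the OTP logic checks above. The names OtpOracle and expected_status, the passcodes, and the test cases are hypothetical, and the two boundary readings marked in the comments are assumptions to confirm against your own workflow.

```python
import hmac
from dataclasses import dataclass
from datetime import datetime, timedelta

EXPIRY = timedelta(minutes=10)  # expiration window from the status table
MAX_ATTEMPTS = 5                # attempt limit from the status table

@dataclass
class OtpOracle:
    """Local model of one OTP challenge; it never calls RiskOS."""
    code: str
    sent_at: datetime
    attempts: int = 0
    status: str = "Pending"

    def status_at(self, now):
        # Assumption: the boundary instant (exactly 10 minutes) is expired.
        if self.status == "Pending" and now - self.sent_at >= EXPIRY:
            self.status = "Reject"
        return self.status

    def submit(self, guess, now):
        if self.status_at(now) == "Pending":  # Approved and Reject are terminal
            self.attempts += 1
            if self.attempts > MAX_ATTEMPTS:
                # Assumption: "exceeded 5 attempts" means the 6th submission.
                self.status = "Reject"
            elif hmac.compare_digest(guess.encode(), self.code.encode()):
                self.status = "Approved"
        return self.status

def expected_status(code, events, end_s):
    """Replay (seconds_after_send, guess) events; return the status at end_s."""
    sent = datetime(2024, 1, 1)  # constructed send time
    otp = OtpOracle(code, sent)
    for offset_s, guess in events:
        otp.submit(guess, sent + timedelta(seconds=offset_s))
    return otp.status_at(sent + timedelta(seconds=end_s))

CODE, WRONG = "482913", "000000"  # constructed values, as are the cases below
CASES = {  # name -> (events, second at which the status is read)
    "correct first try": ([(30, CODE)], 31),
    "still waiting": ([], 599),
    "never entered": ([], 600),
    "correct but late": ([(601, CODE)], 602),
    "fifth try correct": ([(i, WRONG) for i in range(4)] + [(9, CODE)], 10),
    "sixth try correct": ([(i, WRONG) for i in range(5)] + [(9, CODE)], 10),
}
EXPECTED = {name: expected_status(CODE, *case) for name, case in CASES.items()}
```

Compare each entry in EXPECTED with the status your published workflow reports for the same sequence. A mismatch on the boundary cases shows which of the two assumptions to adjust.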