OTP (One-Time Password)

Content Type: Module
Categories: Utility,Authentication,Data

Overview

The OTP (One-Time Password) Module provides a secure, configurable, and ready-to-use solution for generating and verifying one-time passwords (OTPs) in Mendix applications. It enables developers to easily implement authentication and verification workflows — such as login validation, password reset, transaction confirmation, or sensitive action approval — using either SMS or Email channels.

This module is designed with strong security principles in mind. OTPs are generated using Java SecureRandom for cryptographic randomness and hashed using HMAC-SHA256 before storage, ensuring that raw codes are never persisted or exposed. Each OTP is linked with a unique salt and application secret key, protecting against replay and brute-force attacks.

The module includes flexible configuration through the OTP_Configuration entity, allowing administrators to control:

  • OTP expiry duration (in minutes)
  • Maximum retry attempts
  • Resend cooldown (in seconds)
  • Resend limits per hour and per day
  • Separate configurations per channel (SMS, Email) and usage type (Login, ResetPassword, etc.)

With built-in microflows like MF_RequestOTP and MF_VerifyOTP, developers can generate, deliver, and validate OTPs with minimal setup. Integration with any third-party SMS or Email provider is supported, making it easy to adapt the module to existing infrastructure.

Additional features include audit-friendly record keeping (OTP_Record), automatic invalidation of expired or used OTPs, and rate-limiting to prevent abuse. The design aligns with best practices for secure authentication and is fully extendable for multi-factor authentication (MFA) scenarios.

Use Cases:

  • User login verification (2FA / MFA)
  • Password reset confirmation
  • Transaction approval (financial, legal, or confidential operations)
  • Account activation or registration verification
  • Email or phone number validation flows

Highlights:

  • 🔒 Secure cryptographic design (HMAC + salt)
  • 📬 Multi-channel (SMS / Email)
  • 🧾 Fully auditable data model
  • ⚙️ Admin-configurable behavior
  • 🧱 Plug-and-play Mendix microflows
  • 🚫 Abuse prevention with cooldown and limits

With this module, developers can deliver OTP-based security in minutes — without compromising on reliability, scalability, or compliance.

Documentation

🧩 Installation

  1. Download and import the OTP (One-Time Password) Module into your Mendix project.
  2. Synchronize the database to create the necessary entities (OTP_Record, OTP_Configuration, etc.).

⚙️ Configuration

  1. Open the OTP_Configuration entity and define your settings for each Channel and Usage type:
    • ExpiryMinutes – Minutes before an OTP expires
    • MaxAttempts – Number of allowed verification tries per OTP
    • ResendCooldownSeconds – Seconds a user must wait between resend requests
    • MaxResendPerHour / Day – Maximum number of OTP requests per hour and per day
  2. Optionally, create an admin page for managing these values at runtime.
  3. The module uses ENUM_Usage (Login, ResetPassword, etc.) and ENUM_Channel (SMS, Email) to keep a separate configuration for each usage and channel combination.

💻 Core Microflows

  • MF_RequestOTP – Generates a new OTP, validates cooldown and resend limits, stores hash + salt, and triggers sending (via SMS or Email connector).
  • MF_VerifyOTP – Validates the entered OTP using HMAC comparison and marks the record as used.
  • MF_GetActiveOtpConfig – Retrieves or creates the active configuration for a specific Channel + Usage.
  • MF_CleanupOtpRecords (optional) – Deletes or archives expired and used OTP records; schedule it daily.

🔐 Security

  • OTPs are generated using SecureRandom and hashed with HMAC-SHA256 — no plain codes are stored.
  • Each OTP is single-use and auto-invalidated (IsUsed = true) upon success or expiry.
  • Rate-limiting and cooldown prevent abuse.
  • Sensitive data (hash, salt) is never exposed in pages.

🧠 Integration

You can integrate the module into your app by:

  1. Calling MF_RequestOTP when the user triggers verification (e.g., login, password reset).
  2. Sending the returned OTP code via your existing SMS or Email provider.
  3. Using MF_VerifyOTP to validate the entered code and control user access or action continuation.
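The request/verify cycle described in Core Microflows, the Security bullets, and the three integration steps above, as an added stand-alone Java sketch. This is not the module's own code: it models OTP_Configuration and OTP_Record as plain classes, and the class, method and field names (OtpFlowExample, requestOtp, verifyOtp, maxResendPerDay), the constructed configuration values, the 6-digit code length and the in-memory resend history are assumptions made for illustration.

```java
import java.nio.charset.StandardCharsets;
import java.security.GeneralSecurityException;
import java.security.MessageDigest;
import java.security.SecureRandom;
import java.time.Duration;
import java.time.Instant;
import java.util.ArrayDeque;
import java.util.Deque;
import javax.crypto.Mac;
import javax.crypto.spec.SecretKeySpec;

// Stand-alone sketch of the request/verify logic; names are assumptions, not the module's Java.
public class OtpFlowExample {
    // Counterpart of OTP_Configuration; values are constructed for this demo.
    static final class OtpConfig {
        int expiryMinutes = 5, maxAttempts = 3, resendCooldownSeconds = 60;
        int maxResendPerHour = 5, maxResendPerDay = 20; // maxResendPerDay: assumed name for "/ Day"
    }
    // Counterpart of OTP_Record: only salt and HMAC are kept, never the plain code.
    static final class OtpRecord {
        final byte[] salt, hash; final Instant expiresAt;
        int attempts = 0; boolean isUsed = false;
        OtpRecord(byte[] s, byte[] h, Instant e) { salt = s; hash = h; expiresAt = e; }
    }

    private static final SecureRandom RNG = new SecureRandom();
    private final byte[] appSecret;   // application secret key (load from a constant/secret store)
    private final OtpConfig config;
    private final Deque<Instant> sendTimes = new ArrayDeque<>(); // track per recipient in a real app
    private OtpRecord active;

    OtpFlowExample(byte[] appSecret, OtpConfig config) { this.appSecret = appSecret; this.config = config; }

    // Uniform numeric code: SecureRandom.nextInt(bound) is unbiased, so every code is equally likely.
    static String generateCode(int digits) {
        return String.format("%0" + digits + "d", RNG.nextInt((int) Math.pow(10, digits)));
    }

    // HMAC-SHA256 keyed with the app secret over salt || code.
    static byte[] hmac(byte[] key, byte[] salt, String code) throws GeneralSecurityException {
        Mac mac = Mac.getInstance("HmacSHA256");
        mac.init(new SecretKeySpec(key, "HmacSHA256"));
        mac.update(salt);
        return mac.doFinal(code.getBytes(StandardCharsets.UTF_8));
    }

    private long sendsSince(Instant since) { return sendTimes.stream().filter(t -> !t.isBefore(since)).count(); }

    // MF_RequestOTP counterpart: enforces cooldown and resend limits, stores hash + salt, and returns
    // the plain code exactly once so the caller can hand it to the SMS/Email connector (null = refused).
    String requestOtp(Instant now) throws GeneralSecurityException {
        Instant last = sendTimes.peekLast();
        if (last != null && Duration.between(last, now).getSeconds() < config.resendCooldownSeconds) return null;
        if (sendsSince(now.minus(Duration.ofHours(1))) >= config.maxResendPerHour
                || sendsSince(now.minus(Duration.ofDays(1))) >= config.maxResendPerDay) return null;
        byte[] salt = new byte[16];
        RNG.nextBytes(salt);
        String code = generateCode(6);
        if (active != null) active.isUsed = true; // a new request invalidates the previous code
        active = new OtpRecord(salt, hmac(appSecret, salt, code), now.plus(Duration.ofMinutes(config.expiryMinutes)));
        sendTimes.addLast(now);
        return code;
    }

    // MF_VerifyOTP counterpart: constant-time HMAC comparison, single use, expiry and attempt cap.
    boolean verifyOtp(String entered, Instant now) throws GeneralSecurityException {
        OtpRecord r = active;
        if (r == null || r.isUsed) return false;
        if (now.isAfter(r.expiresAt) || r.attempts >= config.maxAttempts) {
            r.isUsed = true; // invalidate instead of leaving a guessable record behind
            return false;
        }
        r.attempts++;
        boolean ok = MessageDigest.isEqual(r.hash, hmac(appSecret, r.salt, entered));
        if (ok) r.isUsed = true;
        return ok;
    }

    public static void main(String[] args) throws Exception {
        byte[] secret = new byte[32];
        RNG.nextBytes(secret); // demo only; a real app keeps one persistent secret
        OtpFlowExample otp = new OtpFlowExample(secret, new OtpConfig());
        Instant t0 = Instant.parse("2024-01-01T10:00:00Z");
        String code = otp.requestOtp(t0);                                                      // integration step 1
        System.out.println("resend in cooldown -> " + otp.requestOtp(t0.plusSeconds(10)));    // null
        String wrong = (code.charAt(0) == '0' ? "1" : "0") + code.substring(1);
        System.out.println("wrong code -> " + otp.verifyOtp(wrong, t0.plusSeconds(20)));      // false
        System.out.println("right code -> " + otp.verifyOtp(code, t0.plusSeconds(30)));       // true (step 3)
        System.out.println("replay -> " + otp.verifyOtp(code, t0.plusSeconds(40)));           // false
        String late = otp.requestOtp(t0.plusSeconds(120));                                     // cooldown over
        System.out.println("expired -> " + otp.verifyOtp(late, t0.plus(Duration.ofMinutes(10)))); // false
    }
}
```

Two details carry the Security bullets: MessageDigest.isEqual compares the stored and recomputed HMACs in constant time, and because the HMAC is keyed with the application secret and salted per record, a copied OTP_Record cannot be verified or replayed outside the application. The plain code leaves requestOtp only as its return value, matching integration step 2, and is never written anywhere else.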

🧾 Optional Enhancements

  • Schedule a daily cleanup of expired OTPs.
  • Add an Audit entity to log all OTP requests and verifications.
  • Customize messages, cooldowns, and validation behavior in the configuration entity.

This module is fully plug-and-play — import, configure, and connect your delivery channel to enable secure OTP verification in minutes.


Releases