OTP (One-Time Password)

Content Type: Module
Categories: Utility,Authentication,Data

Overview

The OTP (One-Time Password) Module provides a secure, configurable, and ready-to-use solution for generating and verifying one-time passwords (OTPs) in Mendix applications. It enables developers to easily implement authentication and verification workflows — such as login validation, password reset, transaction confirmation, or sensitive action approval — using either SMS or Email channels.

This module is designed with strong security principles in mind. OTPs are generated using Java SecureRandom for cryptographic randomness and hashed using HMAC-SHA256 before storage, ensuring that raw codes are never persisted or exposed. Each OTP is linked with a unique salt and application secret key, protecting against replay and brute-force attacks.

The module includes flexible configuration through the OTP_Configuration entity, allowing administrators to control:

  • OTP expiry duration (in minutes)
  • Maximum retry attempts
  • Resend cooldown (in seconds)
  • Resend limits per hour and per day
  • Separate configurations per channel (SMS, Email) and usage type (Login, ResetPassword, etc.)

With built-in microflows like MF_RequestOTP and MF_VerifyOTP, developers can generate, deliver, and validate OTPs with minimal setup. Integration with any third-party SMS or Email provider is supported, making it easy to adapt the module to existing infrastructure.

Additional features include audit-friendly record keeping (OTP_Record), automatic invalidation of expired or used OTPs, and rate-limiting to prevent abuse. The design aligns with best practices for secure authentication and is fully extendable for multi-factor authentication (MFA) scenarios.

Use Cases:

  • User login verification (2FA / MFA)
  • Password reset confirmation
  • Transaction approval (financial, legal, or confidential operations)
  • Account activation or registration verification
  • Email or phone number validation flows

Highlights:

  • 🔒 Secure cryptographic design (HMAC + salt)
  • 📬 Multi-channel (SMS / Email)
  • 🧾 Fully auditable data model
  • ⚙️ Admin-configurable behavior
  • 🧱 Plug-and-play Mendix microflows
  • 🚫 Abuse prevention with cooldown and limits

With this module, developers can deliver OTP-based security in minutes — without compromising on reliability, scalability, or compliance.

Documentation

🧩 Installation

  1. Download and import the OTP (One-Time Password) Module into your Mendix project.
  2. Synchronize the database to create the necessary entities (OTP_Record, OTP_Configuration, etc.).

⚙️ Configuration

  1. Open the OTP_Configuration entity and define your settings for each Channel and Usage type:
    • ExpiryMinutes – Time before OTP expires
    • MaxAttempts – Number of allowed verification tries
    • ResendCooldownSeconds – Time between resends
    • MaxResendPerHour / Day – Rate limits for OTP requests
  2. Optionally, create an admin page for managing these values in runtime.
  3. The module uses ENUM_Usage (Login, ResetPassword, etc.) and ENUM_Channel (SMS, Email) to separate behaviors.

💻 Core Microflows

  • MF_RequestOTP – Generates a new OTP, validates cooldown and resend limits, stores hash + salt, and triggers sending (via SMS or Email connector).
  • MF_VerifyOTP – Validates the entered OTP using HMAC comparison and marks the record as used.
  • MF_GetActiveOtpConfig – Retrieves or creates the active configuration for a specific Channel + Usage.
  • MF_CleanupOtpRecords (optional) – Deletes or archives expired and used OTP records; schedule it daily.

🔐 Security

  • OTPs are generated using SecureRandom and hashed with HMAC-SHA256 — no plain codes are stored.
  • Each OTP is single-use and auto-invalidated (IsUsed = true) upon success or expiry.
  • Rate-limiting and cooldown prevent abuse.
  • Sensitive data (hash, salt) is never exposed in pages.
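The request/verify logic described in the Core Microflows and Security sections, as an added stand-alone Java sketch (not the module's own JA_GenerateOtpAndHash / JA_VerifyOtp code): class, field and method names are assumed, the record is held in memory instead of OTP_Record, and the secret key is a constructed demo value.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.SecureRandom;
import java.time.Duration;
import java.time.Instant;
import javax.crypto.Mac;
import javax.crypto.spec.SecretKeySpec;

public class OtpDemo {
    private static final SecureRandom RNG = new SecureRandom();

    // In-memory stand-in for the OTP_Record entity: hash + salt are stored, the code is not.
    static final class OtpRecord {
        byte[] salt; byte[] hash; Instant expiresAt; int attempts; boolean isUsed;
    }

    // Cryptographically random numeric code; zero-padded so leading zeros are kept.
    static String generateCode(int digits) {
        return String.format("%0" + digits + "d", RNG.nextInt((int) Math.pow(10, digits)));
    }

    // HMAC-SHA256 over salt || code, keyed with the application secret.
    static byte[] hmac(byte[] secretKey, byte[] salt, String code) throws Exception {
        Mac mac = Mac.getInstance("HmacSHA256");
        mac.init(new SecretKeySpec(secretKey, "HmacSHA256"));
        mac.update(salt);
        return mac.doFinal(code.getBytes(StandardCharsets.UTF_8));
    }

    // Request side: fresh salt per OTP; store only hash + salt + expiry (ExpiryMinutes).
    static OtpRecord issue(byte[] secretKey, String code, int expiryMinutes) throws Exception {
        OtpRecord r = new OtpRecord();
        r.salt = new byte[16];
        RNG.nextBytes(r.salt);
        r.hash = hmac(secretKey, r.salt, code);
        r.expiresAt = Instant.now().plus(Duration.ofMinutes(expiryMinutes));
        return r;
    }

    // Verify side: reject used, expired or over-MaxAttempts records; constant-time compare; single use.
    static boolean verify(byte[] secretKey, OtpRecord r, String entered, int maxAttempts) throws Exception {
        if (r.isUsed || Instant.now().isAfter(r.expiresAt) || r.attempts >= maxAttempts) return false;
        r.attempts++;  // charge the attempt before comparing so failures always count
        boolean ok = MessageDigest.isEqual(r.hash, hmac(secretKey, r.salt, entered));
        if (ok) r.isUsed = true;  // IsUsed = true: the same code cannot be presented again
        return ok;
    }
}
```

Issue a record with `issue(key, generateCode(6), 5)`, deliver the code over your SMS or Email connector, and call `verify` on the user's input; a second `verify` with the correct code returns false because the record is already marked used.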

🧠 Integration

You can integrate the module into your app by:

  1. Calling MF_RequestOTP when the user triggers verification (e.g., login, password reset).
  2. Sending the returned OTP code via your existing SMS or Email provider.
  3. Using MF_VerifyOTP to validate the entered code and control user access or action continuation.

🧾 Optional Enhancements

  • Schedule a daily cleanup of expired OTPs.
  • Add an Audit entity to log all OTP requests and verifications.
  • Customize messages, cooldowns, and validation behavior in the configuration entity.

This module is fully plug-and-play — import, configure, and connect your delivery channel to enable secure OTP verification in minutes.


Releases

Version: 1.0.1
Framework Version: 10.24.9
Release Notes:

This update refines the OTP (One-Time Password) Module for improved performance, flexibility, and user experience.

Version 1.0.1 replaces the previous Timer widget logic with a more efficient and maintainable Event widget–based implementation, ensuring better UI responsiveness and reduced client-side overhead.

What’s New

  • 🧩 Added: Event-based widget behavior to handle OTP resend cooldown and UI updates dynamically.
  • 🔄 Improved: Page logic for resend countdown, now fully event-driven instead of relying on the Nanoflow Timer.
  • 🧠 Enhanced: User interface interactions — faster feedback when requesting or verifying OTPs.
  • ⚙️ Optimized: Microflows and expressions related to resend and cooldown checks for cleaner logic and easier maintenance.
  • 🧱 Stability: General refinements to improve reliability across both SMS and Email channels.

Removed

  • ⏱️ The old Timer widget previously used for OTP countdown has been deprecated and completely removed.

Upgrade Note

If you are upgrading from v1.0.0, simply delete the old timer widget from your OTP pages and replace it with the new Event widget version. No configuration or database changes are required — your existing OTP records and configurations remain fully compatible.

This release streamlines the OTP module’s frontend behavior while maintaining all core security and configuration features.

Version: 1.0.0
Framework Version: 10.24.9
Release Notes:

Release Notes – OTP (One-Time Password) Module v1.0.0

The OTP Module introduces a complete and secure framework for generating and verifying One-Time Passwords (OTPs) in Mendix applications.

It supports both SMS and Email delivery channels and is built according to security best practices, including HMAC-based hashing, expiry management, resend cooldown, and rate-limiting.

Key Features

  • Secure OTP generation using SecureRandom and HMAC-SHA256.
  • Configurable expiry time, maximum attempts, and resend cooldown.
  • Hourly and daily resend limits to prevent abuse or spam.
  • Multi-channel support (SMS / Email) and flexible usage types (Login, Password Reset, Registration, etc.).
  • Automatic invalidation of expired or used OTPs (IsUsed = true).
  • Administrative configuration via OTP_Configuration entity without redeploying.
  • Java actions for OTP generation and verification (JA_GenerateOtpAndHash, JA_VerifyOtp).
  • Microflows ready for integration: MF_RequestOTP, MF_VerifyOTP, and MF_GetActiveOtpConfig.
  • Extendable for MFA workflows or integration with external SMS/Email gateways.

Security

The module ensures OTPs are never stored as plain text. Each OTP is hashed using HMAC with a secret key and salt, providing strong protection against replay and brute-force attacks.

This release provides developers with a plug-and-play, audit-ready OTP mechanism suitable for authentication, password reset, and transaction verification scenarios.