OneSpan Sign Release 11.22: OTP Expiry Feature

Duo Liang,

Version 11.22 of OneSpan Sign was recently deployed to the preview and sandbox environments. In this new version, we added an expiry timeout for One-Time Passwords (OTPs) when a signer uses SMS authentication. We also dropped support for Internet Explorer 9 and 10 in the New User Experience, enabled the signer to add optional title and company information when changing a signer during the signing ceremony, and extended the API to delete multiple documents in one call. Finally, we added a few bug fixes as well. You can find the deployment dates for all our environments on our Trust Center page.

In this blog, we’ll cover the new expiry timeout for the SMS OTP and dive into the implementation details and APIs/SDK functions related to SMS authentication.

What’s Added to OTP?

If OTPs are not set to expire, an attacker who gains access to a user’s device can retrieve several OTPs and reuse those passcodes in the future. To avoid this kind of security risk, the OTP expiry feature is now available in version 11.22. Below is a picture of what to expect when an SMS passcode is used after its expiration.


Note:

When the code has expired or if your signers have lost or forgotten their code, they can easily request a new one by following the instructions in the signing ceremony.

The new code starts a new expiration period, and the original code will immediately expire, even if the original expiration period has not completed.

Expect an additional reCAPTCHA verification step when a user requests a new OTP via SMS, in both the desktop and mobile signing ceremonies.

Attempts to log in using an expired OTP code are counted against the total number of failed attempts. This means that once the number of failed login attempts reaches the maximum, the account is locked and the signer is informed.
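As an added illustration (not OneSpan's code), the following Python model implements the lifecycle the notes above describe: a resend issues a fresh code that immediately invalidates the previous one, an expired code counts as a failed attempt, and reaching the attempt cap locks the signer. The timeout value and the attempt cap are assumed placeholders; the page does not state OneSpan's actual values.

```python
import hmac
import secrets
from dataclasses import dataclass
from typing import Optional

OTP_TTL_SECONDS = 300      # assumed placeholder, not OneSpan's real timeout
MAX_FAILED_ATTEMPTS = 3    # assumed placeholder, not OneSpan's real cap


@dataclass
class SignerOtpState:
    """Per-signer OTP state kept server-side (illustrative model)."""
    code: Optional[str] = None
    expires_at: float = 0.0
    failed_attempts: int = 0
    locked: bool = False


def issue_code(state: SignerOtpState, now: float) -> str:
    """Issue a new 6-digit code and start a fresh expiry window.
    Overwriting state.code makes any earlier code unusable immediately,
    even if its own expiry period has not elapsed."""
    state.code = f"{secrets.randbelow(10 ** 6):06d}"
    state.expires_at = now + OTP_TTL_SECONDS
    return state.code


def verify_code(state: SignerOtpState, submitted: str, now: float) -> str:
    """Return 'ok', 'expired', 'invalid' or 'locked'.
    Expired and wrong codes both count toward the failure cap."""
    if state.locked:
        return "locked"
    if state.code is None:
        result = "invalid"              # nothing outstanding (or already used)
    elif now > state.expires_at:
        result = "expired"
    elif hmac.compare_digest(state.code, submitted):
        result = "ok"                   # constant-time comparison
    else:
        result = "invalid"
    if result == "ok":
        state.code = None               # single use: a correct code is consumed
        state.failed_attempts = 0
        return result
    state.failed_attempts += 1
    if state.failed_attempts >= MAX_FAILED_ATTEMPTS:
        state.locked = True             # signer must be informed out of band
    return result
```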

Resend SMS Code Programmatically

In addition to the signers’ ability to request an OTP resend from the signing ceremony page, senders also have the ability to resend a code to individual signers in the transaction. When this is done, a new code is sent with a new expiration time.

Here is how to send an SMS notification to a signer programmatically:

Java SDK:

eslClient.getPackageService().sendSmsToSigner(packageId, retrievedPackage.getSigner(email1));

.Net SDK:

eslClient.PackageService.SendSmsToSigner(packageId, retrievedPackage.GetSigner(email1));

REST Call:

HTTP Request
POST /api/packages/{packageId}/roles/{roleId}/sms_notification

HTTP Headers
Accept: application/json
Content-Type: application/json
Authorization: Basic api_key

In today’s blog, we walked through the additions to SMS authentication and covered what you can expect when OTP expiration timeframes are in effect.

If you have any questions regarding this blog or anything else concerning integrating OneSpan Sign into your application, visit the Developer Community Forums. Your feedback matters to us!

Duo Liang is a Technical Evangelist and Partner Integrations Developer at OneSpan where he creates and maintains integration guides and code shares, helps customers and partners integrate OneSpan products into their applications, and builds integrations within third party platforms.