Designing an OTP (one-time password)
Let’s play a quick game.
I want you to remember the numbers in this short story.
Mumbai, 28-Dec-2019: It's Saturday, and I am with my mom and sister running to catch train number 12125. It arrives at 16:25 on platform number five at the station. The reserved seats (71, 72, 73) are in Coach S7. My hands are full of bags, and we are waiting and searching for cab number 3226, scanning every passing car. Upon its arrival, the cab needs a One-Time Password (OTP), 2725, to begin our journey.
Ok. I apologize, take some deep breaths.

Problem:
The point here is that remembering random numbers is not a natural behavior of the human mind. Empathizing with this problem, I propose UX-designing the OTP.
Workflow assumption: the user is required to enter a 4-digit OTP, and the system already has the basic user information.
UX solution
Choose the digits in an OTP from the set of numbers that the user already remembers, or are easy to remember, rather than using randint() or Random() functions.
I am listing different schemes for generating an OTP, which are either easy patterns or are (the user's) life events.
I know: "Wait, Security, hold on!" Read through the patterns, and I will address your concern as we move.
- Repetitive numbers: Sequences like 2777, 2277, 2227, 27 27 can be retained with ease. (90 combinations)
- Palindrome number: Numbers that read the same from either side like 2772 are effortless chunks. (90 combinations)
- Sequential numbers: In the above story, 2728 is more comfortable to remember and recall than 2725 because of its sequence. Additionally, a simple sequence with a constant increment (2468, 3690) also works. (90 combinations including reversals)
List of all 11 possible easy sequences:

User Events
- 10 digit phone number: 8 combinations.
- Date of birth (DD-MM-YYYY): 5 combinations.
- Interacted event: In the story, the car number itself can become the OTP.
The Security debating: “It’s not very secure.”
Designer: “Maybe yes, maybe no. The solution is not about sticking to only one pattern forever, but it is about randomly choosing one amongst 18 different easy combinations only for one transaction cycle. Practically, the hacker has 1000 possibilities with 3 attempts within 60 seconds. I think the security risk is within acceptable limits.”
The key is predictable but the lock is changing every time.
The developer asks, "How about an OTP auto-detection feature?"
Designer: "With this, we are leaving the privacy and user data in their messages solely to the ethics of the developer. I have seen apps asking for permission to read my messages to detect the OTP, and at times this feature is a bit broken."
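The security debate above turns on how many codes an attacker has to choose from, so here is an added example (mine, not part of the original post) that enumerates the three pattern families as I define them from the descriptions above, counts them, and computes the chance that three guesses within the window succeed for a uniform 4-digit OTP versus one drawn only from a pattern family. The exact pattern definitions are an assumption on my part (the post's list of 11 sequences is not reproduced on the page), so the counts differ from the post's tallies; the point is the method, which works for any pool you plug in.

```python
from fractions import Fraction

DIGITS = "0123456789"


def palindromes():
    """Four-digit codes of the form abba with a != b (e.g. 2772)."""
    return {a + b + b + a for a in DIGITS for b in DIGITS if a != b}


def repetitive():
    """Forms aaab, aabb, abbb and abab with a != b (e.g. 2777, 2277, 2227, 2727).

    Each form has 90 members; this returns all four forms together.
    """
    out = set()
    for a in DIGITS:
        for b in DIGITS:
            if a == b:
                continue
            out.update({a + a + a + b, a + a + b + b, a + b + b + b, a + b + a + b})
    return out


def constant_step():
    """a, a+d, a+2d, a+3d with a non-zero step d and no digit wrapping past 9.

    Covers rising (2468) and falling (8642) sequences; this is my own
    narrow definition, not the post's list of 11 sequences.
    """
    out = set()
    for d in (1, 2, 3, -1, -2, -3):
        for a in range(10):
            seq = [a + k * d for k in range(4)]
            if all(0 <= x <= 9 for x in seq):
                out.add("".join(str(x) for x in seq))
    return out


def easy_pool():
    """Union of the three families: the set a guesser would try first."""
    return palindromes() | repetitive() | constant_step()


def guess_success_probability(pool_size, attempts):
    """Chance that `attempts` distinct guesses hit an OTP drawn uniformly
    from a pool of `pool_size` codes (guessing without repeats)."""
    return min(Fraction(attempts, pool_size), Fraction(1))


def risk_summary(attempts=3):
    """Compare the post's 'three attempts in 60 seconds' policy across pools."""
    pools = {
        "uniform 4-digit": 10 ** 4,
        "palindromes only": len(palindromes()),
        "repetitive only": len(repetitive()),
        "constant-step only": len(constant_step()),
        "all easy patterns": len(easy_pool()),
    }
    return {name: guess_success_probability(n, attempts) for name, n in pools.items()}


if __name__ == "__main__":
    for name, p in risk_summary().items():
        print(f"{name:20s} P(success in 3 guesses) = {float(p):.4%}")
```

Under a uniform draw the three-attempt policy gives an attacker a 0.03% chance per transaction; restricting the draw to a 90-code family raises that to 3.3%, and to 0.63% for the 474-code union. Whether that is "within acceptable limits" is the product question the post raises; this script makes the number explicit for whatever pool you choose.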
Oh great, you are still there! Here are extra pro-tips only for you; follow me on Medium for more such practical UX pointers.
- Spacing numbers: Adding a space between digits reduces memory load by chunking them together. Whenever asking for a mobile number, mask the number field after 5 digits (99988 77766) in India, and 4-3-3 for the US.
- Text OTP: In an OTP text SMS, keep the password within the initial 50 characters of the message, making it visible directly in the notification tray without any action. In an email, consider keeping the OTP in the subject line, or within the first 100 characters of the body.
- Alphanumeric OTP: Be very careful while choosing letters and numbers for verification. In many fonts, the letter O is identical to the number zero, and the uppercase I looks like 1, leading to a bad experience. The best option is to discard O/o, L/l, I/i, G/g from your character set.
- While the user is typing the OTP, briefly show the numbers and then mask them.
- While doing print ads or digital marketing, use easy-to-remember contact phone numbers. It's an investment!
- At last, think about this: "Is the OTP verification really needed?" If yes, is it needed at this stage, or can it be pushed to another stage, or before the final payment?
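The pro-tips on spacing, SMS placement and the alphanumeric character set, together with the "3 attempts within 60 seconds" policy from the debate above, fit in one small verifier. This is an added example of my own, not code from the post: it draws an OTP with `secrets` from an alphabet that drops O/o, L/l, I/i, G/g, chunks digits for display, keeps the code in the first 50 characters of the SMS text, and accepts input only while the code is unexpired, unused and under the attempt cap. The `OtpChallenge` class, its status strings and the `now` parameter (so time can be injected) are my own design choices.

```python
import hmac
import secrets
import string
import time

# Characters the post says to discard because they look alike in many fonts.
AMBIGUOUS = set("OoLlIiGg")
OTP_ALPHABET = "".join(c for c in string.ascii_uppercase + string.digits if c not in AMBIGUOUS)


def generate_otp(length=6, alphabet=OTP_ALPHABET):
    """Cryptographically random code from the unambiguous alphabet."""
    return "".join(secrets.choice(alphabet) for _ in range(length))


def chunk(text, sizes):
    """Insert spaces so the user reads groups, e.g. ('9998877766', (5, 5)) -> '99988 77766'."""
    parts, pos = [], 0
    for n in sizes:
        parts.append(text[pos:pos + n])
        pos += n
    if pos < len(text):
        parts.append(text[pos:])
    return " ".join(p for p in parts if p)


def sms_text(code):
    """Put the code first so it fits the notification tray (post: first 50 chars)."""
    message = f"{chunk(code, (3, 3))} is your one-time code. It expires in 60 seconds."
    assert message.index(chunk(code, (3, 3))) + len(code) + 1 <= 50
    return message


class OtpChallenge:
    """One issued code: single use, 60-second lifetime, at most 3 attempts."""

    MAX_ATTEMPTS = 3
    TTL_SECONDS = 60

    def __init__(self, code, now=None):
        self.code = code
        self.created = time.monotonic() if now is None else now
        self.attempts = 0
        self.consumed = False

    def verify(self, submitted, now=None):
        now = time.monotonic() if now is None else now
        if self.consumed:
            return "already_used"
        if now - self.created > self.TTL_SECONDS:
            self.consumed = True
            return "expired"
        self.attempts += 1
        # Accept the spaced form the user saw; compare in constant time.
        cleaned = submitted.replace(" ", "").upper()
        if hmac.compare_digest(cleaned.encode(), self.code.encode()):
            self.consumed = True
            return "ok"
        if self.attempts >= self.MAX_ATTEMPTS:
            self.consumed = True  # third miss burns the code; issue a new one
            return "locked"
        return "wrong"


if __name__ == "__main__":
    code = generate_otp()
    print(sms_text(code))
    challenge = OtpChallenge(code)
    print(challenge.verify(chunk(code, (3, 3))))  # ok
```

Burning the code on the third miss, rather than only refusing further input, means a retry has to go through issuance again, which is what keeps the "1000 possibilities, 3 attempts" arithmetic honest for a 4-digit numeric pool too.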
My thoughts: OTP won't stay long in this game. It is a workaround that has been working for too long; if the phone companies, the OS teams, and the network carriers work together towards creating a standard authentication protocol for transactions, OTP will become outdated!
At last, thank you so much Srinath Bharadwaj and Nikhil Iyer for helping me with these combinations. I am an independent User Experience (UX) Designer who is passionate about designing user-friendly products/services and also loves traveling. If you like my style, follow me on Medium | write me an email | ping me on Facebook Messenger.