nOTP - The Next Gen Verification.
nOTP is a verification product from Exotel that helps secure your business by verifying customer identity based on their mobile number.
Available as an SDK for Android phones, nOTP allows users to verify with absolutely no actions from their end. All they have to do is enter their phone number, and click on the ‘verify’ option. Everything else happens automatically, and the number is verified.
nOTP works without an SMS, and only with a missed call. It is simple and makes number authentication foolproof.
Verify the user’s mobile number quickly and seamlessly using the nOTP verification library.
The nOTP SDK automatically intercepts a phone call triggered by the nOTP system for mobile number verification, allowing you to verify your users with no user interaction.
Using the SDK, you can integrate nOTP verification into your existing Android apps with just a few lines of code.
How It Works-
Advantages of using nOTP-
Up to 42% cheaper than SMS
nOTP is cheaper than SMS because it involves only a missed call. This difference makes absolute sense for a business that verifies a large number of users.
Up to 2X faster than SMS OTP
Although most of the time SMS is sent and received in a few seconds, the networks experience congestion sometimes and you may never receive the OTP within the set time limit. On the other hand, nOTP is much more reliable and quicker.
Superior verification rates
nOTP provides superior results for successful verifications.
Seamless user experience
The user doesn’t have to wait for the OTP or enter the code to verify.
A higher number of user verifications
nOTP is a quick and effective method to validate user phone numbers. So the number of verifications that can be done is high.
Places nOTP can be useful-
Two Factor Authentication - Introduce an extra layer of security, without adding complexity to your customers.
Spam Prevention - Control spam registrations, and avoid fake signups.
Password Reset - Verify users with nOTP to reset passwords, instead of sending them codes via SMS.
Passwordless Login - Do away with passwords as users can be verified using nOTP every time they log in.
The SDK can be used with Android 4.1+ versions.
The compileSdkVersion of your app needs to be 28+.
For verification, the phone number should be passed in E.164 format, prefixed with the plus sign (+). Reference: https://en.wikipedia.org/wiki/E.164
The following details provided by the nOTP team are required to complete the integration of SDK & to test the verifications:
Please login to https://verify.exotel.com/, with your Exotel account, to generate the above.
Verification Throttle Limits-
The following throttle limits are applied at the nOTP platform end:
200 API requests per minute (per account)
10 verification requests per Mobile Number per hour
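A local pre-check that rejects numbers not in E.164 format and stops requests that would exceed the limits above before they reach the API. This is an added example, not code from Exotel or the SDK. The class name, the sliding-window interpretation of the limits and the sample number are assumptions, and only verification requests sent through this one object are counted.

```java
import java.util.ArrayDeque;
import java.util.Deque;
import java.util.HashMap;
import java.util.Map;
import java.util.regex.Pattern;

/** Added example: local pre-check mirroring the documented nOTP limits. */
public class VerificationGuard {
    // E.164: plus sign, non-zero leading digit, at most 15 digits in total.
    private static final Pattern E164 = Pattern.compile("^\\+[1-9]\\d{1,14}$");
    private static final int PER_ACCOUNT_PER_MINUTE = 200; // limit stated on the page
    private static final int PER_NUMBER_PER_HOUR = 10;     // limit stated on the page

    private final Deque<Long> accountHits = new ArrayDeque<>();
    private final Map<String, Deque<Long>> numberHits = new HashMap<>();

    public enum Decision { ALLOW, BAD_FORMAT, NUMBER_LIMIT, ACCOUNT_LIMIT }

    /** Decide whether a verification for this number may be sent at nowMillis. */
    public synchronized Decision check(String number, long nowMillis) {
        if (number == null || !E164.matcher(number).matches()) return Decision.BAD_FORMAT;
        Deque<Long> perNumber = numberHits.computeIfAbsent(number, k -> new ArrayDeque<>());
        expire(perNumber, nowMillis - 3_600_000L);   // one-hour window (assumed sliding)
        expire(accountHits, nowMillis - 60_000L);    // one-minute window (assumed sliding)
        if (perNumber.size() >= PER_NUMBER_PER_HOUR) return Decision.NUMBER_LIMIT;
        if (accountHits.size() >= PER_ACCOUNT_PER_MINUTE) return Decision.ACCOUNT_LIMIT;
        perNumber.addLast(nowMillis);                // record only requests we let through
        accountHits.addLast(nowMillis);
        return Decision.ALLOW;
    }

    // Drop timestamps that have fallen out of the window.
    private static void expire(Deque<Long> hits, long cutoff) {
        while (!hits.isEmpty() && hits.peekFirst() <= cutoff) hits.removeFirst();
    }

    public static void main(String[] args) {
        VerificationGuard guard = new VerificationGuard();
        System.out.println(guard.check("9876543210", 0L));            // no plus sign
        for (int i = 0; i < 11; i++) {                                 // constructed number
            System.out.println(i + ": " + guard.check("+919876543210", i * 1000L));
        }
        System.out.println(guard.check("+919876543210", 3_601_000L)); // window has moved on
    }
}
```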
New Customer Onboarding
For a new customer to be onboarded, they need to have an Exotel account. Once their account is created, a corresponding virtual account needs to be created in nOTP using the create account endpoint along with client applications. Customer needs to send a mail to firstname.lastname@example.org or reach out to their Account Manager with the following details:
Information needed for customer onboarding-
"signature": "", // The package name of the application, e.g. com.example.appname
"status_callback_method": "", // The HTTP verb: GET, POST, PUT, etc.
"call_confirm_method": "", // The HTTP verb: GET, POST, PUT, etc.
"ttl": "" // Accepted units, e.g. "5mo2d":
          //   * Hour: h, hr, hour, hours
          //   * Day: d, day, days
          //   * Week: w, wk, week, weeks
          //   * Month: mo, mon, month, months
          //   * Year: y, yr, year, years
The app-id and the secret required to use nOTP will be generated and shared with the customer.
This app-id secret pair will be one per application.
In addition to this, we currently support nOTP only for numbers from certain countries. Knowing from the customer which countries the bulk of the requests will come from can be very helpful to us.
Refer to our GitHub page to integrate nOTP SDK with your mobile app: https://github.com/exotel/ExoVerify
Google Play Store Permissions
One of the permissions requires a use-case declaration (how the permission would be used) as per the updated Google Play policies. When submitting your app to Google Play, make sure to select the exact use case in the declaration form, as shown in the screenshot below:
What does 'HTTP Timeout' mean in Step #9 of the Android SDK integration process documented on GitHub?
It is essentially the request connection timeout for any HTTP request originating from SDK to Exotel servers, and the value is passed to the function ".connectTimeout()" for the OkHttpClient class.
It is a configurable parameter at the SDK level, which can be configured while integrating the SDK into the client mobile application. The value (in seconds) needs to be between 1 and 30.
What is the total turnaround time for a request from a mobile app (origin) to a mobile app (termination)?
The average turnaround time is ~10 seconds for India & Indonesia for successful verifications. Any deviation largely depends upon the operator present in the region and the time taken to land the call on the user's device.
The maximum turnaround time is 30 seconds. If the call has not landed by then, we automatically fail the request and proceed. The timer class can optionally be integrated, as mentioned in Step #10 of the GitHub documentation, to display a real-time timer until the verification happens or the request times out.
Please note that if a wrong mobile number is provided for verification, the SDK will always wait for the full 'timeout' duration, which is 30 seconds by default.
Are we passing the Verification ID at the SDK level (to all the responses directly sent to the mobile app)?
We are passing the verification ID as part of the API response to the SDK, but the SDK does NOT clearly expose this ID to the customer application.
If it is essential for your implementation, we can expose this ID by having an additional function in the SDK.
Is SDK listening to all the missed calls? What if there are multiple calls at the same time of verification? How will the SDK differentiate and what will happen to non-expected missed calls?
Yes, the SDK is listening to all the calls once the verification has started but disconnects only the call from the expected number.
It picks the caller ID of the incoming call, hashes it, and checks if it is the expected number. If not, the call is ignored. If it is the expected number, it marks the verification as successful and proceeds to cut the call.
We stop listening for incoming calls when the verification is successful or if the request is timed out.
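The check described in this answer, modelled in plain Java as an added example. It is not the SDK's code. The class name, the use of SHA-256, the way the expected hash is supplied and the sample numbers are assumptions, since the page does not name the hash function or say how the SDK learns the expected value.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;

/** Added example: models the caller-ID check described above; not SDK code. */
public class CallMatchSession {
    public enum Result { IGNORED, VERIFIED, NOT_LISTENING }

    private final byte[] expectedHash;  // hash of the number the call should come from
    private final long deadlineMillis;  // start time plus the verification timeout
    private boolean listening = true;

    public CallMatchSession(byte[] expectedHash, long startMillis, long timeoutMillis) {
        this.expectedHash = expectedHash.clone();
        this.deadlineMillis = startMillis + timeoutMillis;
    }

    // Assumption: SHA-256 over the UTF-8 caller ID; the page does not name the hash.
    public static byte[] hash(String callerId) {
        try {
            return MessageDigest.getInstance("SHA-256")
                    .digest(callerId.getBytes(StandardCharsets.UTF_8));
        } catch (NoSuchAlgorithmException e) {
            throw new IllegalStateException(e); // SHA-256 is required on every Java platform
        }
    }

    /** Called for every incoming call while a verification is in progress. */
    public synchronized Result onIncomingCall(String callerId, long nowMillis) {
        if (!listening || nowMillis > deadlineMillis) {
            listening = false;            // verified earlier or timed out: stop listening
            return Result.NOT_LISTENING;
        }
        // Constant-time comparison of the two digests.
        if (callerId == null || !MessageDigest.isEqual(hash(callerId), expectedHash)) {
            return Result.IGNORED;        // unrelated call: leave it untouched
        }
        listening = false;                // expected caller: mark verified, then cut the call
        return Result.VERIFIED;
    }

    public static void main(String[] args) {
        byte[] expected = hash("+918000000000");                  // constructed caller ID
        CallMatchSession session = new CallMatchSession(expected, 0L, 30_000L);
        System.out.println(session.onIncomingCall("+919999999999", 5_000L));  // other caller
        System.out.println(session.onIncomingCall("+918000000000", 9_000L));  // expected caller
        System.out.println(session.onIncomingCall("+918000000000", 10_000L)); // session closed
    }
}
```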
Which are the Android versions in which call logs are not deleted automatically (by the SDK)?
We are not removing the call logs for any Android versions anymore. This feature was removed in 2018 itself. The call that is received will be visible in the call logs for all the Android versions.
What happens if a non-supported country number is requested for verification?
We will fail that request.