# Advanced concepts

## **OTP Validation in a Form**

### **Purpose**

The OTP (One-Time Password) validation feature verifies, while a user is filling out a form, that the user controls the phone number or email address they entered. This strengthens the form's security and prevents submissions with contact details the user does not own.

### **Application**

OTP validation is applied to:

* The **Phone Number** field
* The **Email** field

<figure><img src="https://4216568905-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-Mc6E3BSGr4i8kVdH38k%2Fuploads%2FV7kMIEkzGQ9ENbwOll4Y%2Fimage.png?alt=media&#x26;token=7c4a3336-06b5-480f-9d15-4fbf35953681" alt=""><figcaption><p>The user enters the phone number and clicks on GET OTP</p></figcaption></figure>

<figure><img src="https://4216568905-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-Mc6E3BSGr4i8kVdH38k%2Fuploads%2FsW1S8WS5oTGzGrthnQkg%2Fimage.png?alt=media&#x26;token=39c7ca83-f019-430f-a028-aac300fae3df" alt=""><figcaption><p>OTP is sent to the given phone number and the user can enter the OTP for verification</p></figcaption></figure>

### **Process Flow**

1. The user enters a **phone number** or **email**.
2. The user clicks **"Get OTP"**.
3. An OTP is sent to the provided phone number or email.
4. The user enters the OTP in the verification field.
5. The system validates the OTP.
   * If correct, the user's phone number/email is verified.
   * If incorrect, the user can reattempt verification.
6. Once verified, the user can proceed to submit the form.

### **Configurable Parameters**

1. **Failed OTP Attempts Lockout:**
   * If a user enters an incorrect OTP **5 times**, they are temporarily blocked from requesting another OTP.
   * **Lockout duration is configurable** based on system policies.
2. **Re-verification for Previously Verified Users:**
   * A user who has successfully validated once should not be asked for OTP verification again while filling out the form.
   * **The duration before re-verification is required is configurable**.
3. **Revalidation After OTP Verification (But Before Submission):**
   * If a user verifies their phone/email but does **not submit the form**, they must be asked for another OTP after a set time.
   * Example: If a user verifies their identity but does not submit the form within **60 seconds**, they must revalidate before form submission.
   * **This time interval is configurable**.
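The process flow and the three configurable parameters above map onto a small server-side state machine. The following Python example is added here to illustrate that mapping; it is not code from the product this page documents. The class and function names (`OtpPolicy`, `OtpVerifier`, `VerifyResult`), the `SERVER_SECRET` placeholder, and every default except the 4-digit length, the 5-attempt lockout and the 60-second submission window (OTP lifetime, lockout length, how long a past verification is trusted) are assumptions chosen for the example. OTP delivery is out of scope: `request_otp` returns the code that a real system would hand to its SMS or email sender.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass
from enum import Enum
from typing import Dict, Optional

# Assumed server-side key for the OTP digest. A real deployment loads it from a
# secret store; this constructed placeholder only keeps the example runnable.
SERVER_SECRET = b"example-only-secret-not-for-production"


@dataclass(frozen=True)
class OtpPolicy:
    """The configurable parameters named on the page, plus assumed defaults."""
    otp_digits: int = 4            # 4-digit OTP, as in the screenshots
    otp_ttl_s: int = 300           # assumed OTP lifetime (5 minutes)
    max_failed_attempts: int = 5   # wrong entries before a temporary lockout
    lockout_s: int = 900           # assumed lockout duration (15 minutes)
    reverify_after_s: int = 3600   # assumed: how long a past verification is trusted
    submit_window_s: int = 60      # verified-but-unsubmitted: revalidate after 60 s


class VerifyResult(Enum):
    OK = "ok"
    WRONG = "wrong"
    EXPIRED = "expired"
    LOCKED = "locked"
    NO_PENDING_OTP = "no_pending_otp"


@dataclass
class ContactState:
    otp_digest: Optional[bytes] = None   # keyed digest; the plaintext OTP is never stored
    otp_issued_at: float = 0.0
    failed_attempts: int = 0
    locked_until: float = 0.0
    verified_at: Optional[float] = None


def _digest(contact: str, code: str) -> bytes:
    # Bind the digest to the contact so a code issued for one number or address
    # cannot be replayed against another.
    return hmac.new(SERVER_SECRET, f"{contact}:{code}".encode(), hashlib.sha256).digest()


class OtpVerifier:
    """Tracks OTP state per phone number or email. `now` is injected for testability."""

    def __init__(self, policy: OtpPolicy) -> None:
        self.policy = policy
        self._state: Dict[str, ContactState] = {}

    def _get(self, contact: str) -> ContactState:
        return self._state.setdefault(contact, ContactState())

    def is_locked(self, contact: str, now: float) -> bool:
        return now < self._get(contact).locked_until

    def needs_verification(self, contact: str, now: float) -> bool:
        """Parameter 2: a recent successful verification is trusted for reverify_after_s."""
        st = self._get(contact)
        return st.verified_at is None or now - st.verified_at > self.policy.reverify_after_s

    def request_otp(self, contact: str, now: float) -> Optional[str]:
        """Steps 2-3: issue a fresh OTP, or None while the contact is locked out."""
        if self.is_locked(contact, now):
            return None
        st = self._get(contact)
        code = "".join(secrets.choice("0123456789") for _ in range(self.policy.otp_digits))
        st.otp_digest = _digest(contact, code)
        st.otp_issued_at = now
        # failed_attempts is deliberately NOT reset here, so requesting a new OTP
        # cannot be used to dodge the lockout counter.
        return code

    def verify(self, contact: str, code: str, now: float) -> VerifyResult:
        """Steps 4-5 and parameter 1: validate the entered OTP and enforce the lockout."""
        st = self._get(contact)
        p = self.policy
        if self.is_locked(contact, now):
            return VerifyResult.LOCKED
        if st.otp_digest is None:
            return VerifyResult.NO_PENDING_OTP
        if now - st.otp_issued_at > p.otp_ttl_s:
            st.otp_digest = None
            return VerifyResult.EXPIRED
        if hmac.compare_digest(st.otp_digest, _digest(contact, code)):  # constant-time compare
            st.otp_digest = None          # single use: a correct OTP cannot be replayed
            st.failed_attempts = 0
            st.verified_at = now
            return VerifyResult.OK
        st.failed_attempts += 1
        if st.failed_attempts >= p.max_failed_attempts:
            st.locked_until = now + p.lockout_s
            st.failed_attempts = 0
            st.otp_digest = None          # the guessed-at OTP is discarded with the lockout
            return VerifyResult.LOCKED
        return VerifyResult.WRONG

    def can_submit(self, contact: str, now: float) -> bool:
        """Step 6 and parameter 3: submission is allowed only within submit_window_s of verifying."""
        st = self._get(contact)
        return st.verified_at is not None and now - st.verified_at <= self.policy.submit_window_s
```

The form handler calls `needs_verification` when the field is filled, `request_otp` on "Get OTP", `verify` on the entered code, and `can_submit` on submit; a `False` from `can_submit` is the signal to send the user back for another OTP. Keeping `failed_attempts` across re-requests matters: if the counter reset on every new OTP, the five-attempt lockout could be sidestepped by alternating a request with four guesses.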

### **Example from UI (Based on Screenshots)**

* **Phone Number Input with OTP Trigger**:
  * A user enters a phone number (e.g., **+91 9999999999**) and clicks **"Get OTP"**.
* **OTP Confirmation Screen**:
  * The system prompts the user to enter a **4-digit OTP** sent to their number.
  * A **resend timer** prevents immediate retriggering of the OTP.
* **Form Submission Process**:
  * If the user validates the OTP but does not submit the form within the defined time, re-verification is required.

### **Security Considerations**

* **Rate Limiting**: Restricts excessive OTP requests to prevent abuse.
* **Configurable Expiry Time**: OTP validity and expiration duration can be adjusted per security policies.
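The rate limiting bullet and the resend timer mentioned under the UI example are two views of the same control: the server refuses OTP sends that come too close together or too often, and the number of seconds it reports back is what the UI counts down. The Python example below is added to show that control; it is not code from the product described on this page. The `OtpRequestLimiter` and `RateLimitPolicy` names and the default values (30-second resend cooldown, at most 3 sends per 10-minute sliding window) are assumptions chosen for the example; the page only states that the limits are configurable.

```python
import math
from collections import defaultdict, deque
from dataclasses import dataclass
from typing import Deque, Dict, Tuple


@dataclass(frozen=True)
class RateLimitPolicy:
    resend_cooldown_s: int = 30   # assumed: minimum gap between two sends to one key
    max_requests: int = 3         # assumed: sends allowed per sliding window ...
    window_s: int = 600           # ... of this many seconds


class OtpRequestLimiter:
    """Sliding-window limiter for 'Get OTP' requests, keyed by contact (or by client address)."""

    def __init__(self, policy: RateLimitPolicy) -> None:
        self.policy = policy
        self._sends: Dict[str, Deque[float]] = defaultdict(deque)

    def check(self, key: str, now: float) -> Tuple[bool, int]:
        """Return (allowed, retry_after_s); the send is recorded only when allowed."""
        p = self.policy
        q = self._sends[key]
        # Drop sends that have aged out of the window.
        while q and now - q[0] >= p.window_s:
            q.popleft()
        # Resend cooldown: the value returned here drives the UI's resend timer.
        if q and now - q[-1] < p.resend_cooldown_s:
            return False, math.ceil(p.resend_cooldown_s - (now - q[-1]))
        # Window cap: wait until the oldest send in the window expires.
        if len(q) >= p.max_requests:
            return False, math.ceil(p.window_s - (now - q[0]))
        q.append(now)
        return True, 0
```

In practice the same limiter is consulted under more than one key for each request, for example `"contact:" + phone` and `"client:" + source_address`, so that neither cycling through phone numbers nor hammering one number from many clients bypasses the limit. The OTP is only generated and sent when every key allows it.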
