SMS devices

Some organizations may have customers who do not have a smart mobile device, or prefer not to download mobile apps on their mobile devices. PingID SDK supports the alternative usage of one time passcodes (OTPs) via mobile devices.

Initially, SMS based OTP is the only supported OTP pairing and authentication method. In the future, voice call based OTP and email OTP will also be available.

PingID SDK supports the following:

Pairing a user’s first device and additional devices in the network of trusted devices, using OTP
Authentication using OTP
OTP device management, including functionality for device unpair, bypass, rename and transition between the primary and trusted device roles.

Several factors should be considered:

In contrast to a mobile device, an OTP device may be considered a virtual device, since the phone number, rather than a physical device, is paired with a user and application. The phone number may be ported from one physical device to another, without affecting its paired status.
OTP support must be enabled in the PingID SDK configuration, to allow both pairing and authentication via OTP. By default, OTP support is disabled in the PingID SDK configuration.
If the OTP configuration is enabled and there are users with paired OTP devices, those devices will be unpaired if the OTP configuration is disabled. If the OTP configuration is enabled again, it will not automatically pair those devices, and they will remain unpaired.

Pairing a user’s device using OTP

An OTP device can be paired as a user’s primary device, or as an additional device in the network of trusted devices. If the user has no primary device, the OTP device is paired as the user’s primary device, otherwise, it is paired as a trusted device.

It is possible to name the device during the pairing process or from the self service page, depending of customer implementation. If the device was not named, the PingID SDK server allocates the default name “Mobile #”, where the first SMS device is “Mobile 1”, the second is “Mobile 2” and so forth, according to the number of OTP devices of that type paired by the user. - The pairing message content is provided by the organization. It is possible to send a pairing message in any language. - Trial accounts are limited to 100 pairing SMS messages per account. Fully licensed accounts have an unlimited amount of pairing SMS messages. Licensed accounts - The pairing process fails at any stage of the flow if: - The application is disabled. - The user is suspended. - The OTP authentication method is disabled for the application. - The user has reached the maximum number allowed devices - The SMS sender ID is invalid. The SMS sender is optional. If the sender ID is specified, it is considered valid if it is in alphanumeric format comprising only English letters, numbers and spaces, and is up to 11 characters in length.
- The SMS message is invalid. An SMS message is considered valid if the message is not empty and is up to a maximum of 160 characters in length.
- The trial account has reached the limit of 100 pairing SMS messages. - Any new SMS pairing process invalidates any old manual pairings for other devices, which were not finalized for the user. For example: - A user starts a manual SMS pairing.
- The user has not entered yet any OTP in order to finalize the pairing.
- The user starts a new pairing process.
- The first manual SMS pairing cannot be finalized anymore. However, starting a mobile application pairing invalidates unfinalized pairing processes of older mobile applications, but does not affect the current SMS pairing process.

Manual OTP pairing

The manual OTP pairing process comprises 2 steps: 1. The user receives a message (for example, an SMS) with a one time passcode (OTP). 2. The user, in turn, has to use the OTP in order to finalize the pairing process. If the user enters an invalid OTP 3 times in succession, the pairing process fails.

Note:

Manual pairing can be cancelled at any point before it is finalized.
If the pairing process is not finalized with a valid OTP within 30 minutes, the pairing process is cancelled automatically.

Automatic OTP pairing

In the automatic OTP pairing, the OTP device is paired without user involvement, and is transparent to the user.

Authentication using OTP

OTP authentication comprises 2 steps: 1. The user receives a message (for example, an SMS) with a one time passcode (OTP). 2. The user, in turn, has to use the OTP in order to finalize the authentication process. If the user enters an invalid OTP 3 times in succession, the authentication process fails. If the authentication process is not finalized with a valid OTP within 30 minutes, the authentication process is automatically cancelled.

The authentication message content is provided by the organization. It is possible to send an authentication message in any language. ### SMS related reasons for authentication failure:

The SMS sender ID is invalid. The SMS sender ID is optional. If the sender ID is specified, it is considered valid if it is in alphanumeric format comprising only English letters, numbers and spaces, and is up to a maximum of 11 characters in length.
The SMS message is invalid. An SMS message is considered valid if the message is not empty and is up to a maximum of 160 characters in length.
The user reached the daily used or unused SMS messages limit.

OTP device management

Device management includes functionality for device unpair, bypass, renaming and transition between the primary and trusted device roles. This functionality is implemented for OTP devices in the same manner as for mobile application devices. ::: info Since OTP devices do not have have an application with an integrated SDK component, they can never access the PingID Server. As such, they are not listed under the “Seen Devices” section. A seen device can only be an unpaired device Which previously accessed the PingID SDK server. :::