# About SMS OTP
Signicat's SMS OTP is an authentication method based on one-time passwords on the SMS channel.
# Use cases
A typical scenario may be:
Scenario 1
- An end-user wants to access your application that requires authentication.
- Your application backend (via Signicat SMS OTP) sends an SMS message with an OTP code to the end-user.
- The end-user enters the code and successfully authenticates.
- You receive the end-user's phone number as part of the response from Signicat.
In cases when you already know the user's phone number, the scenario would be:
Scenario 2
- You already know the phone number of an end-user.
- An end-user wants to access your application that requires authentication.
- Your application backend (via Signicat SMS OTP) sends an SMS message with an OTP code to the end-user.
- The end-user enters the code and successfully authenticates.
- You receive a confirmation (true or false) in the response from Signicat.
Although SMS OTP alone does not provide adequate security, from a technical standpoint there is nothing that prevents a customer from using it as a standalone authentication method. However, the recommended use case is to use SMS OTP boost an existing login process. SMS OTP, integrated with any username/ password login solution, will form a two-factor authentication method.
# Technical details
Here are some technical details about SMS OTP:
- An OTP code is 6 characters long. The code is a string of numerical digits. For example,
012345
. - An OTP code is valid for three minutes. After that time, the OTP code expires and the end-user must request a new one.
- The end-user can request up to three OTP codes within an authentication session. The authentication session window lasts for five minutes. After that, the end-user needs to start over.
- An end-user has three attempts to enter the correct code. If authentication fails, the end-user needs to start over.
- User authentication expires after 24 hours. After that time, the end-user receives a new OTP code when they try to access the service. Authentication expiration ensures additional security.
# User journey
When authenticating with SMS OTP, the user journey looks like this:
Ready to see it in action? Follow the steps in the Setup guide to configure SMS OTP in the Dashboard.