On version 5.6U1 the SMS OTP method allows for specific variables to be added as part of the message to be sent to the user. At the moment, only 4 variables are available in the Body of the message: {user},{endpoint}, {event}, {otp}.
Could an additional variable be added that allows us to include the {timestamp} that the OTP was generated (EG: 2017-11-09 17:22:07)? Having a timestamp added to the message will is currently a requirement for a message being sent at a customer (Vodacom South Africa) and in general it is mostly to allow users to validate that the OTP received in the current one. It is easier to detect if there is any fraudulent activity taking place as well in cases where an OTP is sent immediately after the other. One could argue that when the phone receives the message, it automatically puts a time and date that the message was received, however that is based on the settings of the actual phone (the date and time) which could be tampered with or modified by a fraudulent user and that is why the OTP messages often have some kind of timestamp that states when was the OTP generated. The {endpoint} and {event} could not be very relevant to the end user who might not be aware of what technical endpoint or event is sending the OTP.
by: Bruno U. | over a year ago | Configuration
Comments
Bruno, Where would the 'time' come from? The AA Server and /or the SMS provider could be in a different time zone. Troy
The {time} would come from the AA server where the OTP is generated. This would also make it easier to identify the occurrence in the logs, in case it needs to be audited or verified.
So far in the deployments I have experienced, the servers are always configured with NTP servers as well.
If it comes from the SMS provider, I agree, the time could be different so I think the AA server would be a more adequate place.