OTP Verification

Secure your store with one-time password (OTP) verification for customer authentication.

Overview

OTP (One-Time Password) verification provides a passwordless authentication experience for your customers. Instead of remembering passwords, customers receive a 6-digit verification code via email to authenticate their identity.

Key Benefits

Passwordless Experience - Customers don't need to remember passwords
Enhanced Security - Time-limited codes reduce risk of credential theft
Auto-Registration - New customers are automatically created on first login
Verified Emails - All customer emails are verified by default
Reduced Friction - Faster checkout and account access

When OTP is Triggered

OTP verification is used in several scenarios to protect your customers:

When a customer attempts to log in to your storefront:

Customer enters their email address
A 6-digit verification code is sent to their email
Customer enters the code to authenticate
A session token is issued for future requests

New Account Creation

When a new customer makes a purchase or registers:

Customer provides their email at checkout
OTP code is sent to verify the email address
Account is created after successful verification
Customer can access their order history and account features

Sensitive Actions

OTP may be requested for high-risk operations:

Changing account email address
Viewing or downloading digital assets
Accessing subscription management
Updating payment methods

Customer Experience

Step-by-Step Flow

1. Email Entry

The customer enters their email address on your storefront's login or checkout page.

2. Code Sent

A verification email is sent immediately containing:

A 6-digit numeric code
Store name and branding
Expiration notice (10 minutes)
Security warning not to share the code

3. Code Entry

A verification modal appears where the customer can:

Enter each digit in separate input boxes
Paste a copied code automatically
Use keyboard navigation between boxes
Request a new code if needed

4. Authentication Complete

Upon successful verification:

Customer is logged in
Session is established
Redirected to their intended destination

The OTP input interface includes:

6 Individual Input Boxes - For easy digit-by-digit entry
Auto-Focus - Cursor moves automatically to the next box
Paste Support - Full code can be pasted at once
Clear Error Messages - Feedback for invalid or expired codes
Resend Option - Request a new code with cooldown timer
Skip Option - Verify later for non-critical actions

Configuration Options

OTP Settings

Configure OTP behavior in your store settings:

Setting	Default	Description
Code Length	6 digits	Number of digits in the OTP code
Expiration	10 minutes	How long codes remain valid
Max Attempts	3	Attempts before code is invalidated
Rate Limit	3/hour	Maximum codes per email per hour
Cooldown	60 seconds	Minimum wait between resend requests

Security Features

Rate Limiting

Maximum 3 OTP requests per email address per hour
Prevents brute force and abuse
Resets after 60 minutes

Attempt Tracking

3 verification attempts per code
Code is invalidated after max attempts
Customer must request a new code

One-Time Use

Codes are deleted immediately after successful verification
Cannot be reused even within the validity window

Email Template Customization

The OTP verification email can be customized to match your store's branding.

Accessing the Template

Go to Settings > Email Templates
Find OTP Verification template
Click Edit to customize

Available Variables

Variable	Description
	The 6-digit verification code
	Your store's name
	Code expiration time (e.g., "10 minutes")
	Customer's email address
	Current year

Default Template Structure

Subject: Your verification code for {{store_name}}

Your verification code is: {{code}}

This code will expire in {{expiration}}.

Never share this code with anyone. {{store_name}} will never ask
for your verification code over phone or email.

If you didn't request this code, please ignore this email.

Customization Tips

Keep the code prominently displayed
Include security warnings
Match your store's visual branding
Keep the email concise
Ensure mobile-friendly layout

Troubleshooting

Codes Not Arriving

Check Spam/Junk Folder

Verification emails may be filtered
Ask customers to check spam folders
Add your store's email to contacts

Verify Email Address

Ensure no typos in the email
Try sending to a different email
Check if email domain is valid

Email Delivery Issues

Verify your mail service is configured correctly
Check mail service logs for errors
Test with a known working email

Rate Limit Reached

Customer may have requested too many codes
Wait 60 minutes for the rate limit to reset
Contact support if legitimate need

Invalid Code Errors

"Invalid OTP code"

Customer may have mistyped the code
Double-check each digit
Ensure no extra spaces were entered

"OTP not found or expired"

Code has expired (10 minutes limit)
Request a new verification code
Check system time sync if persistent

"Too many verification attempts"

Maximum 3 attempts exceeded
Request a new code
Wait a moment before trying again

Account Issues

"Email already registered"

Customer already has an account
Proceed with normal login flow
Password not required with OTP

"Could not create account"

Check if email format is valid
Ensure store allows registrations
Contact support if persists

Best Practices

For Store Owners

Monitor Failed Attempts
- Review security logs for unusual patterns
- Multiple failures may indicate attack
- Block suspicious IP addresses
Keep Templates Professional
- Match your brand identity
- Include clear security warnings
- Test on multiple email clients
Educate Customers
- Add FAQ about OTP process
- Include support contact info
- Explain why OTP is used

For Customers

Check Spam Folders
- Codes may be filtered initially
- Mark as "not spam" to whitelist
Use Fresh Codes
- Always use the most recent code
- Request new code if unsure
Never Share Codes
- Store staff will never ask for codes
- Report any suspicious requests

Security Considerations

How OTP Protects Your Store

No Password Storage - Reduced risk from database breaches
Time-Limited Codes - 10-minute window minimizes exposure
Single Use - Codes cannot be replayed
Email Verification - Ensures valid customer contact

What OTP Does NOT Protect Against

Compromised email accounts
Phishing attacks targeting customers
Man-in-the-middle attacks on email

Additional Security Measures

For maximum protection, combine OTP with:

Two-Factor Authentication for store owner accounts
Team Member Permissions to limit access
Activity Logging to track all actions
Customer Bans for abusive accounts

Two-Factor Authentication - Secure your store owner account
Activity Logs - Monitor account activity
Customer Bans - Manage blocked customers
Email Templates - Customize your emails

OTP Verification ​

Overview ​

Key Benefits ​

When OTP is Triggered ​

Customer Login ​

New Account Creation ​

Sensitive Actions ​

Customer Experience ​

Step-by-Step Flow ​

Verification Modal ​

Configuration Options ​

OTP Settings ​

Security Features ​

Email Template Customization ​

Accessing the Template ​

Available Variables ​

Default Template Structure ​

Customization Tips ​

Troubleshooting ​

Codes Not Arriving ​

Invalid Code Errors ​

Account Issues ​

Best Practices ​

For Store Owners ​

For Customers ​

Security Considerations ​

How OTP Protects Your Store ​

What OTP Does NOT Protect Against ​

Additional Security Measures ​

Related Documentation ​