Is there any plans to have customizable SMS OTP templates? We’d love to be able to change the message. It would also be nice to have a separate SMS message for logging in a user and creating a new user.
Hey Nick,
Thanks for posting!
Customizable SMS OTP templating is definitely something we’ve discussed and is on our future roadmap, though we don’t have a specific ETA for this feature at the moment.
It would also be nice to have a separate SMS message for logging in a user and creating a new user.
Is this the primary use case that you’d like to utilize customizable SMS templates for? Is this feature a blocker, or a nice to have? Any additional context I can pass along to our team would be helpful!
For our use case it’s more of a nice to have. If the user doesn’t exist we’d like the SMS to direct them to our application process instead. We can do this ourselves by checking if the user is in our system before initiating the SMS OTP flow, however, so it’s not too big of a deal.
Hey Nick – got it, thanks for that additional context!
There is one strategy I’ll recommend that may work for you depending on your specific use case:
- Instead of calling our Log in or create User by SMS OTP endpoint, you’ll call our Send OTP by SMS endpoint, which can only be successfully called for existing Users.
- If a User already exists for the phone number that you pass into the Send OTP by SMS endpoint, the OTP will be sent as normal. If a User does not already exist for that phone number, you’ll receive a phone_number_not_found error and an OTP code will not be sent.
- Upon receiving a phone_number_not_found error, your application can direct the user to your application process. During your application process, you can then call the Log in or create User by SMS OTP endpoint to create the User and send an OTP code (or alternatively call the Create User endpoint then call Send OTP by SMS).
Does that sound like it could work for you?
That almost sounds like it could work! The only thing we were concerned about is a malicious actor trying to determine which phone numbers have accounts by trying out different numbers and seeing if they are redirected to the application flow or not. That’s why we were planning on having the SMS message redirect you to the application flow.
Hey Nick – that totally makes sense, and account enumeration is definitely a valid concern for some applications!
I’ll mention one alternative strategy, just in case it’s helpful:
- Use our Log in or create User by SMS OTP endpoint to send an OTP code to the user.
- Record the user_created value in the Log in or create User by SMS OTP response.
- Once the user successfully submits their OTP code, if user_created was true, redirect to your application process.
I’ll note that we only return the user_created value in our backend API responses (and not via our frontend endpoints) in order to protect against the account enumeration vector that you mentioned.
All of that said, I’m going to see if I’m able to get some more specific information about when we’re planning to release OTP message templates, and I’ll let you know what the result of that is!
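The user_created pattern from the reply above, written out as an added example (not Stytch's own code or SDK): the backend keeps user_created server-side, returns an identical public response for new and existing users, and only reveals the new-vs-existing distinction as a redirect after the OTP has been verified. The api client shape (login_or_create_sms, authenticate_sms), the in-memory pending store and the fake API are assumptions constructed so the example runs offline.

```python
from dataclasses import dataclass, field


@dataclass
class OtpFlow:
    api: object
    # Server-side only: phone_id -> whether the user was just created.
    # This never reaches the browser, so a probe cannot learn it.
    _pending: dict = field(default_factory=dict)

    def start(self, phone: str) -> dict:
        """Backend handler for the 'send code' request.

        Returns the same public shape whether or not the user existed."""
        resp = self.api.login_or_create_sms(phone)
        self._pending[resp["phone_id"]] = bool(resp["user_created"])
        return {"phone_id": resp["phone_id"]}  # user_created deliberately omitted

    def finish(self, phone_id: str, code: str) -> dict:
        """Backend handler for 'verify code'.

        Only after a correct code is the distinction revealed, as a redirect
        target, so an unverified caller sees nothing that differs per phone."""
        if not self.api.authenticate_sms(phone_id, code):
            return {"ok": False}
        created = self._pending.pop(phone_id, False)
        return {"ok": True, "redirect": "/apply" if created else "/home"}


class FakeOtpApi:
    """Constructed stand-in (assumption, not the real client) that mirrors the
    two response fields the reply relies on: phone_id and user_created."""

    def __init__(self, known_phones):
        self.known = set(known_phones)
        self.codes = {}

    def login_or_create_sms(self, phone: str) -> dict:
        created = phone not in self.known
        self.known.add(phone)
        phone_id = "phone-id-" + phone[-4:]
        self.codes[phone_id] = "123456"  # constructed fixed code for the example
        return {"phone_id": phone_id, "user_created": created}

    def authenticate_sms(self, phone_id: str, code: str) -> bool:
        return self.codes.get(phone_id) == code
```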
Oh perfect! Ya I think that is the best suggestion yet and should work great for our use case. Thanks!
Looking forward to hearing back about the OTP message templates as well.
Awesome, glad to hear that!
It sounds like OTP template work isn’t currently planned until Q4 of this year at the earliest. Sorry about that – if this becomes critical to your use case, please let us know, and we’ll be happy to pass along the feedback to our team!
Hello, this feature would be very important for our use case as the “app verification code” message is confusing from the user’s perspective. From a security perspective, most messages like this also include a disclaimer like “never share this code with anyone”. So just adding a +1 to this, thanks!
Hi there. I wanted to follow up to see where this feature request stands in Stytch’s backlog. I think the ability to set a custom message template for SMS OTP is also important because it allows for something like auto OTP entry in Android using the SMS Retriever API (and similar construct in iOS). Doing so requires a custom app hash to be inserted in the message and hence this request. Is there an approximate timeline when this may be available in Stytch?