OTP Verification
Detailed guide to OTP (one-time password) verification for survivors in Burning Ash Protocol.
OTP (One-Time Password) verification is how survivors prove their identity when accessing a will. This guide explains the process in detail.
Overview
When a will transfer is initiated, survivors must verify their identity before they can contribute to reconstructing the encryption key. OTP is the primary verification method.
How OTP Works
Generation
- Survivor selects their name in the portal
- System generates a random 6-digit code
- Code is hashed before storage (for security)
- Code is sent to survivor's contact method
Delivery
The system tries contact methods in priority order:
Primary → Secondary → Tertiary → Quaternary
If the primary fails (e.g., email bounces, phone unreachable), it automatically tries the next.
Verification
- Survivor enters 6-digit code
- System hashes input and compares to stored hash
- If match → verified; if not → error
OTP Screen
When you're ready to verify, you'll see:
┌─────────────────────────────────────────────────────────────┐
│                       VERIFY IDENTITY                       │
├─────────────────────────────────────────────────────────────┤
│                                                             │
│  We've sent a verification code to:                         │
│  j***@example.com                                           │
│                                                             │
│  Enter the 6-digit code:                                    │
│  ┌───┬───┬───┬───┬───┬───┐                                  │
│  │ 1 │ 2 │ 3 │ 4 │ 5 │ 6 │  [Submit]                        │
│  └───┴───┴───┴───┴───┴───┘                                  │
│                                                             │
│  ────────────────────────                                   │
│                                                             │
│  Didn't receive it?                                         │
│  • Check spam/junk folder                                   │
│  • [Resend Code]                                            │
│  • [Use Backup Code]                                        │
│                                                             │
│  Code expires in 10:00                                      │
│                                                             │
└─────────────────────────────────────────────────────────────┘
Step-by-Step Process
Step 1: Select Your Name
- Access the survivor portal link
- Find your name in the survivor list
- Click to select
- Click "Continue"
Step 2: Wait for OTP
- Code is sent automatically after selection
- Typical delivery time:
- Email: < 30 seconds
- SMS: < 10 seconds
- WhatsApp: < 10 seconds
- Telegram: < 10 seconds
Step 3: Enter Code
- Type the 6 digits
- Click "Submit"
- Or press Enter after entering all 6 digits
Step 4: Success or Failure
Success:
- You see confirmation
- Your share is decrypted in server memory
- Progress updates to show you're authenticated
Failure:
- Incorrect code entered
- Shows remaining attempts
- Can retry or use backup code
OTP Security
Constraints
| Limit | Value |
|---|---|
| Code length | 6 digits |
| Expiry | 10 minutes |
| Attempts per code | 3 |
| Requests per hour | 5 |
Why These Limits?
- 6 digits: 1 million possible codes (sufficient for low-value, rate-limited verification)
- 10 minutes: Long enough to receive and enter, short enough to limit exposure
- 3 attempts: Prevents brute force while allowing typos
- 5/hour: Prevents automated attacks while allowing retries
Security Features
- Hashed storage: Even if database is compromised, codes can't be used
- Rate limiting: Prevents brute force attacks
- Time expiry: Limits window for attack
- Unique per session: New code each verification attempt
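The issue/verify cycle under the limits in the Constraints table, as an added example that is not Burning Ash Protocol's own code. The in-memory `OtpStore`, the `SERVER_KEY` and the choice of HMAC-SHA256 are assumptions; the page states only that the code is hashed before storage.

```python
import hashlib
import hmac
import secrets
import time

CODE_TTL = 600             # expiry: 10 minutes
MAX_ATTEMPTS = 3           # attempts per code
MAX_REQUESTS_PER_HOUR = 5  # requests per hour
# Assumption: keyed digest. A bare hash of a 6-digit code falls to trying all
# 1,000,000 values, so the stored value is HMAC-SHA256 under a server-side key.
SERVER_KEY = secrets.token_bytes(32)

def _digest(code):
    return hmac.new(SERVER_KEY, code.encode(), hashlib.sha256).digest()

class OtpStore:
    """In-memory stand-in for the database (hypothetical)."""
    def __init__(self):
        self.active = {}    # survivor -> {"digest", "expires", "attempts"}
        self.requests = {}  # survivor -> timestamps of requests in the last hour

    def issue(self, survivor, now=None):
        now = time.time() if now is None else now
        recent = [t for t in self.requests.get(survivor, []) if now - t < 3600]
        if len(recent) >= MAX_REQUESTS_PER_HOUR:
            return None  # rate limited: no new code
        self.requests[survivor] = recent + [now]
        code = f"{secrets.randbelow(10**6):06d}"  # CSPRNG; keeps leading zeros
        # A fresh code replaces the old one and resets the attempt counter.
        self.active[survivor] = {"digest": _digest(code),
                                 "expires": now + CODE_TTL, "attempts": 0}
        return code  # goes to the delivery channel; only the digest is kept

    def verify(self, survivor, submitted, now=None):
        now = time.time() if now is None else now
        rec = self.active.get(survivor)
        if rec is None:
            return "no_code"
        if now >= rec["expires"]:
            del self.active[survivor]
            return "expired"
        rec["attempts"] += 1
        if hmac.compare_digest(rec["digest"], _digest(submitted)):
            del self.active[survivor]  # a code verifies once
            return "verified"
        if rec["attempts"] >= MAX_ATTEMPTS:
            del self.active[survivor]  # third miss invalidates the code
            return "locked"
        return "invalid"
```

The `now` parameter exists so expiry and the hourly window can be exercised with fixed timestamps.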
Backup Codes
If you can't receive OTP, use a backup code.
Using Backup Code
- Click "Use Backup Code" on the verification screen
- Enter your 8-character code: A3F7-K9M2
- Click "Submit"
Backup Code Properties
- Format: 8 alphanumeric characters
- Case-insensitive: a3f7k9m2 works the same as A3F7-K9M2
- Single-use: Each code works once
- No expiration: Unlike OTP, backup codes don't expire
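The backup code properties above (hyphen optional, case-insensitive, single-use), as an added example that is not the project's own code. The number of codes per survivor, the `SERVER_KEY` and storing HMAC digests instead of the codes themselves are assumptions; the page does not say how backup codes are stored.

```python
import hashlib
import hmac
import secrets
import string

ALPHABET = string.ascii_uppercase + string.digits
SERVER_KEY = secrets.token_bytes(32)  # assumption: server-side HMAC key

def normalize(raw):
    """Canonical form: trimmed, hyphen removed, upper case, exactly 8 characters."""
    code = raw.strip().replace("-", "").upper()
    if not raw.isascii() or len(code) != 8 or any(c not in ALPHABET for c in code):
        raise ValueError("backup code must be 8 alphanumeric characters")
    return code

def _digest(code):
    return hmac.new(SERVER_KEY, code.encode(), hashlib.sha256).digest()

def generate(count=5):
    """Return (codes to show once, digests to store). count is hypothetical."""
    codes = ["".join(secrets.choice(ALPHABET) for _ in range(8)) for _ in range(count)]
    shown = [f"{c[:4]}-{c[4:]}" for c in codes]
    return shown, [_digest(c) for c in codes]

def redeem(stored, raw):
    """Consume a code: True once, False for reuse, unknown or malformed input."""
    try:
        candidate = _digest(normalize(raw))
    except ValueError:
        return False
    for d in stored:
        if hmac.compare_digest(d, candidate):
            stored.remove(d)  # single-use: delete on success
            return True
    return False
```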
Getting Backup Codes
The host provides backup codes when you're added as a survivor. They're shown only once at that time.
If you didn't receive them:
- Contact the host
- Host can regenerate codes (invalidates old ones)
Failed Attempts
Too Many Attempts
After 3 wrong OTP attempts:
- Current code is invalidated
- Must request new code (or use backup code)
Rate Limited
After 5 OTP requests per hour:
- Must wait before requesting more
- Use backup code instead
Code Expired
After 10 minutes:
- Code no longer valid
- Request a new code
Troubleshooting
Not Receiving OTP
Check all channels:
- Email (check spam/junk)
- SMS
- Telegram
Common issues:
- Phone number wrong → Contact host
- Email typed wrong → Contact host
- Email in spam → Check spam folder
- Phone off/airplane mode → Enable and wait
Wrong Number Entered
- Clear the input
- Enter carefully
- Or click "Resend" for a fresh code
"Invalid Code" After Correct Entry
- Ensure no leading/trailing spaces
- Check you're using the right code
- Try backup code if available
Lost Backup Codes
If all backup codes have been used and OTP delivery is not working:
- Cannot authenticate
- Contact other survivors
- May need to wait for transfer to fail
Wrong Name Selected
If you selected the wrong name:
- You can't change it after selection in the same session
- Contact host or wait for timeout
Resending OTP
Manual Resend
Clicking "Resend Code":
- Generates a fresh code
- Sends it to the primary connector
- Resets the attempt counter
Automatic Resend
If the primary connector fails, the system automatically tries the next one in priority order.
Rate Limit on Resend
Max 5 OTP requests per hour per survivor.
Best Practices
For Smooth Verification
- Check notification channel — Know which one you'll receive
- Have backup ready — Know where backup codes are
- Act quickly — Verify soon after notification
- Check spam — Email often goes there
If Having Trouble
- Wait 30 seconds for delivery
- Check all channels
- Try backup code
- Contact the host if all else fails
What Happens After Verification
After you successfully verify:
- Your SSS share is decrypted in server memory
- You're shown as authenticated on the progress screen
- System checks if threshold is met
- If met → documents become accessible
- If not met → wait for other survivors
Summary
OTP verification is designed to be:
- Simple — Just enter a code
- Secure — Rate limited, hashed, time-bounded
- Accessible — Multiple channels, backup codes
- Fast — Usually under 30 seconds
Next Steps
- Accessing Documents — After verification
- Receiving Access — Overview