Tips to ace your one-time password emails
- Published : June 30, 2024
- Last Updated : October 16, 2024
The most important things are often overlooked because they’re so ingrained in our process that we tend to practice them without a second thought. Their significance is pronounced only when they’re removed from the system, leading to serious outcomes.
One such practice in the world of online transactions is the process of receiving one-time passwords (OTPs). OTPs, in most cases, are the first line of defense in protecting our identity from being misused by bad actors. OTPs, in their various forms, ensure safe and secure transactions.
While delivering OTPs on time is important, presenting them the right way is essential to protect users and enhance their experience. Read on to learn how you can get these emails right.
What are one-time passwords?
One-time passwords are a set of characters generated and sent to a user's trusted device or application. They’re dynamic, auto-generated values that change every time they’re requested. As one-time codes, they become invalid once they’ve been used.
OTPs are part of multi-factor authentication (MFA), which is used to verify a user's identity. MFA authenticates a user through a series of steps: the user passes multiple layers of security checks to access a service or complete a transaction.
These checks include logging on to a fingerprint-enabled device and entering the username-password combination along with the OTP to confirm their identity. OTPs are also used for passwordless logins, where the username and OTP combination alone is used to log into a service.
OTPs are delivered over different channels, and they also differ from each other in how they’re generated.
Types of OTPs
To understand the types of OTPs, it’s important to know how they work. An OTP is produced from a combination of two inputs: a seed and a moving factor.
The seed is what makes the codes unique to a user. It’s a secret shared between the code generator on the user's side and the server. The second input is the moving factor. This is a value that changes from one code to the next, and it’s what differentiates one type of OTP from the other.
The seed and the moving factor are combined by a keyed hashing algorithm (an HMAC), and a short code derived from the resulting hash value is the OTP that the user receives.
Based on the moving factor, there are two types of OTPs: HOTP and TOTP.
HOTP
The HMAC-based OTP (or hash-based OTP) uses an event-based counter as its moving factor, with the event being the act of requesting the OTP. During a login attempt, the OTP is shared with the user. Once they enter it, the server uses the counter value to verify the code. The advantage of an HOTP is that the user can refresh it to generate a new value. More information on this method of authentication can be found here.
TOTP
Time-based OTPs use a timer as the moving factor. The codes generated using this method are valid for only a short time. The user must enter the code within that window, usually between 15 seconds and one minute, after which a new code replaces it. The TOTP method usually relies on a third-party authenticator app to generate the code. When the user logs into a service, they copy the OTP from the app into the login page to verify their identity. More information on this method of authentication can be found here.
Methods of delivering OTPs
SMS/text messages: Users attempting to log into a service receive the OTP on their registered mobile number. SMS-based authentication adds another layer of security on top of password-based login. SMS or text messages don’t require the user to learn new hardware or install additional authenticator applications.
Email: Email-based authentication involves the user receiving an OTP at their email address. It’s used to verify the user's identity, especially when they’re new to a service. Email OTPs are also used to recover forgotten passwords, because users most often log into an application with their email address. Email OTPs are a popular channel for passwordless logins, where a user signs into a service using their username and the OTP received in an email.
Messaging applications: The newest trend in receiving OTPs is via messaging apps like WhatsApp. Messaging applications combine the convenience of a handheld device with the accessibility of a text message. They offer additional protection because they use end-to-end encryption to secure the OTPs users receive.
Hardware keys: Hardware keys are physical devices used to validate users. Once the key is registered with the service, the user can use it to verify their identity. When the user signs into the service, they’ll be prompted to enter the OTP, which can be fetched from the hardware key. Hardware keys include USB keys and NFC-enabled devices.
Authenticator applications: Authenticator applications also generate OTPs. They don't require a separate physical device like a hardware key; the application is installed on the user's mobile device. These applications use the TOTP method, so the code is refreshed after a fixed interval. The advantage of these applications is that they work without internet access, making them highly accessible.
Why do OTPs matter?
Authentication
The primary function of an OTP, which we’ve been reinforcing so far, is to protect users' identities. Using these codes during login or while registering for a service helps prevent identity theft and makes it difficult for bad actors to break into an account. Enabling OTP-based logins also helps users stay aware of any attempts to use their account. When a user receives an OTP they didn't request, they’ll know someone is trying to break in and can be more vigilant by strengthening their passwords and taking other mitigation actions.
Safer than passwords
When used along with passwords, security codes like OTPs mitigate the impact of password breaches. Because a new code is generated every time, they’re immune to replay attacks, where a bad actor captures a code and tries to use it again later. OTPs are increasingly being used as an alternative to passwords when logging into a service. This takes account security to the next level by completely eliminating passwords that can be compromised.
Scalability and ease of use
The OTP method of authentication can be easily incorporated into an application using APIs, allowing for seamless integration. Because OTPs integrate easily with a service, they don’t require complex infrastructure, which helps reduce the cost of building one. This helps you bolster security without burning a hole in your pocket.
Because OTPs are a familiar concept, there’s not much of a learning curve for users when it comes to adopting them. The OTP delivery methods are easy to use and, in most cases, don’t require additional knowledge. Users don’t have the hassle of remembering them, making them a preferred option.
OTP use-cases
Account authentication
Security codes like OTPs find their use in account authentication as a part of 2FA or MFA. This includes authentication while logging into a banking service, or even passwordless logins.
User registration
Users who sign up using their email address or mobile number verify them using OTPs. This verification helps them check if the details they’ve used are accurate.
Online transactions
OTPs are largely used in financial transactions and account access. Because banking transactions are highly sensitive, receiving an OTP to confirm them will prevent unauthorized access and financial fraud.
Password reset
Another common use of email OTPs is to aid in password reset or password recovery. Because users almost always sign up for a service using their email address, email OTPs are used for this purpose. Email OTPs for password recovery prevent bad actors from hacking into your account. Because they’re sent to your email address, you’ll be aware of any attempts to break into your account. Unless your email address is compromised, this is a fail-proof method of protecting your password-protected account.
These use cases give you a rough idea of how OTP authentication works and why it’s important. Although getting these important codes to users on time is essential, how they’re presented to users matters just as much. In the next section, we’ll focus on the most reliable and timeless channel of OTP communication: email. Among the OTP channels mentioned here, email is the longest-form channel, so care must be taken while creating these messages.
Best practices for crafting effective OTP emails
As we’ve already discussed, OTP emails are a type of transactional email businesses send to customers automatically based on an action performed on an application or website. They must be sent to users on time without any delay. Email service providers (ESPs) will take care of their delivery; however, you’ll have the freedom to write these emails based on your preference. Some points that you should keep in mind when creating an effective OTP email are:
The focus should be on the OTP
Users requesting an OTP are pressed for time because the code is valid only briefly. Keeping the OTP prominent makes it easier for the user to find and enhances their experience. It should be easy to spot, so highlight it.
Keep it separate
In the case of password reset information, you’ll be sending the customer's details along with the OTP. This will include their account information, which may contain numbers. Users can misread the information and enter the wrong OTP, so it’s essential to keep them separate to avoid any errors. Provide ample spacing between the OTP and other content in the emails.
Keep it simple
Present four- or six-digit OTPs in evenly spaced chunks. This makes them more readable and leaves little room for error. For example, an OTP of 123 456 is much more decipherable than 12 34 56. Because users will be switching between screens to enter their codes, chunking them in this way makes it easier for the users to remember them.
Opt for numerical codes
Reserve alpha-numeric codes for captchas and use numbers for your OTPs. Again, this is in line with the email’s readability and user-friendliness. Ensure you use at least a four-digit OTP to avoid users confusing it with the CVV on their card.
Mention validity
We know that OTPs will eventually expire. Mentioning the expiry period in the email will help users be aware of the time within which they should enter it. Most critical transactions require shorter time validity; however, you can increase the time validity for less-sensitive operations.
Give clear information
State the purpose of the OTP in a clear and concise manner. For example, in the case of an account verification email, mention the user's details—like their username—along with the OTP. The information provided will help them verify their details before proceeding with the transaction.
Share customer support details
In case the user needs additional assistance, they’ll benefit from your service's customer support information. You can also add a chatbot right within the mailbox to answer their questions instantly.
Avoid marketing content
Transactional emails like OTPs serve one purpose—getting the user the information they need on time. Although giving additional information about your brand might be alluring, it’s best to avoid it because it could be intrusive and overpower the OTP. With ESPs enforcing strict measures to check for spammy content and filtering it out, adding marketing content in your transactional emails can result in them being marked as spam.
Retry information
There might be instances where the user requests a new OTP if the first one expires. In these cases, make sure to update the OTP and mention that it’s a new one to avoid any confusion.
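Email OTPs are normally random codes stored server-side rather than HOTP/TOTP values. The added example below (not code from the article or from ZeptoMail) shows one way to issue, render and verify them following the practices above: numeric codes, chunked display, the purpose and expiry stated in the body, and a fresh code on retry that invalidates the earlier one. The class and function names, the 10-minute validity, the 5-attempt cap and the pepper are assumptions.

```python
import hashlib
import hmac
import secrets

CODE_DIGITS = 6         # numeric only, above the 4-digit floor the article sets (assumed)
VALIDITY_SECONDS = 600  # assumed default; shorten for sensitive actions such as payments
MAX_ATTEMPTS = 5        # assumed cap on guesses per issued code


def generate_code(digits: int = CODE_DIGITS) -> str:
    """Uniformly random numeric code from the OS CSPRNG, zero-padded so a leading 0 survives."""
    return f"{secrets.randbelow(10 ** digits):0{digits}d}"


def chunk(code: str, size: int = 3) -> str:
    """'123456' -> '123 456': evenly spaced groups for readability."""
    return " ".join(code[i:i + size] for i in range(0, len(code), size))


def render_email(username: str, purpose: str, code: str, validity: int, reissued: bool) -> str:
    """Plain-text body: purpose first, the code on its own line, expiry stated, no marketing."""
    lines = [f"Hi {username},", ""]
    if reissued:
        lines.append("You requested a new code. Earlier codes no longer work.")
    lines += [f"Your code to {purpose} is:", "", f"    {chunk(code)}", "",
              f"It expires in {validity // 60} minutes. If you didn't request it, contact support."]
    return "\n".join(lines)


class EmailOtpStore:
    """One pending code per (user, purpose); only an HMAC of the code is kept server-side."""

    def __init__(self, pepper: bytes):
        self._pepper, self._pending = pepper, {}

    def _digest(self, code: str) -> bytes:
        return hmac.new(self._pepper, code.encode(), hashlib.sha256).digest()

    def issue(self, user: str, purpose: str, now: int, validity: int = VALIDITY_SECONDS):
        """Create or replace the pending code; returns (code, email_body)."""
        reissued = (user, purpose) in self._pending
        code = generate_code()
        self._pending[(user, purpose)] = {"digest": self._digest(code), "expires": now + validity, "attempts": 0}
        return code, render_email(user, purpose, code, validity, reissued)

    def verify(self, user: str, purpose: str, submitted: str, now: int) -> bool:
        """Constant-time compare; the code is burned on success, on expiry, or after too many attempts."""
        entry = self._pending.get((user, purpose))
        if entry is None:
            return False
        if now > entry["expires"] or entry["attempts"] >= MAX_ATTEMPTS:
            del self._pending[(user, purpose)]
            return False
        entry["attempts"] += 1
        ok = hmac.compare_digest(entry["digest"], self._digest(submitted.replace(" ", "")))
        if ok:
            del self._pending[(user, purpose)]
        return ok
```

Because every new issue replaces the stored digest, a retried request automatically invalidates the previous code, which is the behaviour the retry advice above asks for.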
Scalability
Desktop browsers aren’t the only place where your emails will be accessed by your customers. Ensure that the emails you create are compatible with any device. Test your emails before you send them out to ensure that they’re optimized across devices.
Send them on time
OTPs for password reset emails are requested by users who’ve been locked out of their account, so they’ll be anticipating the email. Timely delivery of the OTP is important because late delivery will make the customer lose trust in your business. Ensure that the service you choose makes the timely delivery of your emails possible.
Good inbox placement
Sending your emails on time isn't ideal if they don’t reach your recipients' inbox. Asking your customers to look for their OTPs in their spam folder isn’t a good look for your business and it can reduce your business's credibility. Inbox placement is directly proportional to your email deliverability, which can improve with the help of good email practices and by using a good service.
Use reputed channels
OTP emails are important and confidential, so the service you use should be secure. Some services send out both transactional and marketing emails. To get the most out of the service and ensure fast delivery of your transactional emails, it’s advisable to use a dedicated transactional email service. A dedicated service will not only give you great delivery rates but also get the emails to your recipients on time. This is exactly what you want when sending important emails like OTPs.
Wrapping up
Zoho ZeptoMail is one such service that focuses solely on sending out transactional emails. ZeptoMail allows you to seamlessly connect your business to send out emails using SMTP and APIs. Our delivery rates are one of the best in the industry and we focus on secure email delivery, so you can rest assured that your emails will reach your recipients on time. For more information, click here.