
[Feature] Bind OTPs to Device ID for Enhanced Security and Readme file Improvement #32

@Tanishq-789

Description


Feature Description

🔍 Observation

Currently, OTPs in our FastAPI authentication service are tied only to phone numbers. This creates a security gap — if an OTP is leaked or shared, it can be used from any device.

👉 By binding OTPs to a device identifier, we ensure that an OTP generated for a phone number can only be verified on the same device, adding an extra layer of protection.

✅ Proposed Solution

API Updates

  • Update /otp/send-otp and /otp/verify-otp endpoints to accept a device_id parameter.

Example request:

{
  "phone": "+91xxxxxxxxxx",
  "device_id": "unique-device-uuid"
}

Database Changes

  • Add a device_id field in the OTP/verification table (or extend existing schema).

  • Store OTPs along with both phone_number and device_id.

Verification Logic

  • During OTP verification, check both phone_number and device_id.

  • If device_id does not match the one stored, reject the OTP even if it’s correct.

🔧 Implementation Steps

  • Update Pydantic Schemas to include device_id.

  • Modify Routes (send_otp_route, verify_otp_route) to accept and forward device_id.

  • Update Models to persist device_id alongside OTP records.

  • Enhance Verification in verify_otp to validate phone + code + device_id.

  • Add tests to confirm:
      • OTP with wrong device_id is rejected.
      • OTP with correct phone + device_id is accepted.

🎯 Benefits

  • Stronger security by preventing OTP reuse across different devices.

  • Real-world relevance: commonly implemented in production-grade authentication flows.

  • Still lightweight (only requires minor schema and logic changes).

🏷️ Labels

  • enhancement
  • security
  • gssoc'25
  • level3

@Harish-2003 Kindly assign this issue to me

Use Case

Imagine a user tries to log in with OTP authentication:

  • The user enters their phone number on Device A and requests an OTP.

  • The server generates an OTP and stores it along with a device identifier (e.g., a UUID generated by the client).

  • The user receives the OTP via SMS and enters it on Device A.

  • ✅ Since phone_number + device_id + otp all match, verification succeeds.

  • Now consider if an attacker obtains the OTP and tries to use it on Device B:
      • ❌ The OTP will be rejected because the stored device_id doesn’t match the attacker’s device.
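The verification flow described in the implementation steps and the use case above, as an added example that is not the project's code: an in-memory store standing in for the OTP table, with send_otp/verify_otp binding each code to (phone, device_id). OtpStore, the TTL and the attempt cap are assumptions; the real service would hand the code to an SMS gateway rather than return it.

```python
# Added example, not the project's code: OTP records bound to phone + device_id.
import hmac
import secrets
import time
from dataclasses import dataclass, field

OTP_TTL_SECONDS = 300  # assumed lifetime of an issued code
MAX_ATTEMPTS = 5       # assumed cap on verification attempts per issued code


@dataclass
class OtpRecord:
    phone: str
    device_id: str  # client-supplied binding; it ties the code to a session, not to attested hardware
    code: str
    expires_at: float
    attempts: int = 0


@dataclass
class OtpStore:
    """Stands in for the OTP table; keyed by phone so a new send replaces the old code."""
    records: dict = field(default_factory=dict)

    def send_otp(self, phone: str, device_id: str) -> str:
        code = f"{secrets.randbelow(10**6):06d}"  # 6-digit code from a CSPRNG
        self.records[phone] = OtpRecord(phone, device_id, code, time.time() + OTP_TTL_SECONDS)
        return code  # returned here only so the example can be exercised; deliver via SMS in practice

    def verify_otp(self, phone: str, device_id: str, code: str) -> bool:
        rec = self.records.get(phone)
        if rec is None or time.time() > rec.expires_at or rec.attempts >= MAX_ATTEMPTS:
            return False
        rec.attempts += 1  # every attempt counts, including ones from the wrong device
        # Check the device binding and the code together, in constant time, so a caller
        # cannot tell from timing which of the two failed.
        device_ok = hmac.compare_digest(rec.device_id.encode(), device_id.encode())
        code_ok = hmac.compare_digest(rec.code.encode(), code.encode())
        if not (device_ok and code_ok):
            return False
        del self.records[phone]  # single use: a verified code cannot be replayed
        return True
```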

Metadata

Assignees: No one assigned
Labels: enhancement (New feature or request)
Development: No branches or pull requests