🔐 How OTP Autofill Actually Works (Deep Dive for Developers)
Source: Dev.to
Overview
OTP (One‑Time Password) autofill feels magical, but it’s actually a combination of OS‑level SMS parsing, app or browser integration, and strict security rules.
OTP Autofill Lifecycle
- User enters phone number in an app (e.g., WhatsApp, Paytm).
- Backend generates OTP and sends it via an SMS gateway.
- SMS arrives on the device.
- Operating system intercepts the message and parses its content.
- If the message meets the required conditions, the OTP is surfaced to the app or browser.
- The app auto‑fills (or suggests) the code to the user.
Key Insight
- Apps cannot read all SMS messages arbitrarily.
- The operating system controls access to SMS content and only forwards the OTP when the required criteria are satisfied.
Android OTP Autofill
SMS Retriever API (Most Secure)
Developed by Google, this method does not require the app to hold SMS permissions.
- The app generates a unique 11‑character hash.
- The hash is appended to the SMS sent to the user.
- Android reads incoming SMS messages.
- If the hash matches an installed app, the OTP is passed automatically to that app.
Example SMS
Your OTP is 482913
FA+9qCX9VSu
SMS User Consent API
- Android shows a popup: “Allow AppName to read this OTP?”
- When the user approves, the OTP is passed to the app.
iOS OTP Autofill
iOS does not allow apps to read SMS directly. Instead:
- iOS detects the OTP format in incoming messages.
- It shows an OTP suggestion above the keyboard.
- The user taps the suggestion, and the code is autofilled.
No special hash is required on iOS.
OTP Autofill in Browsers (Web Apps)
HTML Input Attribute
When the OTP field carries the one-time-code autocomplete attribute, modern browsers (Chrome, Safari, etc.) will:
- Detect the OTP in an incoming SMS.
- Show a suggestion above the keyboard.
- Autofill the input when the user selects the suggestion.
WebOTP API (Chrome)
- The OS looks for 4–8 digit numeric codes accompanied by keywords such as “OTP”, “code”, or “verification”.
- It also checks for the app name or domain; the domain must match the website serving the page.
- The API works only on secure HTTPS pages.
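The SMS Retriever message shape and the WebOTP origin binding described above, as an added Node.js example that is not code from the original post or its repository. It assumes the documented formats: an SMS Retriever message of at most 140 bytes that ends with the 11-character app hash, and a WebOTP message whose last line is `@<host> #<code>`, which the browser offers only to an HTTPS page on that exact host; the host `www.example.com` is a constructed value, while the code and hash reuse the post's sample SMS.

```javascript
// Added example (not from the original post). Composes the two SMS shapes
// discussed above and models the check a browser performs before it offers
// a WebOTP code to a page. Formats are assumptions stated in the lead-in.

const OTP_RE = /^\d{4,8}$/;                       // 4-8 digit codes, as the post states
const WEBOTP_LAST_LINE = /^@([^\s#@]+) #(\d{4,8})$/;
const RETRIEVER_MAX_BYTES = 140;                  // SMS Retriever size limit

// SMS Retriever: the 11-character app hash must be the final token and the
// whole message must fit in 140 bytes, otherwise the OS never delivers it.
function buildSmsRetrieverMessage(code, appHash, text = 'Your OTP is') {
  if (!OTP_RE.test(code)) throw new Error('OTP must be 4-8 digits');
  if (appHash.length !== 11) throw new Error('app hash must be 11 characters');
  const sms = `${text} ${code}\n${appHash}`;
  if (Buffer.byteLength(sms, 'utf8') > RETRIEVER_MAX_BYTES) {
    throw new Error('message exceeds 140 bytes; SMS Retriever will not deliver it');
  }
  return sms;
}

// WebOTP: the binding line "@host #code" must be the last line of the SMS.
function buildWebOtpMessage(host, code, text = 'Your OTP is') {
  if (!OTP_RE.test(code)) throw new Error('OTP must be 4-8 digits');
  return `${text} ${code}\n\n@${host} #${code}`;
}

// Model of the browser-side decision: returns the code only when the SMS is
// bound to the page's origin, otherwise null (the page never sees the SMS).
function offerWebOtpCode(sms, pageUrl) {
  const url = new URL(pageUrl);
  if (url.protocol !== 'https:') return null;     // secure contexts only
  const lastLine = sms.trimEnd().split('\n').pop();
  const m = WEBOTP_LAST_LINE.exec(lastLine);
  if (!m) return null;                            // no binding line: nothing offered
  const [, host, code] = m;
  return host === url.host ? code : null;         // mismatched host gets nothing
}

// Demo with the post's sample code and hash (constructed host).
const retrieverSms = buildSmsRetrieverMessage('482913', 'FA+9qCX9VSu');
const webOtpSms = buildWebOtpMessage('www.example.com', '482913');
console.log(retrieverSms);
console.log(offerWebOtpCode(webOtpSms, 'https://www.example.com/login'));  // 482913
console.log(offerWebOtpCode(webOtpSms, 'https://login-example.net/'));      // null
```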
Security Considerations
- Android: Requires a matching signature hash (SMS Retriever) or explicit user consent (User Consent API).
- iOS: No direct SMS access; OTP is presented as a keyboard suggestion.
- WebOTP: Operates only over HTTPS and validates the domain to prevent phishing.
For implementation details, backend design, and sample code, refer to the project repository on GitHub.