Rishav AuthNova OTP

0/5 (0 ratings) — active installs Updated Apr 17, 2026

Rishav AuthNova OTP adds a one-time-password verification layer to core WordPress authentication flows.

Features include:

  • Configurable OTP length and charset (numeric or alphanumeric)
  • OTP expiry and retry limits with temporary lockouts
  • Login OTP verification step (after password check)
  • OTP-gated registration flow
  • OTP-gated password reset flow
  • Delivery via wp_mail, SendGrid, and Twilio
  • OTP storage using hashes (never plaintext)
  • Resend OTP with cooldown and challenge rotation

Security highlights:

  • OTP values are hashed before storage and are never saved as plaintext
  • Stored OTP hashes are keyed HMACs, and submitted codes are checked with a constant-time comparison
  • OTP challenges expire automatically and enforce retry limits per challenge
  • Request throttling applies cooldown and exponential backoff per IP and identifier
  • Lockout windows reduce repeated invalid OTP submissions
  • Nonces are applied on sensitive form submissions
  • Public auth responses are intentionally generic to reduce account-enumeration leakage
  • Delivery is attempted synchronously first, with a bounded asynchronous retry as fallback, and delivery status is tracked per challenge
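As an added illustration (not the plugin's own code), the storage model these highlights describe in plain PHP: the OTP persists only as a keyed HMAC bound to its challenge ID, with expiry, a per-challenge retry limit and constant-time verification. OTP_SECRET_KEY is an assumed placeholder for a site-specific secret, and the challenge record is returned rather than written to a database.

```php
<?php
// Added example, not the plugin's own code: the storage model the highlights
// describe. The OTP is kept only as a keyed HMAC bound to its challenge id, with
// expiry, a per-challenge retry limit and a constant-time comparison on verify.
const OTP_SECRET_KEY   = 'replace-with-site-secret';  // placeholder, assumed
const OTP_TTL_SECONDS  = 300;
const OTP_MAX_ATTEMPTS = 5;

// Numeric code of fixed length from a CSPRNG, zero-padded on the left.
function otp_generate(int $length = 6): string {
    return str_pad((string) random_int(0, 10 ** $length - 1), $length, '0', STR_PAD_LEFT);
}

// Binding the challenge id into the MAC means a stored hash only verifies
// under the challenge it was issued for, so records cannot be swapped.
function otp_hash(string $challengeId, string $code): string {
    return hash_hmac('sha256', $challengeId . ':' . $code, OTP_SECRET_KEY);
}

// Returns [record to persist, code to hand to the delivery channel only].
function otp_issue(string $identifier, int $now): array {
    $challengeId = bin2hex(random_bytes(16));
    $code = otp_generate();
    $challenge = [
        'id'         => $challengeId,
        'identifier' => $identifier,
        'hash'       => otp_hash($challengeId, $code),  // plaintext never stored
        'expires_at' => $now + OTP_TTL_SECONDS,
        'attempts'   => 0,
    ];
    return [$challenge, $code];
}

// Returns 'ok', 'expired', 'locked' or 'invalid'. The attempt is counted
// before the comparison, so every wrong guess consumes a try.
function otp_verify(array &$challenge, string $submitted, int $now): string {
    if ($now >= $challenge['expires_at']) {
        return 'expired';
    }
    if ($challenge['attempts'] >= OTP_MAX_ATTEMPTS) {
        return 'locked';
    }
    $challenge['attempts']++;
    $actual = otp_hash($challenge['id'], $submitted);
    if (hash_equals($challenge['hash'], $actual)) {  // constant-time compare
        $challenge['expires_at'] = 0;  // single use: consumed on success
        return 'ok';
    }
    return 'invalid';
}
```

A caller persists the returned record, sends only the code through the delivery channel, and passes the same record back into otp_verify with the current time on each submission.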

Security limitations:

  • This plugin does not replace passwords, HTTPS, WAF/rate-limiting at the edge, or secure hosting controls
  • OTP delivery depends on the configured email/SMS provider uptime and deliverability
  • Administrators should combine this plugin with standard WordPress hardening and monitoring

Reliability notes:

  • OTP delivery is attempted synchronously first to reduce silent failures
  • If synchronous delivery fails and background delivery is healthy, the plugin schedules bounded retries
  • If background delivery is unhealthy (for example, when DISABLE_WP_CRON is set), fallback queueing is skipped and the user receives an error that is safe to retry
  • Resend cooldown state is server-authoritative and exposed through a status endpoint that the frontend countdown reads
  • The background queue payload contains only the challenge ID, never the raw OTP or the destination address

External Services

This plugin can connect to third-party services to deliver OTP messages. These services are optional and only used if enabled in plugin settings.

Twilio (SMS Delivery)

  • Service: Twilio Programmable Messaging API
  • Purpose: Send OTP codes by SMS
  • Data sent: destination phone number, sender phone number, OTP message text, account SID for authentication
  • Credential handling: Twilio credentials are stored in WordPress options and used only when sending OTP messages
  • When sent: when OTP delivery method includes SMS and an OTP is generated for login, registration, password reset, or resend
  • Why sent: to deliver time-sensitive OTP codes to the user by SMS
  • Terms of Service: https://www.twilio.com/legal/tos
  • Privacy Policy: https://www.twilio.com/en-us/legal/privacy

SendGrid (Email Delivery)

  • Service: SendGrid Mail Send API
  • Purpose: Send OTP codes by email
  • Data sent: recipient email address, sender email/name, message subject, OTP message body, API key for authentication
  • Credential handling: SendGrid API key is stored in WordPress options and used only when sending OTP messages
  • When sent: when email provider is set to SendGrid and an OTP is generated for login, registration, password reset, or resend
  • Why sent: to deliver time-sensitive OTP codes to the user by email
  • Terms of Service: https://sendgrid.com/policies/terms/
  • Privacy Policy: https://sendgrid.com/policies/privacy/

Configuration

  1. Set OTP length, type, expiry, retry limit, and lockout duration.
  2. Choose delivery method: Email, SMS, or Both.
  3. Configure provider credentials for SendGrid and/or Twilio if needed.
  4. Enable or disable OTP on login, registration, and password reset flows.