OTP (One-Time Password) Service

Quick Reference Guide for System Design Interviews


Problem Statement

Design a One-Time Password (OTP) service that generates, delivers, and verifies time-limited codes for user authentication. The system should be secure, highly available, and support multiple delivery channels.


Requirements

Functional Requirements

  • Generate OTP for user (phone/email)
  • Deliver OTP via SMS, email, or push
  • Verify OTP entered by user
  • Rate limiting to prevent abuse
  • Support for multiple use cases (login, transactions)

Non-Functional Requirements

  • Availability: 99.99% (critical for auth)
  • Latency: Generate < 50ms, Deliver < 5s
  • Security: Cryptographically secure OTPs
  • Scale: 100M OTPs/day

High-Level Architecture


OTP Generation

OTP Types

Random OTP Generation:

import secrets

def generate_otp(length=6):
    # Cryptographically secure random
    return ''.join(
        str(secrets.randbelow(10)) for _ in range(length)
    )

# DO NOT use random.randint() - not secure!

TOTP Generation:

import hmac, hashlib, struct, time

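def generate_totp(secret, interval=30):
    # secret: shared key as bytes (decode it first if it is stored as Base32)
    # Counter = number of intervals since the Unix epoch, 8 bytes big-endian
    counter = int(time.time() // interval)
    counter_bytes = struct.pack('>Q', counter)
    hmac_hash = hmac.new(secret, counter_bytes, hashlib.sha1).digest()
    # Dynamic truncation (RFC 4226): low 4 bits of the last byte pick the offset
    offset = hmac_hash[-1] & 0x0F
    code = struct.unpack('>I', hmac_hash[offset:offset+4])[0]
    # Clear the sign bit, then keep the last 6 decimal digits
    code = (code & 0x7FFFFFFF) % 1000000
    return f'{code:06d}'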


OTP Storage


OTP Verification Flow


Delivery Service

Delivery Channels


Rate Limiting & Security


API Design


Interview Discussion Points

  1. How do you generate secure OTPs?
     • Cryptographically secure random (not Math.random)
     • 6 digits = 1M combinations
     • Short expiry + limited attempts

  2. Why hash the OTP?
     • Security: Don't expose in logs/breach
     • Compare hashes on verification

  3. How do you prevent brute force?
     • 3 attempts max per OTP
     • Rate limit per user/IP/phone
     • Exponential backoff

  4. How do you handle SMS delivery failures?
     • Multiple SMS providers (fallback)
     • Retry with backoff
     • Alternative channel (voice, push)

  5. How do you ensure high availability?
     • Redis cluster (replicated)
     • Multiple delivery providers
     • Async delivery via queue

  6. What about TOTP vs random OTP?
     • TOTP: No network needed, works offline
     • Random OTP: Simpler, no app required
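
The hashing and brute-force points above, as an added example that is not part of the original guide: an in-memory store (standing in for Redis) that keeps only a keyed hash of each OTP, enforces the 3-attempt limit, and expires codes. The `OtpStore` class, the 300-second TTL, the status strings, and the use of HMAC with a server-side pepper instead of a bare hash are assumptions of this example.

```python
import hashlib
import hmac
import secrets
import time

OTP_TTL_SECONDS = 300  # assumed value; the guide only says "short expiry"
MAX_ATTEMPTS = 3       # "3 attempts max per OTP"


class OtpStore:
    """In-memory stand-in for Redis that keeps only a keyed hash of each OTP."""

    def __init__(self, pepper: bytes, clock=time.time):
        # Assumption: a server-side key (pepper). A bare SHA-256 of a 6-digit
        # code can be reversed by trying all 1M values, so HMAC is used instead.
        self._pepper = pepper
        self._clock = clock
        self._records = {}

    def _digest(self, user_id: str, purpose: str, otp: str) -> bytes:
        # User and purpose are part of the hashed message, not just the lookup key.
        msg = f"{user_id}|{purpose}|{otp}".encode()
        return hmac.new(self._pepper, msg, hashlib.sha256).digest()

    def issue(self, user_id: str, purpose: str, length: int = 6) -> str:
        otp = "".join(str(secrets.randbelow(10)) for _ in range(length))
        self._records[(user_id, purpose)] = {
            "digest": self._digest(user_id, purpose, otp),
            "expires_at": self._clock() + OTP_TTL_SECONDS,
            "attempts_left": MAX_ATTEMPTS,
        }
        return otp  # goes to the delivery service only; never logged or stored

    def verify(self, user_id: str, purpose: str, candidate: str) -> str:
        key = (user_id, purpose)
        rec = self._records.get(key)
        if rec is None:
            return "not_found"
        if self._clock() >= rec["expires_at"]:
            del self._records[key]
            return "expired"
        if rec["attempts_left"] <= 0:
            return "locked"  # stays locked until expiry, even for the right code
        rec["attempts_left"] -= 1  # spend the attempt before comparing
        expected = self._digest(user_id, purpose, candidate)
        if hmac.compare_digest(rec["digest"], expected):  # constant-time compare
            del self._records[key]  # single use
            return "ok"
        return "invalid"
```

With Redis as the backing store, the attempt decrement and the comparison have to run atomically (for example in a single server-side script) so that parallel requests cannot exceed the attempt limit.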