OTP Code Verification
OTP verification adds a second security layer to the authentication process. After identifying themselves, the user receives a 6-digit code on their phone or email that they must enter to complete access.
A password can be leaked. An employee number can become known. But the user's phone is theirs — no one else has it. OTP verification (one-time code) takes advantage of this: after the user identifies themselves, the system sends a 6-digit code to their phone or email that expires in 5 minutes. Without that code, there is no access, even if someone knows the identifying data.
What is it for?
OTP verification is the second security layer that protects especially sensitive information. While basic authentication verifies "are you who you say you are?", OTP adds "do you have access to the registered device?"
Use it when the agent handles:
- Payroll and salary data
- Financial or accounting information
- Medical or personnel records
- Client or contract data that should not be shared
How does it work?
The process activates after basic authentication when the "Require OTP" option is enabled:
- The user provides their identifying data (employee number, ID, etc.)
- The system finds the record and generates a random 6-digit code
- It sends the code to the WhatsApp number or email registered in the user's profile
- The agent asks the user to enter the received code
- The user enters the code
- If correct, they are authenticated with full access to their data
The code has multiple security protections:
- Expires in 5 minutes: a code captured earlier cannot be replayed hours later
- Maximum 3 attempts: after 3 incorrect entries the verification is cancelled and the process must be restarted
- Single use — once verified, the code cannot be used again
- Stored as a hash — if someone accesses the database, they cannot read the code in plain text
How to use it?
Activate OTP on the authentication tool
- Go to the agent's authentication tool (Authenticate conversation).
- Enable the Require OTP option.
- Configure where the user's contact data comes from:
  - For OTP via WhatsApp: the record field containing the phone number (e.g., "phone" or "mobile" field)
  - For OTP via email: the record field containing the email (e.g., "corporate_email" field)
If the record has both fields configured, the system automatically selects the available channel based on the user's data.
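The following is an added reference implementation, not the platform's own code, of the rules described in "How does it work?" (random 6-digit code, 5-minute expiry, 3 attempts, single use, hash-only storage) together with the channel selection described just above. Everything about it is an assumption made for illustration: the names `OtpChallenge`, `issue_challenge`, `verify_code` and `select_channel`, the choice of a salted SHA-256 as the stored hash (the page only says "a hash"), the preference for WhatsApp when a record has both a phone and an email, and the sample employee record, which is constructed. Only the field names "phone" and "corporate_email" and the response messages come from the page.

```python
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass
from typing import Optional, Tuple

CODE_LENGTH = 6
TTL_SECONDS = 5 * 60   # the code expires in 5 minutes
MAX_ATTEMPTS = 3       # three wrong entries cancel the process


@dataclass
class OtpChallenge:
    """Server-side record of one pending code. Only the salted hash is stored."""
    code_hash: bytes
    salt: bytes
    created_at: float
    attempts: int = 0
    consumed: bool = False


def _hash_code(code: str, salt: bytes) -> bytes:
    # Assumption: salted SHA-256. There are only a million possible codes, so the
    # per-challenge salt stops a leaked table from being reversed with one
    # precomputed lookup; the short TTL and attempt cap do the rest.
    return hashlib.sha256(salt + code.encode()).digest()


def generate_code() -> str:
    # CSPRNG output, zero-padded so a code such as "004721" is valid.
    return f"{secrets.randbelow(10 ** CODE_LENGTH):0{CODE_LENGTH}d}"


def issue_challenge(now: Optional[float] = None) -> Tuple[str, OtpChallenge]:
    """Return the plaintext code to send to the user and the record to persist."""
    code = generate_code()
    salt = secrets.token_bytes(16)
    created = time.time() if now is None else now
    return code, OtpChallenge(_hash_code(code, salt), salt, created)


def verify_code(challenge: OtpChallenge, submitted: str,
                now: Optional[float] = None) -> Tuple[bool, str]:
    """Check one user entry. Returns (ok, message) and updates the challenge."""
    now = time.time() if now is None else now
    if challenge.consumed:
        return False, "This code is no longer valid. Message me again to restart."
    if now - challenge.created_at > TTL_SECONDS:
        challenge.consumed = True
        return False, ("The code has expired. Please message me again and I will "
                       "send you a new one.")
    challenge.attempts += 1
    # Constant-time comparison of the hashes, so timing does not leak digits.
    if hmac.compare_digest(_hash_code(submitted, challenge.salt), challenge.code_hash):
        challenge.consumed = True   # single use: the same code never verifies twice
        return True, "Identity verified."
    remaining = MAX_ATTEMPTS - challenge.attempts
    if remaining <= 0:
        challenge.consumed = True   # third failure cancels the whole process
        return False, ("Incorrect code. For security, the verification process "
                       "was cancelled. Message me again to restart.")
    noun = "attempt" if remaining == 1 else "attempts"
    return False, f"Incorrect code. You have {remaining} {noun} remaining."


def select_channel(record: dict, phone_field: str = "phone",
                   email_field: str = "corporate_email") -> Tuple[str, str, str]:
    """Pick the delivery channel from the user's record.

    Assumption: WhatsApp is preferred when both fields are present.
    Returns (channel, destination, masked destination for the chat message).
    """
    phone = (record.get(phone_field) or "").strip()
    email = (record.get(email_field) or "").strip()
    if phone:
        return "whatsapp", phone, "***" + phone[-2:]
    if email:
        local, _, domain = email.partition("@")
        return "email", email, local[:1] + "***@" + domain
    raise ValueError("record has no phone or email configured for OTP delivery")


if __name__ == "__main__":
    # Constructed sample record for employee 4721 (not real data).
    record = {"employee_number": "4721", "phone": "+52 55 1234 5678"}
    channel, _dest, masked = select_channel(record)
    code, challenge = issue_challenge()
    print(f"Sending code via {channel} to {masked}")   # the agent never shows the full number
    print(verify_code(challenge, "000000" if code != "000000" else "000001"))
    print(verify_code(challenge, code))
    print(verify_code(challenge, code))   # second use is rejected
```

The challenge object is what would be persisted (keyed by conversation or session id); the plaintext code exists only long enough to hand it to the WhatsApp or email sender.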
User experience with OTP activated
Example conversation:
User → Agent: "I want to check my pay stub for this month."
Agent → User: "To verify your identity, what is your employee number?"
User → Agent: "My number is 4721."
Agent → User: "I found your record. We sent a verification code to the number ***78 registered in your profile. Please enter the code (expires in 5 minutes)."
User → Agent: "The code is 483921."
Agent → User: "Identity verified. Your March 2026 pay stub was for $18,400. [pay stub details...]"
What happens if the code fails
If the user enters an incorrect code, the agent informs how many attempts remain:
- First failed attempt: "Incorrect code. You have 2 attempts remaining."
- Second failed attempt: "Incorrect code. You have 1 attempt remaining."
- Third failed attempt: "Incorrect code. For security, the verification process was cancelled. Message me again to restart."
After exhausting attempts, the user must start the authentication process from scratch.
What happens if the code expires
If more than 5 minutes pass since the code was sent, when the user tries to enter it the agent responds: "The code has expired. Please message me again and I will send you a new one."
Key benefits
- Second security layer protecting against credential theft
- The code expires in 5 minutes, so a captured code has no lasting value
- 3-attempt limit protecting against brute force attacks
- Compatible with WhatsApp and email depending on data availability
- Transparent process for the user — they receive the code on their usual channel
- Secure code storage — never in plain text in the database
Common use cases
Scenario 1: Protecting salary queries
An HR employee configures the payroll agent with mandatory OTP. When employee 4721 queries their pay stub, the system sends the code to their registered phone. Even if someone else knew employee number 4721, without that person's phone they cannot access their payroll data.
Scenario 2: Access to client contracts
A service company configures OTP by email for the client agent. When a client tries to query their contracts, the system sends the code to their registered corporate email. This guarantees that only someone with access to the client's corporate email can see the information.
Scenario 3: Unauthorized access attempt
A malicious user obtains another person's employee number and tries to access the agent. They provide the correct employee number. The system sends the OTP to the legitimate employee's phone, who receives the unexpected code and knows someone tried to access their information. The attacker does not have the employee's phone, cannot enter the code, and access is denied.