Articles in this section
OTP Rules & Validation in Vtiger CRM
Table of Contents
Feature Availability
Vtiger Editions: One Pilot | One Growth | One Professional | One Enterprise | One AI
Introduction to OTP Rules
OTP - One Time Password (OTP) is a unique code that is an added security measure for your logins or financial transactions.
OTP Rules in Vtiger enable admins to set up rules requiring OTP-based verification for the CRM records. For example, a delivery company can configure OTP Rules to require verification before marking a Delivery Note as Delivered, ensuring that recipients confirm deliveries.
How do OTP Rules work
The OTP Rules Add-on enforces OTP validation for record-saving actions across various media, including (Webforms, Mailroom, saved from mobile app, created by Workflow, Process Designer or Approval, etc.).
Note: OTP Rules are not applicable to the import process.
Benefits
- Data Integrity: Ensures that only authenticated changes are made, maintaining data accuracy and reliability.
- Comprehensive Protection: Applies across web, mobile, APIs, and workflows for full coverage.
- Customer Trust: Enhances trust with customers by demonstrating robust security practices.
- Increased Customer Satisfaction: Prevents fraudulent updates by the field service team, ensuring that cases are only marked as resolved with actual service.
- This keeps customers from waiting unnecessarily and improves their overall experience.
- Saves Time: Reduces the need for manual follow-ups to rectify fraudulent updates, saving time and resources.
In this article, you will learn about:
- OTP Rules
- Installing and Accessing OTP Rules Add-on
- Creating and sending OTP Rules
- OTP verification and validation
Key Terminology
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
Installing OTP Rules Add-on
OTP Rules is available as an Add-on in the Extension Store.
Follow the below steps to install the OTP Rules Add-on:
- Log in to your CRM account.
- Go to the Main Menu.
- Go to Add-ons.
- Search for OTP Rules.
- Click Install.
Accessing OTP Rules
After installing the Add-on, admin users will find OTP Rules under:
- Settings > Automation > OTP Rules.
- Main Menu > Essentials > Administration > OTP Rules.
Creating OTP Rules
To create a new rule, go to the OTP Rules module, click Add rule, and follow these steps:
Follow these steps to develop OTP Rules:
- Log in to the CRM.
- Go to the Main Menu.
- Go to Administration.
- Go to OTP Rules.
- Click Add OTP rules.
- Enter or select the following information:
- Details block
- Rule Name: Provide a unique name for the rule.
- Target Module: Select the module for which OTP verification is required.
- Applicable Profiles: Choose profiles for which OTP verification is required. Users of selected profiles will be prompted for OTP, while others can save without OTP.
- Allow sending OTPs for closed records: Enable this option if OTP verification is required when reopening a closed record.
- OTP Options block
- OTP Type: Select among numeric, alphabetic, or alphanumeric OTPs.
- OTP Length: Specify the number of characters for the OTP.
- Valid For: Set the duration for which the OTP is valid from when it is sent.
- OTP Resend: Choose whether to send a new OTP or resend the previously generated OTP if still valid.
- Max Resend Attempts: Define the maximum number of resend attempts within a specified time frame.
- Reset Resend Attempts After: Set the time frame after which resend attempts will be reset.
- Max Validation Attempts: Specify the maximum number of OTP validation attempts.
- Reset Validation Attempts After: Set the time frame after which validation attempts will be reset.
- Verification Trigger block
- Trigger Conditions: Define conditions under which OTP verification is required. Similar to workflows/processes, conditions can include has changed, has changed from, etc.
- Note: If the conditions match during record creation, saving will not be permitted. This is because OTP verification is required to save the record, but an OTP can only be sent once the record is saved.
- OTP Delivery block
- Channels: Choose the channels (email, SMS, WhatsApp) through which OTP will be sent.
- Recipient: Select the field to which OTP should be sent.
- Template: Choose a template for sending OTP.
- Provider: Choose the service provider for SMS and WhatsApp channels.
- Details block
- OTP will always be sent, even if the customer has opted out. To avoid sending automated OTPs to customers who have opted out, include conditions in Workflows or Processes to exclude them.
- Only templates with an OTP merge tag can be chosen in the template selection. For SMS and WhatsApp, only approved templates can be selected.
Sending an OTP
The OTP Rules feature does not send the OTP automatically. Instead, you must send them manually or automate the process using Workflows or Processes.
- Manual action
- Detail View or List View Mass Action: Select the Send OTP action, choose the rule, and send OTP.
- You can select a maximum of twenty records to send OTP.
- Automated
- Workflows/Processes: Set conditions for sending OTP and add Send OTP action.
OTP Verification
When trigger conditions are met, OTP Rules prevent the record from being saved without a valid OTP.
- Manual action
- Web/Mobile Client: Users are prompted to enter OTP when saving from the Detail or Edit view.
- API Save Request
- API Requests: Send the OTP value to the request header or data.
How do OTP Rules work for API Save Requests
When saving via APIs, OTP validation is required if the criteria match your configured OTP rule. In such cases, you must send the OTP value and the API request. Follow the below steps to send the OTP value with the API save request.
- Set up a Workflow to trigger the Send OTP action for the criteria that match API save conditions.
- Receive OTP via Email, SMS, or WhatsApp and save it.
- Send the OTP value with the API requests.
The accepted OTP format in APIs is OTPRULES_OTP_(rule id) or OTPRULES_OTP_(sanitized rule name), where all non-alphanumeric characters are removed from the rule name. For example, if the rule name is Test Rule 1 & Test 2 @ XYZ, it becomes TestRule1Test2XYZ.
You can include The OTP value in both request data and headers:
- Request data should be separated by underscores (for example, OTPRULES_OTP_(ruleid) or OTPRULES_OTP_(sanitized rule name)).
- Headers data should be separated by hyphens (for example, OTPRULES-OTP-(rule id) or OTPRULES-OTP-(sanitized rule name)).
Note: This is case insensitive, meaning the characters can be in upper case, lower case, or the same case as the name. Headers sent with underscores will be converted to hyphens server-side.
Points to remember:
- Ensure appropriate trigger conditions to prevent record save issues.
- OTP Rules don't lock records but prevent entering specified states without OTP verification.
OTP Validation
OTP Validation is a security process of verifying a One-Time Password (OTP) to confirm the authenticity of an action.
- Record Update: When a user tries to update a record, the system checks for matching OTP rules.
- If a matching rule is found, a popup prompts the user to enter the OTP.
- If multiple rules match, everything will be shown in the popup.
- Users can ask for the OTP to be resent if needed.
- The record is saved if the OTP is validated within the retry limit. Otherwise, an error is shown, and the record is not saved.
- API Save Requests: The system checks for matching OTP rules when saving records via API.
- The request data must include the OTP if a matching rule is found.
- If the OTP is missing or invalid, an error is thrown.
Limitations
- To avoid clutter, OTPs will not create separate Email, SMS, or WhatsApp records.
- For the List View, you can select ten records for the Send OTP action.
- Scheduled Workflows for OTP Rules are limited to processing 100 records per day.