Information Security

Android O to improve SMS authentication for apps

Android O security

One Time Passwords (OTPs) are a necessity in today’s technological society. They help to protect users from fraud and protect their accounts and private information through SMS authentication. The system requires some refinement when used with mobile devices, but Google may just be the company to achieve that.

With the release of Google’s Android O, the company looks to change the way that OTPs and SMS authentication are handled. The second developer preview, which released in May 2017, contains a slew of new application programming interface (API) code that facilitates OTPs.

What exactly is an OTP?

OTPs are unique codes used when a user logs on to the website or tries to access personal information. An OTP can be sent to a user via SMS, email, or through an automated phone call, though SMS is the most common method. Some companies, such as game developer and publisher Blizzard Entertainment, use proprietary physical devices for OTPs. It is more than likely you have already used an OTP for some system or another.

Ordinarily, OTPs require that a user has their phone on hand to receive the SMS authentication, which is then entered into the website requesting it. This is used to validate a user’s identity and the device being used. The codes are also time-based and unique, which means they will expire after a given amount of time. These restrictions are put in place to safeguard the user.

Users may find that using OTPs isn’t always easy as they have to switch through apps in order to receive the codes.

Android O’s new OTP APIs for SMS authentication

Google’s OTP APIs will eliminate the need for users to manually enter OTPs. In fact, it’s a solution that streamlines the security process overall.

Apps will be able to request an 11-digit code for OTP SMS authentication and will notify the Android operating system to keep an eye out for the code. When an SMS authentication message is received, the OS will read the message and send the code to the app. The SMS also won’t show up in the user’s inbox, leading to less clutter.

When logging into a banking app, for example, the process will be seamless with the user required to input their username and password. This means users will not need to be part of the actual OTP process, which in turn removes a security barrier from the process. Users also won’t be required to switch between the SMS app and the program needing a code.

For users that only use an app once or twice, they will not be required to grant the program full rights to read all of their SMSes to read a code, which is another benefit from the APIs.

Is this the future of security?

This is a step in the right direction and may just be the future of OTPs. It’s not only a more secure way for apps to interact with devices but a convenient one for users and companies as well.

Similarly, Google tackles OTPs by using Google Authenticator. The system generates a unique code which in turn is used on an app, like Bitcoin wallet Luno. The difference between this method and OTP is that no SMSes are sent, though anyone with access to your phone has access to Google Authenticator.


As technology evolves, so does the need for better security measures. For more information on OTPs and SMS authentication, take a look at our article on OTPs and the financial sector.

Explore other articles

Step into the future of business messaging.

SMS and two-way channels, automation, call center integration, payments - do it all with Clickatell's Chat Commerce platform.