15

I am working on auto reading a login OTP on a mobile browser. My web application is built in Angular 7.

Once the user clicks on login, an OTP is sent via AWS to the user's mobile with a 6 digit code.

I have looked up Google's SMS Retriever API but it does not help my case.

Is reading an OTP from a mobile browser possible?

Steve Vinoski
  • 19,847
  • 3
  • 31
  • 46
Varun Joshi
  • 599
  • 2
  • 9
  • 24

4 Answers4

15

It is an old question, during the time when the question was posted, it was not possible.

But now we can read OTP on mobile browsers.

Using WEBOTP API we can detect the OTP on the web for mobile devices.

You can use the below code to check whether this work on your browser or not

if (!window.OTPCredential) {
  console.log('Feature Not Available');
}
else{
  console.log('Feature Available');
}

Note: If you are testing this on your laptop or desktop, then this above code will give you Feature Not Available. To test this over your laptop or desktop, you need to change the toggle to a mobile device.

SMS Receiver API JavaScript and Web OTP API W3C Community

You can get the documentation in the above link(s).

Before using OTPCredential, we need to have AbortController which will be used to disable WebOTP API (Auto read SMS) after some time (can be based on time or after reading the SMS).

 const ac = new AbortController();
 setTimeout(() => {
   ac.abort();
 }, 1 * 60 * 1000);

The WebOTP API will terminate after 1 minute in the above code.

You can have an HTML form of this type

<form action="/verify-otp" method="POST">
  <input type="text"
         inputmode="numeric"
         autocomplete="one-time-code"
         pattern="\d{6}"
         required>
</form>

Now, the format for your SMS that will be received by the user on their mobile devices will be as below.

@BOUND_DOMAIN #OTP_CODE

Where the above line can be the last line of your SMS.

  • @BOUND_DOMAIN will your website domain like @www.examle.com
  • #OTP_CODE will be the OTP for authentication like #1234(Keep it 4 to 6 digits only.)

Thus the SMS format will be something like this:

Hi User, please do not share your OTP with anyone.
@www.example.com #123456

To invoke the WebOTP API we need to know Web Authentication API.

 navigator.credentials.get([options])

The above code is required to invoke the WebOTP API

 navigator.credentials.get({
      otp: { transport:['sms'] },
      signal: ac.signal //This is from the AbortController
 }).then(otp => {
      input.value = otp.code;
      // Automatically submit the form when an OTP is obtained.
 }).catch(err => {
      console.log(err);
 });

Now, below is the demo code:

HTML code:

<form action="/verify-otp" method="POST">
  <input type="text"
         inputmode="numeric"
         autocomplete="one-time-code"
         pattern="\d{6}"
         required >
</form>

JavaScript Code:

if ('OTPCredential' in window) {
  window.addEventListener('DOMContentLoaded', e => {
    const input = document.querySelector('input[autocomplete="one-time-code"]');
    if (!input) return;
    // Cancel the Web OTP API if the form is submitted manually.
    const ac = new AbortController();
    const form = input.closest('form');
    if (form) {
      form.addEventListener('submit', e => {
        // Cancel the Web OTP API.
        ac.abort();
      });
    }
    // Invoke the Web OTP API
    navigator.credentials.get({
      otp: { transport:['sms'] },
      signal: ac.signal
    }).then(otp => {
      input.value = otp.code;
      // Automatically submit the form when an OTP is obtained.
      if (form) form.submit();
    }).catch(err => {
      console.log(err);
    });
  });
}

SMS Format could be like this:

Hi, this is a demo OTP
@www.mydomain.com #1234



Companies like OYO(There Tech Blog) use this feature.

NOTE- It is in the development phase as of now and available from Chrome 78

UPDATE 2020
From Chrome 84 it is officially launched. But still, many improvements are on their way.

Not A Bot
  • 2,474
  • 2
  • 16
  • 33
  • Does the API have access to the entire SMS inbox or how does that work? like if I have to relate in terms of reading cookies which is based on the domain...so what access does the API get ? – copenndthagen Dec 20 '19 at 07:11
  • Chrome 81 is there but i think it is not launched? – Asfar Irshad Apr 22 '20 at 12:33
  • @AsfarIrshad It is launched a way back, I suppose in chrome 78(for mobile devices), but the support is limited – Not A Bot Apr 22 '20 at 12:54
  • @testndtv user needs to provide one-time permission to access the SMS, thus then the browser(the web app in the browser) will detect the SMS accordingly, and will fill the OTP section automatically. – Not A Bot Apr 22 '20 at 12:58
  • On browsing through their web it is written launch not started, can anyone have some confirmation? – Asfar Irshad Apr 22 '20 at 16:44
  • @NotABot But the question is there might be like 100s of SMSes in the user's inbox...How does the API read? Does it get access to all the messages and how does it parse the OTP (based on recent msg, etc ?) – copenndthagen Apr 23 '20 at 06:04
  • @AsfarIrshad Yes you are correct, maybe the launch is delayed but the beta is still supported incorrect and some previous chrome versions. When I wrote this answer I suppose that was what told to be browser in which this API will be launched. Now it is delayed to Chrome 81. – Not A Bot Apr 24 '20 at 04:44
  • @testndtv The JSON object from that browser fetch from the user's SMS box must have some type of key **"OTP"** and some other keywords that your web app has set, such as ``"myApp": "My Test APP"``. Like this browser only fetch that OTP which matches these criteria, But this method has limitation that HACKER man mimics this and can get OTP of the user. – Not A Bot Apr 24 '20 at 04:50
  • Sounds good....last question; Any working example for reference would be great... – copenndthagen Apr 24 '20 at 04:56
  • @testndtv Yes(I suppose, as I used this before writing this answer. ), on the mobile version of swiggy.com You can check this(PS- It works only in India) – Not A Bot Apr 24 '20 at 04:58
  • 1
    @testndtv https://web.dev/web-otp/ here you will get code and a good explanation of it how it is working. – Not A Bot Apr 24 '20 at 05:03
  • @HalfWebDev The Chromium-based browsers have support, for non-chromium based browser scope is limited, you need to dig down to see which all browsers have support for it. – Not A Bot Oct 30 '20 at 07:11
13

Yes, this is possible now. Chrome release this feature in version 84 and above. With the help of WEBOTP API we can detect OTP on the web for mobile devices.

code -

if ('OTPCredential' in window) { 
  window.addEventListener('DOMContentLoaded', e => {
    const ac = new AbortController();
    navigator.credentials.get({
      otp: { transport:['sms'] },
      signal: ac.signal
    }).then(otp => {
      alert(otp.code)
    }).catch(err => {
      console.log(err)
    });
  })
} else {
  alert('WebOTP not supported!.')
}

SMS Format-

@www.amazon.com #1598.

Here @www.amazon.com is the domain where verification will take place and 1598 is the otp

Demo link- https://jyotishman.github.io/webOTPAPI/

jyotishman saikia
  • 2,079
  • 1
  • 15
  • 11
  • 1
    Nice! Here is the official Google's page also https://web.dev/web-otp/ – menepet May 31 '21 at 09:58
  • I get missing typings in angular with typescript. – Harkirat singh Jun 28 '22 at 11:51
  • I don't see the url in the SMS now. Answer needs update. `349340 is the OTP for Trxn. of Rs. 351.00 at Xyz co P with your credit card ending 56. OTP is valid for 10 mins. Do not share it with anyone - SBI Card` sample sms. Maybe need to specify sender IDs? Or a template and the service looks for it in the SMS recd withih a few minutes of lookup – tgkprog May 14 '23 at 04:01
0

Any kind of browser is restricted to access browser data only. It is for security purpose. As website running in browser has no access outside browser, you can not access OTP received on mobile in website.

General thumb rule is websites can not access file system hence any functionality outside browser is forbidden.

If you are building a native app then you can access it via permissions.

Plochie
  • 3,944
  • 1
  • 17
  • 33
0

In Short it is not possible. As mobile can't access the File system. Use react native or any similar.

As i saw while searching for the issue i found "https://web.dev/web-otp/". It might help but i have not implemented it yet.

Himanshu Patni
  • 183
  • 7