{"id":293600,"date":"2026-04-17T10:57:32","date_gmt":"2026-04-17T10:57:32","guid":{"rendered":"https:\/\/wordpress.org\/plugins\/securepass-otp\/"},"modified":"2026-04-17T11:22:06","modified_gmt":"2026-04-17T11:22:06","slug":"rishav-authnova-otp","status":"publish","type":"plugin","link":"https:\/\/wordpress.org\/plugins\/rishav-authnova-otp\/","author":23442418,"comment_status":"closed","ping_status":"closed","template":"","meta":{"version":"1.0.0","stable_tag":"1.0.0","tested":"6.9.4","requires":"5.8","requires_php":"7.4","requires_plugins":null,"header_name":"Rishav AuthNova OTP","header_author":"trustedengineering","header_description":"OTP verification for WordPress login, registration, and password reset with email and SMS delivery.","assets_banners_color":"","last_updated":"2026-04-17 11:22:06","external_support_url":"","external_repository_url":"","donate_link":"","header_plugin_uri":"https:\/\/rishav.dev\/plugins\/rishav-authnova-otp","header_author_uri":"https:\/\/rishav.dev","rating":0,"author_block_rating":0,"active_installs":0,"downloads":197,"num_ratings":0,"support_threads":0,"support_threads_resolved":0,"author_block_count":0,"sections":["description","installation","faq","changelog"],"tags":{"1.0.0":{"tag":"1.0.0","author":"rishav001","date":"2026-04-17 11:22:06"}},"upgrade_notice":{"1.0.0":"<p>Initial stable release.<\/p>"},"ratings":[],"assets_icons":{"icon.svg":{"filename":"icon.svg","revision":3505367,"resolution":false,"location":"assets","locale":false}},"assets_banners":[],"assets_blueprints":{},"all_blocks":[],"tagged_versions":["1.0.0"],"block_files":[],"assets_screenshots":[],"screenshots":{"1":"Admin settings page for OTP rules and providers.","2":"OTP verification screen during login.","3":"OTP-gated registration and password reset flows."}},"plugin_section":[],"plugin_tags":[18971,1229,9210,711,9217],"plugin_category":[41],"plugin_contributors":[260441],"plugin_business_model":[],"class_list":["post-293600","plugin","type-plugin","status-publish","hentry","plugin_tags-email-verification","plugin_tags-login-security","plugin_tags-otp","plugin_tags-sms","plugin_tags-two-factor","plugin_category-communication","plugin_contributors-rishav001","plugin_committers-rishav001"],"banners":[],"icons":{"svg":"https:\/\/ps.w.org\/rishav-authnova-otp\/assets\/icon.svg?rev=3505367","icon":"https:\/\/ps.w.org\/rishav-authnova-otp\/assets\/icon.svg?rev=3505367","icon_2x":false,"generated":false},"screenshots":[],"raw_content":"<!--section=description-->\n<p>Rishav AuthNova OTP adds a one-time-password verification layer to core WordPress authentication flows.<\/p>\n\n<p>Features include:<\/p>\n\n<ul>\n<li>Configurable OTP length and charset (numeric or alphanumeric)<\/li>\n<li>OTP expiry and retry limits with temporary lockouts<\/li>\n<li>Login OTP verification step (after password check)<\/li>\n<li>OTP-gated registration flow<\/li>\n<li>OTP-gated password reset flow<\/li>\n<li>Delivery via wp_mail, SendGrid, and Twilio<\/li>\n<li>OTP storage using hashes (never plaintext)<\/li>\n<li>Resend OTP with cooldown and challenge rotation<\/li>\n<\/ul>\n\n<p>Security highlights:<\/p>\n\n<ul>\n<li>OTP values are hashed before storage and are never saved as plaintext<\/li>\n<li>OTP hashes use keyed HMAC storage and constant-time verification<\/li>\n<li>OTP challenges expire automatically and enforce retry limits per challenge<\/li>\n<li>Request throttling applies cooldown and exponential backoff per IP and identifier<\/li>\n<li>Lockout windows reduce repeated invalid OTP submissions<\/li>\n<li>Nonces are applied on sensitive form submissions<\/li>\n<li>Public auth responses are intentionally generic to reduce account-enumeration leakage<\/li>\n<li>Delivery uses synchronous-first send with bounded async retry fallback and challenge-level delivery status tracking<\/li>\n<\/ul>\n\n<p>Security limitations:<\/p>\n\n<ul>\n<li>This plugin does not replace passwords, HTTPS, WAF\/rate-limiting at the edge, or secure hosting controls<\/li>\n<li>OTP delivery depends on the configured email\/SMS provider uptime and deliverability<\/li>\n<li>Administrators should combine this plugin with standard WordPress hardening and monitoring<\/li>\n<\/ul>\n\n<p>Reliability notes:<\/p>\n\n<ul>\n<li>OTP delivery is attempted synchronously first to reduce silent failures<\/li>\n<li>If synchronous delivery fails and background delivery is healthy, the plugin schedules bounded retries<\/li>\n<li>If background delivery is unhealthy (for example DISABLE_WP_CRON), fallback queueing is skipped and users receive a retry-safe error<\/li>\n<li>Resend cooldown state is server-authoritative and exposed through a status endpoint used by frontend countdown UX<\/li>\n<li>Background queue payload contains only challenge ID (no raw OTP or destination data)<\/li>\n<\/ul>\n\n<h3>External Services<\/h3>\n\n<p>This plugin can connect to third-party services to deliver OTP messages. These services are optional and only used if enabled in plugin settings.<\/p>\n\n<h4>Twilio (SMS Delivery)<\/h4>\n\n<ul>\n<li>Service: Twilio Programmable Messaging API<\/li>\n<li>Purpose: Send OTP codes by SMS<\/li>\n<li>Data sent: destination phone number, sender phone number, OTP message text, account SID for authentication<\/li>\n<li>Credential handling: Twilio credentials are stored in WordPress options and used only when sending OTP messages<\/li>\n<li>When sent: when OTP delivery method includes SMS and an OTP is generated for login, registration, password reset, or resend<\/li>\n<li>Why sent: to deliver time-sensitive OTP codes to the user by SMS<\/li>\n<li>Terms of Service: https:\/\/www.twilio.com\/legal\/tos<\/li>\n<li>Privacy Policy: https:\/\/www.twilio.com\/en-us\/legal\/privacy<\/li>\n<\/ul>\n\n<h4>SendGrid (Email Delivery)<\/h4>\n\n<ul>\n<li>Service: SendGrid Mail Send API<\/li>\n<li>Purpose: Send OTP codes by email<\/li>\n<li>Data sent: recipient email address, sender email\/name, message subject, OTP message body, API key for authentication<\/li>\n<li>Credential handling: SendGrid API key is stored in WordPress options and used only when sending OTP messages<\/li>\n<li>When sent: when email provider is set to SendGrid and an OTP is generated for login, registration, password reset, or resend<\/li>\n<li>Why sent: to deliver time-sensitive OTP codes to the user by email<\/li>\n<li>Terms of Service: https:\/\/sendgrid.com\/policies\/terms\/<\/li>\n<li>Privacy Policy: https:\/\/sendgrid.com\/policies\/privacy\/<\/li>\n<\/ul>\n\n<h3>Configuration<\/h3>\n\n<ol>\n<li>Set OTP length, type, expiry, retry limit, and lockout duration.<\/li>\n<li>Choose delivery method: Email, SMS, or Both.<\/li>\n<li>Configure provider credentials for SendGrid and\/or Twilio if needed.<\/li>\n<li>Enable or disable OTP on login, registration, and password reset flows.<\/li>\n<\/ol>\n\n<!--section=installation-->\n<ol>\n<li>Upload the plugin folder to \/wp-content\/plugins\/.<\/li>\n<li>Activate the plugin through the Plugins screen in WordPress.<\/li>\n<li>Go to Settings &gt; OTP Authentication.<\/li>\n<li>Configure OTP rules and delivery providers.<\/li>\n<\/ol>\n\n<!--section=faq-->\n<dl>\n<dt id=\"does%20this%20plugin%20store%20otp%20values%20in%20plain%20text%3F\"><h3>Does this plugin store OTP values in plain text?<\/h3><\/dt>\n<dd><p>No. OTP values are hashed before storage and verified using hash comparison.<\/p><\/dd>\n<dt id=\"can%20i%20use%20sms%20delivery%3F\"><h3>Can I use SMS delivery?<\/h3><\/dt>\n<dd><p>Yes. Twilio is supported for SMS delivery.<\/p><\/dd>\n<dt id=\"can%20i%20use%20email%20api%20delivery%3F\"><h3>Can I use email API delivery?<\/h3><\/dt>\n<dd><p>Yes. SendGrid API is supported, and wp_mail is available as a fallback.<\/p><\/dd>\n<dt id=\"does%20this%20work%20with%20the%20default%20wp-login.php%20flow%3F\"><h3>Does this work with the default wp-login.php flow?<\/h3><\/dt>\n<dd><p>Yes. The plugin integrates with WordPress login, registration, and lost-password actions.<\/p><\/dd>\n<dt id=\"what%20user%20field%20is%20used%20for%20phone%20numbers%3F\"><h3>What user field is used for phone numbers?<\/h3><\/dt>\n<dd><p>By default, the plugin reads phone_number user meta. You can change the meta key in plugin settings.<\/p><\/dd>\n\n<\/dl>\n\n<!--section=changelog-->\n<h4>1.0.0<\/h4>\n\n<ul>\n<li>Initial release.<\/li>\n<li>Added OTP flows for login, registration, and reset.<\/li>\n<li>Added SendGrid and Twilio integrations.<\/li>\n<li>Added resend cooldown UX and secure challenge rotation.<\/li>\n<li>Added configurable OTP policy controls in the admin settings page.<\/li>\n<\/ul>","raw_excerpt":"OTP verification for WordPress login, registration, and password reset using email and SMS delivery.","jetpack_sharing_enabled":true,"_links":{"self":[{"href":"https:\/\/wordpress.org\/plugins\/wp-json\/wp\/v2\/plugin\/293600","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/wordpress.org\/plugins\/wp-json\/wp\/v2\/plugin"}],"about":[{"href":"https:\/\/wordpress.org\/plugins\/wp-json\/wp\/v2\/types\/plugin"}],"replies":[{"embeddable":true,"href":"https:\/\/wordpress.org\/plugins\/wp-json\/wp\/v2\/comments?post=293600"}],"author":[{"embeddable":true,"href":"https:\/\/wordpress.org\/plugins\/wp-json\/wporg\/v1\/users\/rishav001"}],"wp:attachment":[{"href":"https:\/\/wordpress.org\/plugins\/wp-json\/wp\/v2\/media?parent=293600"}],"wp:term":[{"taxonomy":"plugin_section","embeddable":true,"href":"https:\/\/wordpress.org\/plugins\/wp-json\/wp\/v2\/plugin_section?post=293600"},{"taxonomy":"plugin_tags","embeddable":true,"href":"https:\/\/wordpress.org\/plugins\/wp-json\/wp\/v2\/plugin_tags?post=293600"},{"taxonomy":"plugin_category","embeddable":true,"href":"https:\/\/wordpress.org\/plugins\/wp-json\/wp\/v2\/plugin_category?post=293600"},{"taxonomy":"plugin_contributors","embeddable":true,"href":"https:\/\/wordpress.org\/plugins\/wp-json\/wp\/v2\/plugin_contributors?post=293600"},{"taxonomy":"plugin_business_model","embeddable":true,"href":"https:\/\/wordpress.org\/plugins\/wp-json\/wp\/v2\/plugin_business_model?post=293600"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}