Refresh OTP

Problem description

During phase 1 of the RBIberia Loyalty migration, both the Airtouch and Homeria apps will start using RBI’s dynamic One-Time Passcodes (OTP) to sign users into the Kiosk or POS.

There is one scenario where the current implementation of the OTP authentication process will result in guests seeing an error:

  • Guest opens the QR code page on the app

  • Guest scans the QR code using the Kiosk or POS scanner

  • Guest then scans the QR code a second time

  • Guest sees an error

This error occurs because, for security purposes, the RBI platform does not allow the same QR code to be used twice, so the second scan returns an error.

Solution

How the RBI app works

The RBI app solves this problem by automatically refreshing the OTP once the currently displayed OTP has been used. Technically, the app continuously polls the Get OTP endpoint to check whether the displayed OTP has already been used and, if so, calls Create OTP again. This page documents the process, step by step.

Proposal for the Airtouch and Homeria apps

The proposed solution consists of asking the Airtouch and Homeria apps to replicate the process above.

There is a technical limitation in that the frequency of calls to the Get OTP endpoint is expected to be higher than what the Homeria infrastructure has been designed to support. To avoid performance and latency issues, we propose the following:

  • Calls to the Get OTP endpoint (and only the Get OTP endpoint) would be made directly to the RBI platform

  • This means that traffic would happen between the customer’s device and the RBI platform, without travelling through Homeria infrastructure

  • The solution above requires client apps to use a specific API key, which only allows access to the Get OTP endpoint for security reasons

  • This API key will only be used during the Loyalty migration, and deleted once the Airtouch and Homeria apps are no longer making requests to RBI’s Get OTP endpoint.
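The refresh loop from "How the RBI app works", combined with the call split proposed above, sketched as an added example (not code from RBI, Airtouch or Homeria). The page does not specify the endpoints' request or response format, so the `getOtp`/`createOtp` callbacks, the `used` field, the `isOpen`/`render`/`sleep` helpers and the intervals are all assumptions.

```javascript
// Added example: names, response shape and intervals are assumptions, not RBI's API.
// getOtp(code) -> Promise<{ used: boolean }>  direct to RBI with the Get-OTP-only key
// createOtp()  -> Promise<{ code: string }>   through the app's existing backend route
const BASE_MS = 2000;  // assumed poll interval
const MAX_MS = 30000;  // assumed backoff ceiling after repeated failures

class OtpRefresher {
  constructor(initialCode) {
    this.code = initialCode;   // OTP currently rendered as the QR code
    this.failures = 0;         // consecutive Get OTP failures
    this.retired = new Set();  // codes already redeemed; never shown again
  }

  // Decision step: given one Get OTP outcome, say what to do next.
  onPoll(result) {
    if (result.error) {
      // Back off so a failing endpoint is not hammered by every open QR page.
      this.failures += 1;
      return { action: 'wait', delayMs: Math.min(BASE_MS * 2 ** this.failures, MAX_MS) };
    }
    this.failures = 0;
    if (result.used) {
      this.retired.add(this.code);
      return { action: 'create', delayMs: BASE_MS };
    }
    return { action: 'wait', delayMs: BASE_MS };
  }

  // Accept a newly created OTP; refuse one that was already redeemed.
  onCreated(code) {
    if (this.retired.has(code)) throw new Error('refusing to display a used OTP');
    this.code = code;
    return this.code;
  }
}

// Driver: polls only while the QR page is open (isOpen is a hypothetical callback).
async function run(refresher, { getOtp, createOtp, render, isOpen, sleep }) {
  render(refresher.code);
  while (isOpen()) {
    const result = await getOtp(refresher.code).catch(() => ({ error: true }));
    const step = refresher.onPoll(result);
    // A Create OTP failure propagates to the caller; it is not retried in this sketch.
    if (step.action === 'create') render(refresher.onCreated((await createOtp()).code));
    await sleep(step.delayMs);
  }
}
```

Stopping the loop when the QR page closes keeps the restricted key's traffic limited to the time a code is actually on screen.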
