Authentication and OTP

WhatsApp puts one-time passwords where people are already looking on mobile, cutting email delays and failed verifications. This workflow sends, verifies, and on failure retries or locks out, while keeping the CRM informed without turning security into a support ticket.

​

At a glance

​

What this workflow does

When a user requests a login or a step-up verification, an Authentication-category template delivers a single-use code with a copy-code button. A correct code passes. An incorrect entry triggers a fresh code and invalidates the old one. After the maximum number of attempts, the account is paused for a set period with a support hand-off, and every outcome is logged for investigation.

​

What you will need

• Authentication-category WhatsApp templates with an OTP block and copy-code button
• A code generator (your auth service or HubSpot) feeding the code at send time
• Properties to log attempts, outcomes, and lockouts for audit
• A support hand-off path for false positives

​

Workflow steps

1. Trigger a login or action request from your application.
2. Send code deliver tmpl_otp_code with a single-use code that expires in a few minutes.
3. Verify check the entered code against your auth service.
4. Branch, valid mark verified, log the success, and return the user to their action.
5. Branch, invalid send tmpl_otp_retry with a fresh code and invalidate the previous one. Rate-limit retries.
6. Lockout (fail closed) after the maximum attempts, send tmpl_otp_locked, pause sign-in for the set period, and offer support. Send an unlock confirmation when the window passes.
7. Audit log every send, attempt, and lockout against the contact.

​

WhatsApp templates

• tmpl_otp_code verification code with copy-code button (Authentication category)
• tmpl_otp_retry fresh code after a failed attempt (Authentication category)
• tmpl_otp_locked lockout and unlock messaging (Authentication category)

​

Tips and gotchas