Authentication SMS OTP Consent

In order to benefit from the SMS OTP Authentication and Consent, the Service Provider must provide the end-user's mobile number in its API request. The mobile number must be encrypted (see below) and added to the request using the login_hint query-string parameter.

Creating the login_hint for SMS OTP Authentication and Consent:

The mobile number must be encrypted (see below) before being added to the request through the "login_hint" parameter.

The login_hint is formed from the user's MSISDN and a timestamp. It is then encrypted with AES-256-CBC.

In order to be added into the URL, the login_hint must be URL encoded.

Encoding process:

MSISDN to encode:

msisdn: 33612345678

UNIX timestamp in milliseconds (i.e. new Date().getTime();)

timestamp: 1453891409214

MSISDN and timestamp in clear (timestamp "_" msisdn) (ASCII):


Generation of a fresh 128-bit Initialization Vector for each encoding:

(openssl rand -hex 16 )

Derivation of <key> from the <client_secret>:

key := bin_2_hexa( sha256( ascii_2_binary(<client_secret>) ) )
e.g. key = crypto.createHash("sha256").update(client_secret).digest();

login_hint encrypted with AES-256-CBC:

AES input (ASCII): "1453891409214_33612345678"
AES key (hexa): 617a65727479617a65727479617a65727479617a65727479617a65727479617a
AES IV (hexa): f672e6d89b73dbfb0b97cbe18f89c2ba
AES output (base64): CxaTp04yCdvx8JAqNHdGCK7GGObeGrGBCUvHtcXv1Nk=
openssl aes-256-cbc -v -a -K 617a65727479617a65727479617a65727479617a65727479617a65727479617a -iv f672e6d89b73dbfb0b97cbe18f89c2ba -in clear_1.txt -out cypher_base64_1.txt ; more clear_1.txt ; more cypher_base64_1.txt

Prepending the 128-bit Initialization Vector (as hex) to the encrypted MSISDN, separated by "_", in order to form the login_hint:


URL-encoded login_hint:


N.B.: Example of the encoding in JavaScript (Node.js):

  var cryptoModule = require('crypto'),
       loginHint = "msisdn_value", // To be set; example: 33112233445
       timestamp = new Date().getTime(), // UNIX timestamp in milliseconds, as required above
       iv = cryptoModule.randomBytes(16), // fresh 128-bit IV for each encoding
       key = cryptoModule.createHash("sha256").update("client_Secret").digest(); // set client_secret: the partner's password
  console.log("key=" + key.toString('hex'));
  console.log("iv=" + iv.toString('hex'));
  var cryptoCipher = cryptoModule.createCipheriv("aes-256-cbc", key, iv),
       cypheredLoginHint = cryptoCipher.update(timestamp + "_" + loginHint, 'utf8', 'base64') + cryptoCipher.final('base64'),
       finalcypheredLoginHint = encodeURIComponent(iv.toString("hex") + "_" + cypheredLoginHint);
  console.log("cypheredLoginHint = " + cypheredLoginHint);
  console.log("finalcypheredLoginHint = " + finalcypheredLoginHint);

Your user will be prompted with a UI requesting the SMS OTP received on the MSISDN provided in the request. The SMS OTP reads as follows: « Orange Info : Vous recevez ce code (CODE) car un partenaire d'Orange (CLIENT_NAME) a formulé une demande d'accès à vos données personnelles. »


As the Client is responsible for collecting the MSISDN and providing it in the URL, it is its responsibility to ensure that anti-spam protections are in place in its application/service. If the Client's application/service were used by a third party to attack the SMS OTP authentication system, the service could be temporarily suspended for that Client pending the deployment of stronger protections.