Skip to main content

OTP — second-factor entry

A 6-digit one-time-password page that appears between Login and Spaces when OTP is enabled for the Consumer.

When the user sees this page

OTP is decided per Consumer class — system-registered (invited from /org) and outside-registered (used /registration) toggle independently, so OTP can be required for one class, both, or neither.

Where that decision comes from depends on the deployment:

DeploymentOTP authority
Partner-integrated (the login surface is bound to a tenant by its request Origin)The tenant contract policy — otpInsideRegistration for system-registered Consumers, otpOutsideRegistration for outside-registered. Enforced on every login, with no extra round-trip.
First-party (no tenant contract)The /org/system/settings-consumerConsumer Login toggles: Use OTP Login for system registered users and Use OTP Login for outside registered users.

The contract policy takes precedence when present; the /org toggles are the first-party fallback.

What's on the page

  • 6-digit code input — one box per digit.
  • Sign In button — confirms the entered code.
  • "Go back and Sign In" link — returns to /login (e.g. if the user picked the wrong account).
  • Theme toggle in the corner.

Code lifetime

  • The code is short-lived and single-use — it expires a short time after generation.
  • After expiry, the user has to start over from the Login page.

The expiry window is short by design — it keeps stolen codes useless quickly. Keen's user guide documents a 2-minute window from generation, but that figure isn't pinned in the code-level engine reference, so confirm the precise window against your deployment rather than relying on a fixed value. (Note: the 10-minute lifetime that appears elsewhere is the partner registration claim/redeem token, a different artifact from this sign-in code.)

What happens on success

User lands on / — the Spaces page.