SMS Phone Authentication Implementation for Websites
Authentication via SMS code (OTP) is standard for e-commerce, delivery services, and fintech on the Russian market. User enters phone number, receives a 4–6 digit code via SMS, enters it—authenticated. Password either absent or set separately after first login.
SMS Providers for Russia and CIS
| Provider | Features |
|---|---|
| SMSC.ru | Popular, HTTP API and SMPP |
| SMS.ru | Simple API, good delivery |
| Exolve (MTS) | Operator-level, virtual numbers |
| Infobip | International, expensive, reliable |
| Twilio | International, unavailable in RF without VPN |
| FirebaseSMS | Mobile apps, not web |
For most Russian web projects—SMSC.ru or SMS.ru.
Flow Architecture
1. POST /auth/phone/send-code { phone: "+79001234567" }
→ phone validation
→ OTP generation
→ save hash(OTP) to Redis with TTL 5 min
→ send SMS
→ response: { expires_in: 300 }
2. POST /auth/phone/verify { phone: "...", code: "123456" }
→ check OTP from Redis
→ create/find user
→ issue session or JWT
OTP Generation and Storage
class PhoneOtpService
{
public function sendOtp(string $phone): int
{
$this->checkRateLimit($phone);
$code = str_pad(random_int(0, 999999), 6, '0', STR_PAD_LEFT);
// Store hash, not the code
Cache::put(
"phone_otp:{$phone}",
[
'hash' => hash('sha256', $code),
'attempts' => 0,
],
now()->addMinutes(5)
);
$this->smsProvider->send($phone, "Your code: {$code}");
return 300; // expires_in seconds
}
public function verifyOtp(string $phone, string $code): bool
{
$data = Cache::get("phone_otp:{$phone}");
if (!$data) {
throw new OtpExpiredException();
}
// Limit attempts
if ($data['attempts'] >= 3) {
Cache::forget("phone_otp:{$phone}");
throw new OtpAttemptsExceededException();
}
if (!hash_equals($data['hash'], hash('sha256', $code))) {
Cache::put("phone_otp:{$phone}", array_merge($data, [
'attempts' => $data['attempts'] + 1,
]), now()->addMinutes(5));
return false;
}
Cache::forget("phone_otp:{$phone}");
return true;
}
}
Rate Limiting
// No more than 3 SMS per hour from one number
RateLimiter::for('sms-otp', function (Request $request) {
return [
Limit::perHour(3)->by('phone:' . $request->phone),
Limit::perMinute(1)->by('phone:' . $request->phone),
];
});
Phone Number Normalization
use libphonenumber\PhoneNumberUtil;
$phoneUtil = PhoneNumberUtil::getInstance();
$parsed = $phoneUtil->parse($rawPhone, 'RU');
if (!$phoneUtil->isValidNumber($parsed)) {
throw new InvalidPhoneNumberException();
}
$normalized = $phoneUtil->format($parsed, \libphonenumber\PhoneNumberFormat::E164);
// +79001234567
Library giggsey/libphonenumber-for-php is a PHP port of Google's libphonenumber.
SMSC.ru Integration
class SmscProvider implements SmsProviderInterface
{
public function send(string $phone, string $text): void
{
$response = Http::get('https://smsc.ru/sys/send.php', [
'login' => config('sms.smsc_login'),
'psw' => config('sms.smsc_password'),
'phones' => $phone,
'mes' => $text,
'fmt' => 3, // JSON
]);
$data = $response->json();
if (isset($data['error'])) {
Log::error('SMSC error', ['code' => $data['error_code'], 'message' => $data['error']]);
throw new SmsDeliveryException($data['error']);
}
}
}
User Creation on First Login
public function authenticate(string $phone): User
{
return User::firstOrCreate(
['phone' => $phone],
[
'phone_verified_at' => now(),
'name' => 'User',
]
);
}
UX Details
- Show countdown timer until resend is possible
- Autofocus on code field after sending
- Autosubmit on last digit (for 6-digit code)
- "Change number" button—ability to go back
Work Timeline
| Stage | Time |
|---|---|
| OTP service + Redis | 1 day |
| SMS provider integration | 0.5 day |
| API endpoints + rate limiting | 0.5 day |
| Frontend flow (form + timer) | 1 day |
| Tests + edge cases | 1 day |
Total: 4–5 days.