Sending One Time Password to Users to Improve Flow Security

Sending One Time Password to Users to Improve Flow Security

It is possible to use a Screen Flow to simplify the process of gathering data from your end users and enhance the user experience. Since it is possible to enhance Screen Flows with custom components and actions, they can be used almost for any request. Moreover, it is even possible to run them in system context, which bypasses the user's permissions. Although this option is beneficial for many use cases, it can also introduce risks, such as potential vulnerabilities or security concerns. Because of that, you should build your flows carefully and make sure that they are secure. Especially when you make the flow publicly accessible, this becomes more crucial. There are many different ways to improve flow security and one of them is sending one time password to users.

How to Generate One Time Password in Screen Flow

The main concept involves generating a short key (OTP) and sending it to the user's email, followed by prompting the user to enter the key.

There can be various workarounds to generate one time password (OTP) in screen flow. For instance, you can use this custom flow action to generate a random number.

Let's try another approach and use this action to hash a value and take the last 6 characters from the end. Since you want to generate a different password every time, you should hash a different value. For instance, you can hash the current date/time value.

Hash Text

Then, create a text formula to take the last 6 characters.

Formula to Generate an OTP

After this step, you have your one time password.

Sending One Time Password to User

Now, it is time for sending one time password to the user. If it is for a logged in user, then you can use the user global variable to find the user's email address ({!$User.Email}). However, if it is for a guest user, you need to identify the user somehow. For instance, if you have the customer's email on the account object, you can pass the account Id as a URL parameter.

After finding the user's email address, you should create a text template for sending the one time password to the user.

Text Template for Sending One Time Password

How to Verify the One Time Password

Now it is time to verify the one time password. Add a screen element with a text field, so that the user can enter the code. In order to improve the user experience, add a validation to verify the code on the same screen.

Verify the One Time Password

If the verification code (OTP) is not valid, the user will not be able to use the flow.



Flow is a very powerful automation tool, so it's crucial to build them carefully and ensure they're secure. There are various ways to enhance flow security, such as sending one time password to users.

Be the first to comment

Leave a Reply

Your email address will not be published.