Email OTP – shortcodes instead of passwords (Pro)

Email OTP (one-time password) lets users log in or sign up with a short numeric code sent to their inbox. Instead of typing a password, they:

1. Enter their email address on your login/checkout/comment form.

2. Receive a one-time code by email.

3. Enter the code to finish logging in.

You control code length, expiry, throttling, and whether new accounts can be created with OTP.

---

1. Requirements

Before enabling Email OTP:

• VentraConnect Social Login Pro add-on is installed and activated.

• Outgoing email works on your site (WordPress can send emails reliably).

• You’ve set up at least one login surface where OTP will appear:

  • WordPress login / register forms, and/or

  • WooCommerce login / checkout, and/or

  • Membership / LMS login forms, and/or

  • Comments (if you’ve enabled comment login integration).

Tip: If normal WordPress emails (lost password, new user, etc.) aren’t being delivered, fix that first (SMTP plugin or transactional email service) before rolling out OTP.

---

2. Enabling Email OTP login

1. In the WordPress admin, go to VentraConnect → Login methods.

2. In the left sidebar list, click OTP (Email).

3. In the Settings panel:

   • Toggle Active to On.

4. Click Save Changes at the bottom of the screen.

Once active, Email OTP will appear anywhere you’ve enabled passwordless / method buttons (login forms, WooCommerce, comments, etc.) according to your placement settings.

---

3. Code length, expiry, and throttling

Still on the OTP (Email) settings page:

Code length (4–8 digits)

• Field: Code length (4–8)

• Controls how many digits each OTP code contains.

Guidelines:

• 4–5 digits – Faster to type on mobile, but easier to guess.

• 6 digits – Good balance for most sites.

• 7–8 digits – Stronger, but slightly more friction.

Recommendation: Use 6 digits unless you have a strong reason to go shorter or longer.

---

Expiry (minutes)

• Field: Expiry (minutes)

• Controls how long a code stays valid after it’s generated.

When the expiry time passes:

• The code is treated as expired.

• The user will see an “expired code” error and must request a new OTP.

Guidelines:

• 5–10 minutes – Good default for most sites.

• 2–3 minutes – More aggressive security, but more chance of timeouts on slow email.

• 15+ minutes – Only if you know your email delivery is very slow.

Recommendation: Start with 10 minutes, adjust later if users complain about codes timing out.

---

Resend throttling & attempt limits

• Field: Resend throttle (sec) – how many seconds to wait before the same user can request another code.

• Field: Max attempts – maximum number of times a code can be tried before it’s locked.

Behaviour:

• While the throttle window is active, repeated resend requests for the same OTP will be rejected.

• Once max attempts is reached, the current code is no longer accepted. The user must request a new OTP.

Guidelines:

• Resend throttle:

  • 30–60 seconds is usually enough to stop spammy clicks without annoying real users.

• Max attempts:

  • 3–5 attempts per code is a good starting point.

Recommendation: Start with Resend throttle = 60 and Max attempts = 5.

---

4. Registration mode: who can use OTP?

Email OTP can either:

• Allow new account creation, or

• Only allow existing users to log in.

On the OTP (Email) settings page, find Registration mode:

• Login & Register (default)

  • If the email address does not match an existing user, VentraConnect can create a new account.

  • Good for stores and apps where you encourage quick sign-ups.

• Login only (existing users)

  • If the email doesn’t already exist as a user, the login will fail.

  • Use this on sites where registration is controlled elsewhere (e.g. closed membership sites).

Choose the option that matches your account policy. This is one of your key guardrails for user creation.

---

5. Redirect behaviour (where users land after OTP)

OTP can use the same redirect rules as your other login methods.

On the OTP settings page:

1. Find the Redirect override section.

2. Options typically include:

   • Return to previous page (default) – best for comments and blog logins.

   • Go to site homepage – useful for very simple sites.

   • Go to account / dashboard page – ideal for WooCommerce / membership dashboards.

   • Custom URL – send everyone to a specific URL.

Recommendation:

• For blogs / content sites, “Return to previous page” is best.

• For stores / membership / LMS, use “Account / dashboard page” or a custom dashboard URL.

---

6. Customizing the OTP email

You can tailor the OTP email so it matches your brand and explains clearly what to do.

On the OTP settings page, look for Email sender and Email template fields:

• Email sender

  • Overrides the “From” name for OTP emails (e.g. “Your Store Login”).

  • If left empty, WordPress’s default sender is used.

• Email subject

  • Short, clear subject line such as:

    • Your login code for {site_name}

    • Your {site_name} OTP: {otp_code} (only if you’re comfortable putting the code in the subject).

• Email body

  • This supports simple tags, for example:

    • {otp_code} – the user’s one-time code.

    • {expires_in} – how many minutes until the code expires.

    • {user_email} – the email address the code was sent to.

    • {site_name} – your site’s name.

Suggested starting template:

Subject:
Your login code for {site_name}

Body:
Hi,

Here is your one-time login code for {site_name}:

{otp_code}

This code will expire in {expires_in} minutes. If you did not request this code, you can safely ignore this email.

Thanks,
{site_name}

Keep it plain text or simple HTML – this reduces spam filtering problems and makes it easy to read on mobile.

---

7. Preview & test

Before rolling OTP out to real users, test it end-to-end.

1. On the OTP settings page, look for Preview & test.

2. Update the button label if needed (e.g. “Continue with Email OTP”).

3. Click the Send test button:

   • Enter an email address you control.

   • Make sure you receive the email promptly.

   • Check that the subject, body, and tags ({otp_code}, {expires_in}, etc.) render correctly.

4. Go to your site’s login form and perform a full flow:

   • Request a code.

   • Enter it correctly (verify successful login).

   • Try an expired or reused code (verify you see an error and cannot log in).

If emails are slow or missing, fix deliverability first (SMTP / transactional service) before enabling OTP for users.

---

8. Where OTP appears (forms & placements)

Email OTP reuses the same placement system as your other methods:

• If you’ve enabled passwordless control for a form, and OTP is active, users will see:

  • Social Login buttons, plus

  • Magic Link, plus

  • Email OTP, depending on what’s enabled.

Common places:

• WordPress wp-login.php – if Social/Passwordless is enabled there.

• WooCommerce – login, registration, checkout, and “My Account” screens, according to your WooCommerce integration settings.

• Membership / LMS plugins – when their integration toggles are enabled.

• Comments – if you’ve enabled “Login to comment” and allowed OTP for comments.

If OTP isn’t showing where you expect:

1. Confirm OTP is Active.

2. Confirm the relevant integration (WooCommerce, membership, LMS, comments) is enabled.

3. Check your passwordless modes and per-form rules – strict modes can block certain methods on some forms.

4. Clear caches if you’re using a caching plugin.

---

9. Safety notes & best practices

• Keep code length ≥ 6 and max attempts reasonable.

• Don’t set expiry longer than you need – shorter windows reduce risk if an email account is compromised.

• If you disable OTP later, users will still be able to sign in via other enabled methods (Social, Magic Link, normal password).

• For high-value admin accounts, keep passwords and 2FA in place – treat OTP as an end-user convenience, not an admin-only method.