Midtrans Hackathon 2018 - Verifying payment without internet
Last month, I had the opportunity to participate in an internal hackathon at Midtrans, shortly after its acquisition by Gojek. My team of three (shout out to my amazing colleagues Andri & Azhar) built a mobile application named ‘GoAuth’ for GoPay merchants. The app lets a merchant verify, without an internet connection, that a customer has paid by scanning the merchant's static GoPay QR code.
Our concept was inspired by Google’s One-Time Password (OTP) authentication, the scheme used by Google Authenticator, in which a six-digit code is derived from a specific secret (salt) string. The code is valid only for a limited time window, and generating it requires no internet connection; the server then validates the submitted code using the same secret string. We applied this idea to the problem faced by small street merchants, who often lack a reliable internet connection or have to wait for an SMS to confirm a payment. It is also a potentially more cost-efficient approach for GoPay than sending an SMS.
sequenceDiagram
participant U as User
participant P as Third Party Provider
participant D as User Device
U->>P: Register Device & Retrieve Secret Key
U->>D: Enter Secret Key in Google Authenticator
D->>D: Generate OTP based on Secret Key and Current Time
U->>P: Submit OTP for Authentication
P->>U: Confirm Authentication
Here’s how we adapted this approach for GoAuth:
Merchant’s Secret Key: Every merchant has a secret key (salt) stored on the GoPay server (assuming the merchant has completed onboarding). This key is used to generate the OTP.
Device Authorization: Before using GoAuth, a merchant must authorize their device, which retrieves the secret key used to generate the OTP. This is a one-time operation that does require an internet connection.
sequenceDiagram
participant M as Merchant
participant A as GoAuth App
participant S as GoPay Server
M->>A: Open GoAuth App to Configure
A->>M: Prompt for Merchant Credentials
M->>A: Provide Merchant Credentials
S->>A: Merchant Authorized
A->>S: Initiate Configuration
A->>S: Retrieve Merchant Secret Key
S->>A: Provide Merchant Secret Key
A->>A: Store Secret Key Locally
A->>M: Done
Payment and OTP Generation: When a customer pays by scanning the QR code displayed at the merchant’s store and the payment succeeds, the GoPay server generates an OTP and sends it to the Gojek app.
QR Code Rendering: The Gojek app receives the OTP and renders it into a QR code, which also includes the payment amount.
OTP Verification: The merchant scans this QR code using the GoAuth app, enters the expected payment amount, and verifies the OTP. Since the secret key is stored locally on the device, this verification doesn’t need an internet connection.
Payment Confirmation: If the OTP verification is successful, the payment is confirmed. If not, it could mean that the customer has not yet completed the payment.
sequenceDiagram
participant U as User
participant G as Gojek App
participant S as GoPay Server
participant M as Merchant
participant A as GoAuth App
U->>G: Make Payment by Scanning Merchant Static QR
G->>S: Communicate Payment Amount and Merchant ID
S->>G: Respond with Successful Payment and OTP
G->>G: Render QR with Payment Amount and OTP
U->>M: Show QR to Merchant
M->>A: Scan QR with GoAuth App
A->>M: Prompt to Input Expected Amount
M->>A: Provide Expected Amount
A->>A: Validate Pair of Amount and OTP
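The flow above, as an added example that is not code from the GoAuth project: the server derives an HOTP/TOTP-style code that is also bound to the payment amount, and the merchant app verifies the scanned amount/OTP pair offline from its locally stored secret. Assumed details (not stated in the post): a 30-second time step, six digits, HMAC-SHA1 as in RFC 4226/6238, a plain "amount|otp" QR payload, one step of clock-drift tolerance, and an in-session replay guard.

```python
import hmac
import hashlib
import struct

TIME_STEP = 30   # assumed time window in seconds
DIGITS = 6       # assumed code length


def payment_otp(secret: bytes, amount: int, time_counter: int) -> str:
    """Derive a 6-digit code from the merchant secret, the amount and the time window."""
    # Message = amount || time counter (both 8-byte big-endian), so a code issued
    # for one amount does not verify for another amount.
    msg = struct.pack(">QQ", amount, time_counter)
    digest = hmac.new(secret, msg, hashlib.sha1).digest()
    # RFC 4226 dynamic truncation.
    offset = digest[-1] & 0x0F
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** DIGITS).zfill(DIGITS)


def server_issue_qr(secret: bytes, amount: int, now: float) -> str:
    """GoPay-server side: after a successful payment, build the QR payload (assumed format)."""
    counter = int(now // TIME_STEP)
    return f"{amount}|{payment_otp(secret, amount, counter)}"


def merchant_verify(secret: bytes, expected_amount: int, qr_payload: str,
                    now: float, seen: set, window: int = 1) -> bool:
    """GoAuth side, fully offline: check the scanned payload against the amount
    the merchant typed in. Tolerates +/- `window` time steps of clock drift and
    rejects a code already accepted in this session (simple replay guard)."""
    try:
        amount_str, otp = qr_payload.split("|", 1)
        amount = int(amount_str)
    except ValueError:
        return False                      # malformed payload
    if amount != expected_amount:
        return False                      # displayed amount is not what the merchant expects
    counter = int(now // TIME_STEP)
    for delta in range(-window, window + 1):
        candidate = payment_otp(secret, expected_amount, counter + delta)
        if hmac.compare_digest(candidate, otp):
            if otp in seen:
                return False              # same code presented twice
            seen.add(otp)
            return True
    return False                          # wrong secret, tampered amount, or stale code
```

Because the amount is part of the HMAC input, a payload whose amount field was edited fails verification even though it carries a genuine code; the replay set only needs to hold codes from the current window.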
Our idea was well-received and we secured third place in the hackathon. It was a fascinating experience, and it highlighted the potential of OTPs for this use case. The hackathon provided us with a platform to explore new possibilities and find innovative solutions to real-world problems.