Midtrans Hackathon 2018 - Verifying payment without internet

otp, hackaton

Last month, I had the opportunity to participate in an internal hackathon at Midtrans, shortly after its acquisition by Gojek. My team of three (shout out to my amazing colleagues Andri & Azhar) built a mobile application named ‘GoAuth’ for GoPay merchants. The app lets a merchant verify that a customer who scanned their static GoPay QR code actually paid, without needing an internet connection.

Our concept was inspired by Google’s One-Time Password (OTP) authentication, where an OTP is generated from a secret string (a salt) to produce a six-digit code. The code is valid for a certain timeframe, and generating it doesn’t require an internet connection. The generated OTP is then validated on the server using the same secret string. We used this idea to address the problem faced by small street merchants, who often lack a reliable internet connection or have to wait for an SMS to confirm a payment; it could also be a more cost-efficient alternative for GoPay than sending SMS.

Sequence diagram (participants: User, User Device, Third Party Provider): Register Device & Retrieve Secret Key → Enter Secret Key in Google Authenticator → Generate OTP based on Secret Key and Current Time → Submit OTP for Authentication → Confirm Authentication.

Here’s how we adapted this approach for GoAuth:

Merchant’s Secret Key: Every merchant has a secret key (salt) stored on the GoPay server (assuming the merchant has completed onboarding). This key is used to generate the OTP.

Device Authorization: Before using GoAuth, merchants need to authorize their device to retrieve the secret key for generating the OTP. This is a one-time operation that does require an internet connection.

Sequence diagram (participants: Merchant, GoAuth App, GoPay Server): Open GoAuth App to Configure → Prompt for Merchant Credentials → Provide Merchant Credentials → Merchant Authorized → Initiate Configuration → Retrieve Merchant Secret Key → Provide Merchant Secret Key → Store Secret Key Locally → Done.

Payment and OTP Generation: When a customer makes a payment by scanning the QR code displayed at the merchant’s store, and the payment is successful, an OTP is generated on the GoPay server and sent to the Gojek app.

QR Code Rendering: The Gojek app receives the OTP and renders it into a QR code, which also includes the payment amount.

OTP Verification: The merchant scans this QR code using the GoAuth app, enters the expected payment amount, and verifies the OTP. Since the secret key is stored locally on the device, this verification doesn’t need an internet connection.

Payment Confirmation: If the OTP verification is successful, the payment is confirmed. If not, it could mean that the customer has not yet completed the payment.

Sequence diagram (participants: User, Gojek App, GoPay Server, Merchant, GoAuth App): Make Payment by Scanning Merchant Static QR → Communicate Payment Amount and Merchant ID → Respond with Successful Payment and OTP → Render QR with Payment Amount and OTP → Show QR to Merchant → Scan QR with GoAuth App → Prompt to Input Expected Amount → Provide Expected Amount → Validate Pair of Amount and OTP.
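The flow above, as an added example that is not the GoAuth team's code: the GoPay server derives a time-based OTP from the merchant secret, and the GoAuth app re-derives it offline from the same secret plus the amount the merchant typed in. The message layout (time step, amount, merchant ID), the 30-second step, SHA-1 and the 6-digit length are my assumptions; binding the amount into the HMAC input is what stops a code issued for one payment from confirming a different amount.

```python
import hmac
import hashlib
import struct

STEP_SECONDS = 30   # assumed time step, as in Google Authenticator
DIGITS = 6          # assumed code length
# Constructed sample values, not real GoPay data.
SECRET = b"constructed-merchant-secret"
MERCHANT_ID = "M-CONSTRUCTED-001"


def _otp(secret: bytes, step: int, amount: int, merchant_id: str) -> str:
    """HOTP-style truncation over (time step || amount || merchant id)."""
    msg = struct.pack(">Q", step) + struct.pack(">Q", amount) + merchant_id.encode()
    digest = hmac.new(secret, msg, hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** DIGITS).zfill(DIGITS)


def server_issue_otp(secret: bytes, amount: int, merchant_id: str, now: int) -> str:
    """GoPay server side: runs online after the customer's payment succeeds."""
    return _otp(secret, now // STEP_SECONDS, amount, merchant_id)


def goauth_verify(secret: bytes, otp: str, expected_amount: int,
                  merchant_id: str, now: int, window: int = 1) -> bool:
    """GoAuth app side: fully offline, only needs the locally stored secret.

    Accepts +/- `window` time steps to tolerate clock skew between the
    server and the merchant's phone; a code for a different amount or an
    old time step never matches.
    """
    step = now // STEP_SECONDS
    for candidate in range(step - window, step + window + 1):
        expected = _otp(secret, candidate, expected_amount, merchant_id)
        if hmac.compare_digest(expected, otp):
            return True
    return False


if __name__ == "__main__":
    now = 1_700_000_000  # constructed timestamp
    code = server_issue_otp(SECRET, 25_000, MERCHANT_ID, now)
    print("merchant enters 25000:", goauth_verify(SECRET, code, 25_000, MERCHANT_ID, now))
    print("merchant enters 30000:", goauth_verify(SECRET, code, 30_000, MERCHANT_ID, now))
```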

Our idea was well-received and we secured third place in the hackathon. It was a fascinating experience, and it highlighted the potential of OTPs for this use case. The hackathon provided us with a platform to explore new possibilities and find innovative solutions to real-world problems.
