How to generate a verification code/number?


Solution 1

After some research, I think I'll go with the ISO 7064 Mod 97,10 formula. It seems pretty solid as it is used to validate IBAN (International Bank Account Number).

The formula is very simple:

  1. Take a number: 123456
  2. Apply the following formula to obtain the 2-digit checksum: mod(98 - mod(number * 100, 97), 97) => 76
  3. Concat number and checksum to obtain the code => 12345676
  4. To validate a code, verify that mod(code, 97) == 1

Test:

  • mod(12345676, 97) = 1 => GOOD
  • mod(21345676, 97) = 50 => BAD !
  • mod(12345678, 97) = 10 => BAD !

Apparently, this algorithm catches most of the errors.

Another interesting option was the Verhoeff algorithm. It has only one verification digit and is more difficult to implement (compared to the simple formula above).
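The Mod 97,10 scheme above, as an added example in Python (not code from the answer), together with a check of the two typo classes the question lists. The numbers 123456, 12345676 and 21345676 are the answer's own; the helper names, the trial count and the seed are assumptions made here.

```python
import random


def mod97_check(number: int) -> int:
    """ISO 7064 Mod 97,10: two check digits c such that (number * 100 + c) % 97 == 1."""
    return (98 - (number * 100) % 97) % 97


def generate(number: int) -> str:
    """Append the zero-padded check digits to the decimal representation of number."""
    return f"{number}{mod97_check(number):02d}"


def validate(code: str) -> bool:
    """A code is valid when it is all digits and reduces to 1 mod 97."""
    return code.isdigit() and int(code) % 97 == 1


def undetected_errors(code: str) -> tuple[int, int]:
    """Count the single-digit substitutions and adjacent transpositions of `code`
    that still validate. Both classes are always caught: a substitution changes
    the value by d*10^k and a transposition by 9*(a-b)*10^k, and 97 is a prime
    that divides neither factor, so the counts are (0, 0) for every code."""
    substitutions = 0
    for i, ch in enumerate(code):
        for d in "0123456789":
            if d != ch and validate(code[:i] + d + code[i + 1:]):
                substitutions += 1
    transpositions = 0
    for i in range(len(code) - 1):
        if code[i] != code[i + 1]:
            swapped = code[:i] + code[i + 1] + code[i] + code[i + 2:]
            if validate(swapped):
                transpositions += 1
    return substitutions, transpositions


def random_pass_rate(length: int, trials: int, seed: int = 0) -> float:
    """Fraction of uniformly random `length`-digit strings that validate.
    About 1/97 whatever the length: the check digits stop typos, not guessing."""
    rng = random.Random(seed)
    hits = sum(validate("".join(rng.choice("0123456789") for _ in range(length)))
               for _ in range(trials))
    return hits / trials


if __name__ == "__main__":
    code = generate(123456)
    print(code, validate(code), undetected_errors(code))
    print("random 8-digit pass rate:", random_pass_rate(8, 20000))
```

The last function is the caveat for the question's first requirement: Mod 97,10 only reduces the space of accepted strings by a factor of 97, so a guessed 8-digit code is accepted roughly one time in a hundred. Extra digits derived from something the caller cannot compute (a secret, as Solutions 3 and 4 propose) are what make guessing hard; the check digits only make typing errors detectable.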

Solution 2

For 1M combinations you'll need 6 digits. To make sure that there aren't any accidentally valid codes, I suggest 9 digits with a 1/1000 chance that a random code works. I'd also suggest using another digit (10 total) to perform an integrity check. As far as distribution patterns, random will suffice and the check digit will ensure that a single error will not result in a correct code.

Edit: Apparently I didn't fully read your request. Using a credit card number, you could perform a hash on it (MD5 or SHA1 or something similar). You then truncate at an appropriate spot (for example 9 characters) and convert to base 10. Then you add the check digit(s) and this should more or less work for your purposes.

Solution 3

You want to segment your code. Part of it should be a 16-bit CRC of the rest of the code.

If all you want is a verification number then just use a sequence number (assuming you have a single point of generation). That way you know you are not getting duplicates.

Then you prefix the sequence with a CRC-16 of that sequence number AND some private key. You can use anything for the private key, as long as you keep it private. Make it something big, at least a GUID, but it could be the text to War and Peace from Project Gutenberg. Just needs to be secret and constant. Having a private key prevents people from being able to forge a key, but using a 16-bit CRC makes it easier to break.

To validate you just split the number into its two parts, and then take a CRC-16 of the sequence number and the private key.

If you want to obscure the sequential portion more, then split the CRC in two parts. Put 3 digits at the front and 2 at the back of the sequence (zero pad so the length of the CRC is consistent).

This method allows you to start with smaller keys too. The first 10 keys will be 6 digits.

Solution 4

Does it have to be only numbers? You could create a random number between 1 and 1M (I'd suggest even higher though) and then Base32 encode it. The next thing you need to do is hash that value (using a secret salt value) and Base32 encode the hash. Then append the two strings together, perhaps separated by a dash.

That way, you can verify the incoming code algorithmically. You just take the left side of the code, hash it using your secret salt, and compare that value to the right side of the code.
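Solutions 3 and 4 share one structure: a sequence number plus a few digits that only the holder of a secret can compute, recomputed at validation time. The added example below (Python, not code from either answer) implements that structure for the all-numeric codes the question needs, using Solution 3's layout of three secret-derived digits in front of the zero-padded sequence and two behind it. It derives the digits with HMAC-SHA256 rather than a CRC-16 over the sequence and the secret: a CRC is a linear function, so two messages with known differences have tags with a known difference and a keyed CRC can be forged without recovering the key, whereas a MAC cannot. The truncate-and-convert-to-base-10 step is the one Solution 2 describes, applied to a keyed hash. The key value, the digit counts and the function names are assumptions made for the example.

```python
import hashlib
import hmac
from typing import Optional, Tuple

SEQ_DIGITS = 6   # 000001..999999: the 1M combinations the question asks for
MAC_DIGITS = 5   # 3 placed before the sequence, 2 after it (Solution 3's layout)

# Assumption: the server keeps one long-lived random key (make it with
# secrets.token_bytes(32) and store it outside the code). A fixed value is
# used here only so the example is reproducible.
DEMO_KEY = bytes.fromhex("0f" * 32)


def mac_digits(key: bytes, seq: int, ndigits: int = MAC_DIGITS) -> str:
    """Digits derived from HMAC-SHA256(key, seq): truncate the tag to 8 bytes,
    read it as an integer and keep the low-order `ndigits` decimal digits."""
    tag = hmac.new(key, seq.to_bytes(8, "big"), hashlib.sha256).digest()
    return f"{int.from_bytes(tag[:8], 'big') % 10 ** ndigits:0{ndigits}d}"


def generate(key: bytes, seq: int) -> str:
    """Issue the code for one sequence number: MMM SSSSSS MM."""
    if not 1 <= seq < 10 ** SEQ_DIGITS:
        raise ValueError("sequence number out of range")
    mac = mac_digits(key, seq)
    return f"{mac[:3]}{seq:0{SEQ_DIGITS}d}{mac[3:]}"


def split_code(code: str) -> Optional[Tuple[int, str]]:
    """Undo the layout: (seq, presented MAC digits), or None if the shape is wrong."""
    if len(code) != 3 + SEQ_DIGITS + 2 or not code.isdigit():
        return None
    seq = int(code[3:3 + SEQ_DIGITS])
    return seq, code[:3] + code[3 + SEQ_DIGITS:]


def validate(key: bytes, code: str) -> bool:
    """Recompute the MAC digits for the embedded sequence number and compare
    in constant time. No list of issued codes is needed, which is the
    property the phone system in the question requires."""
    parts = split_code(code)
    if parts is None:
        return False
    seq, presented = parts
    if not 1 <= seq < 10 ** SEQ_DIGITS:
        return False
    return hmac.compare_digest(presented, mac_digits(key, seq))


if __name__ == "__main__":
    for n in (1, 42, 999999):
        code = generate(DEMO_KEY, n)
        print(n, code, validate(DEMO_KEY, code))
```

With five MAC digits a random 11-digit entry is accepted about one time in 100,000, and a caller who knows one valid code learns nothing that helps with another. The remaining practical control is on the phone side: limit the number of attempts per call, since an unlimited keypad brute force eventually finds a valid code whatever the digit count.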

Author: Costo
I'm a Web developer using mainly Microsoft technologies (C# / SQL Server)

Updated on May 15, 2020

Comments

  • Costo
    Costo, almost 4 years ago

    I'm working on an application where users have to make a call and type a verification number with the keypad of their phone.

    I would like to be able to detect if the number they type is correct or not. The phone system does not have access to a list of valid numbers, but instead, it will validate the number against an algorithm (like a credit card number).

    Here are some of the requirements:

    • It must be difficult to type a valid random code
    • It must be difficult to have a valid code if I make a typo (transposition of digits, wrong digit)
    • I must have a reasonable number of possible combinations (let's say 1M)
    • The code must be as short as possible, to avoid errors from the user

    Given these requirements, how would you generate such a number?

    EDIT :

    @Haaked: The code has to be numerical because the user types it with their phone.

    @matt b: On the first step, the code is displayed on a Web page, the second step is to call and type in the code. I don't know the user's phone number.

    Follow-up: I've found several algorithms to check the validity of numbers (see this interesting Google Code project: checkDigits).