PHP Login with OTP Authentication

by Vincy. Last modified on July 19th, 2022.

Login with an OTP code is a secure method for the user authentication process. In this method, a one-time password is generated dynamically and sent to the user who attempts login.

OTP can be sent to the user’s email or his mobile phone. When the user enters the OTP code then the application will authenticate the user via this code.

In this tutorial, we are going to see an example to authenticate user login via an OTP code using email. In a previous tutorial, we have already seen a PHP code for login with username and password.

In this example, when the registered user enters email to login, an OTP code is sent to the email address. Using this OTP code the user will be validated. Once the user uses this code then it will be invalid, meaning it cannot be used again. Also, this token will be valid for a day, then it will be expired.

Login form with OTP

The following code shows login form to the user to enter his email address. On entering email, it shows an input to enter the OTP code sent to his email address. After submitting OTP, PHP will validate the code and show authentication result to the user.


<form name="frmUser" method="post" action="">
	<div class="tblLogin">
			if(!empty($success == 1)) { 
		<div class="tableheader">Enter OTP</div>
		<p style="color:#31ab00;">Check your email for the OTP</p>
		<div class="tablerow">
			<input type="text" name="otp" placeholder="One Time Password" class="login-input" required>
		<div class="tableheader"><input type="submit" name="submit_otp" value="Submit" class="btnSubmit"></div>
			} else if ($success == 2) {
		<p style="color:#31ab00;">Welcome, You have successfully loggedin!</p>
			else {
		<div class="tableheader">Enter Your Login Email</div>
		<div class="tablerow"><input type="text" name="email" placeholder="Email" class="login-input" required></div>
		<div class="tableheader"><input type="submit" name="submit_email" value="Submit" class="btnSubmit"></div>

PHP Code to Validate OTP Authentication

On submitting the email address, PHP script validates the user by checking the user database whether it is registered email. If so, a 6 digit OTP code is generated dynamically by using the PHP rand() function.

You may choose to substitute this random code generation logic using your preferred mechanism. This code is sent to the user’s email by using PHPmailer.


When the user submits the OTP code to PHP, it validates the code by checking its expiration. The code is valid for one day and it will be expired once it is used. The PHP code is,

$success = "";
$error_message = "";
$conn = mysqli_connect("localhost","root","","blog_samples");
if(!empty($_POST["submit_email"])) {
	$result = mysqli_query($conn,"SELECT * FROM registered_users WHERE email='" . $_POST["email"] . "'");
	$count  = mysqli_num_rows($result);
	if($count>0) {
		// generate OTP
		$otp = rand(100000,999999);
		// Send OTP
		$mail_status = sendOTP($_POST["email"],$otp);
		if($mail_status == 1) {
			$result = mysqli_query($conn,"INSERT INTO otp_expiry(otp,is_expired,create_at) VALUES ('" . $otp . "', 0, '" . date("Y-m-d H:i:s"). "')");
			$current_id = mysqli_insert_id($conn);
			if(!empty($current_id)) {
	} else {
		$error_message = "Email not exists!";
if(!empty($_POST["submit_otp"])) {
	$result = mysqli_query($conn,"SELECT * FROM otp_expiry WHERE otp='" . $_POST["otp"] . "' AND is_expired!=1 AND NOW() <= DATE_ADD(create_at, INTERVAL 24 HOUR)");
	$count  = mysqli_num_rows($result);
	if(!empty($count)) {
		$result = mysqli_query($conn,"UPDATE otp_expiry SET is_expired = 1 WHERE otp = '" . $_POST["otp"] . "'");
		$success = 2;	
	} else {
		$success =1;
		$error_message = "Invalid OTP!";


Written by Vincy, a web developer with 15+ years of experience and a Masters degree in Computer Science. She specializes in building modern, lightweight websites using PHP, JavaScript, React, and related technologies. Phppot helps you in mastering web development through over a decade of publishing quality tutorials.

Leave a Reply

Your email address will not be published. Required fields are marked *

↑ Back to Top

Share this page