How to generate a verification code/number?

Question

I\'m working on an application where users have to make a call and type a verification number with the keypad of their phone.

I would like to be able to detect if th

Answer 1

When you are creating the verification code, do you have access to the caller's phone number?

If so I would use the caller's phone number and run it through some sort of hashing function so that you can guarantee that the verification code you gave to the caller in step 1 is the same one that they are entering in step 2 (to make sure they aren't using a friend's validation code or they simply made a very lucky guess).

About the hashing, I'm not sure if it's possible to take a 10 digit number and come out with a hash result that would be < 10 digits (I guess you'd have to live with a certain amount of collision) but I think this would help ensure the user is who they say they are.

Of course this won't work if the phone number used in step 1 is different than the one they are calling from in step 2.

Answer 2

• I must have a reasonnable number of possible combinations (let's say 1M)
• The code must be as short as possible, to avoid errors from the user

Well, if you want it to have at least one million combinations, then you need at least six digits. Is that short enough?

Answer 3

For 1M combinations you'll need 6 digits. To make sure that there aren't any accidentally valid codes, I suggest 9 digits with a 1/1000 chance that a random code works. I'd also suggest using another digit (10 total) to perform an integrity check. As far as distribution patterns, random will suffice and the check digit will ensure that a single error will not result in a correct code.

Edit: Apparently I didn't fully read your request. Using a credit card number, you could perform a hash on it (MD5 or SHA1 or something similar). You then truncate at an appropriate spot (for example 9 characters) and convert to base 10. Then you add the check digit(s) and this should more or less work for your purposes.