Architecture

OTP Authentication Without Firebase: Building It From Scratch

NeoCodeHub Team

November 15, 2025

Firebase Auth is convenient but adds vendor lock-in and costs at scale. We implement phone-based OTP authentication from scratch in multiple projects — Errandoo and Prevadu Health both use custom OTP flows.

The Authentication Flow

User submits their phone number. The server draws a 6-digit OTP from a cryptographically secure random source (the language's default PRNG is not acceptable here), hashes it with Argon2, and stores only the hash in Redis with a 5-minute TTL. The OTP is sent via Fast2SMS as the primary provider, with 2Factor.in voice call as fallback. On verification, the submitted code is checked against the stored hash with Argon2's verify routine, which re-derives the hash using the salt embedded in the stored value (simply re-hashing the submitted code would not match, because each hash carries a random salt). A successful match deletes the Redis key so the code cannot be replayed. Be clear about what the hash does and does not buy: it protects codes against anyone who can read Redis, but a 6-digit code has only a million possible values, so the attempt limit below, not the hash, is what stops online guessing.

Rate Limiting Strategy

Four layers of rate limiting prevent abuse: one OTP per phone number per minute, a maximum of 5 OTPs per phone number per day, 3 verification attempts per OTP (the code is discarded after the third failure, so guesses cannot be retried against an older code), and per-IP hourly limits. All are backed by Redis counters with automatic expiry. The per-phone and per-IP checks run before any SMS is sent: each message costs money, and the same counters keep the service from being used to flood someone else's number.
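The issue-and-verify flow above together with the four rate-limit layers, as an added example written for this post; it is not code from Errandoo or Prevadu Health. It assumes an in-memory TTL store standing in for Redis (same key, counter and expiry semantics), `hashlib.scrypt` standing in for Argon2 so the file runs on the standard library alone, a stub in place of the Fast2SMS call, and an assumed per-IP figure of 20 per hour since the post gives no number.

```python
import hashlib
import secrets
import time

OTP_TTL = 300        # 5-minute lifetime of a code
PER_MINUTE = 1       # one OTP per phone per minute
PER_DAY = 5          # five OTPs per phone per day
MAX_ATTEMPTS = 3     # three verification attempts per code
PER_IP_HOUR = 20     # assumed figure; the post gives no per-IP number


class TTLStore:
    """In-memory stand-in for the Redis commands the flow needs: SET EX,
    GET, DEL and an INCR whose expiry is set when the key is created.
    The clock is injectable so expiry can be exercised deterministically."""

    def __init__(self, clock=time.monotonic):
        self.clock = clock
        self.data = {}  # key -> (value, expires_at)

    def _live(self, key):
        item = self.data.get(key)
        if item is not None and item[1] <= self.clock():
            del self.data[key]
            item = None
        return item

    def get(self, key):
        item = self._live(key)
        return None if item is None else item[0]

    def set(self, key, value, ttl):
        self.data[key] = (value, self.clock() + ttl)

    def incr(self, key, ttl):
        item = self._live(key)
        if item is None:
            self.data[key] = (1, self.clock() + ttl)
            return 1
        self.data[key] = (item[0] + 1, item[1])
        return item[0] + 1

    def delete(self, key):
        self.data.pop(key, None)


def hash_otp(otp, salt):
    # scrypt stands in for Argon2 so the file runs on the standard library;
    # both are memory-hard, so each offline guess over the 10^6 code space
    # costs real CPU time and RAM for whoever manages to read the store.
    return hashlib.scrypt(otp.encode(), salt=salt, n=2**14, r=8, p=1, dklen=32)


class OtpService:
    def __init__(self, store, send_sms):
        self.store = store
        self.send_sms = send_sms  # stub for the Fast2SMS / 2Factor.in call

    def request_otp(self, phone, ip):
        # Every limit is checked before an SMS is paid for. A request that a
        # layer rejects does not consume budget in the layers after it.
        if self.store.incr(f"otp:min:{phone}", 60) > PER_MINUTE:
            return "rate_limited_minute"
        if self.store.incr(f"otp:day:{phone}", 86400) > PER_DAY:
            return "rate_limited_day"
        if self.store.incr(f"otp:ip:{ip}", 3600) > PER_IP_HOUR:
            return "rate_limited_ip"
        otp = f"{secrets.randbelow(10**6):06d}"  # CSPRNG, zero-padded
        salt = secrets.token_bytes(16)
        self.store.set(f"otp:{phone}", (salt, hash_otp(otp, salt)), OTP_TTL)
        self.store.delete(f"otp:attempts:{phone}")  # new code, new attempt budget
        self.send_sms(phone, otp)
        return "sent"

    def verify_otp(self, phone, submitted):
        record = self.store.get(f"otp:{phone}")
        if record is None:
            return "expired_or_missing"
        # Charge the attempt before comparing so every guess counts.
        attempts = self.store.incr(f"otp:attempts:{phone}", OTP_TTL)
        salt, stored = record
        if secrets.compare_digest(hash_otp(submitted, salt), stored):
            self.store.delete(f"otp:{phone}")  # single use: no replay
            return "ok"
        if attempts >= MAX_ATTEMPTS:
            self.store.delete(f"otp:{phone}")  # burn the code after the third failure
            return "too_many_attempts"
        return "wrong_code"
```

The attempt counter is incremented before the comparison rather than after a failure, so a client that drops the connection mid-request still pays for the guess, and the code is deleted on the third miss so a later request cannot continue guessing against it.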

Token Architecture

On successful verification, we issue a short-lived JWT access token (15 minutes) and a long-lived refresh token (7 days). Refresh tokens are single-use: each refresh consumes the presented token and issues a new pair. If a refresh token that has already been consumed is presented again, one of the two holders is not the legitimate client, so the reuse is treated as theft and all tokens for that user are invalidated. Because the access token is a stateless JWT, revoking it before its 15-minute expiry needs a server-side check on each request, for example a per-user token version kept in Redis and compared against a claim in the token.
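The token half of the design, as an added example for this post rather than the projects' own code. It assumes an HS256 JWT built with the standard library (a vetted JWT library is the right choice in production), opaque refresh tokens stored by hash in an in-memory dict in place of Redis, an injectable clock, and a per-user version claim as the mechanism for invalidating outstanding access tokens when reuse is detected.

```python
import base64
import hashlib
import hmac
import json
import secrets
import time

ACCESS_TTL = 15 * 60       # 15-minute access JWT
REFRESH_TTL = 7 * 86400    # 7-day refresh token


def _b64(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _unb64(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def _hash(token):
    return hashlib.sha256(token.encode()).hexdigest()


class TokenService:
    """Issues HS256 access JWTs and opaque refresh tokens. Refresh tokens are
    stored by hash, marked used on rotation, and a second use revokes every
    token the user holds. The per-user version claim is what lets a
    stateless JWT be revoked before it expires."""

    def __init__(self, key, clock=time.time):
        self.key = key
        self.clock = clock
        self.user_version = {}  # user -> int, bumped by revoke_all
        self.refresh = {}       # sha256(token) -> {"user", "expires", "used"}

    def _version(self, user):
        return self.user_version.setdefault(user, 1)

    def _sign(self, signing_input):
        return hmac.new(self.key, signing_input.encode(), hashlib.sha256).digest()

    def issue_access(self, user):
        now = int(self.clock())
        header = {"alg": "HS256", "typ": "JWT"}
        claims = {"sub": user, "iat": now, "exp": now + ACCESS_TTL,
                  "ver": self._version(user)}
        signing_input = ".".join(
            _b64(json.dumps(part, separators=(",", ":")).encode())
            for part in (header, claims))
        return signing_input + "." + _b64(self._sign(signing_input))

    def verify_access(self, token):
        """Return the subject, or None on bad signature, expiry or stale version."""
        try:
            h, p, s = token.split(".")
            # The header is never consulted for the algorithm: it is always
            # HS256 with our key, which closes the alg=none / key-confusion class.
            if not hmac.compare_digest(self._sign(f"{h}.{p}"), _unb64(s)):
                return None
            claims = json.loads(_unb64(p))
            if claims["exp"] <= self.clock():
                return None
            if claims["ver"] != self._version(claims["sub"]):
                return None  # revoked by revoke_all before natural expiry
            return claims["sub"]
        except (ValueError, KeyError, TypeError):
            return None

    def issue_refresh(self, user):
        token = secrets.token_urlsafe(32)  # opaque, 256 bits of entropy
        self.refresh[_hash(token)] = {"user": user, "used": False,
                                      "expires": self.clock() + REFRESH_TTL}
        return token

    def login(self, user):
        return self.issue_access(user), self.issue_refresh(user)

    def rotate(self, refresh_token):
        """Exchange a refresh token for a new pair, or None if it is not valid."""
        rec = self.refresh.get(_hash(refresh_token))
        if rec is None or rec["expires"] <= self.clock():
            return None  # Redis would have expired the key; here it merely lingers
        if rec["used"]:
            # The legitimate client already rotated this token, so a second
            # presentation means another party holds a copy: revoke everything.
            self.revoke_all(rec["user"])
            return None
        rec["used"] = True
        return self.issue_access(rec["user"]), self.issue_refresh(rec["user"])

    def revoke_all(self, user):
        self.user_version[user] = self._version(user) + 1
        for h in [h for h, r in self.refresh.items() if r["user"] == user]:
            del self.refresh[h]
```

Consumed refresh tokens are kept, flagged as used, rather than deleted: a deleted token looks identical to a random guess, while a flagged one is the signal that makes reuse detection possible. The version check costs one lookup per request, which is the price of being able to cut off a 15-minute JWT early.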

Cost at Scale

Fast2SMS costs approximately 0.15 INR per SMS. At 1,000 daily active users, each receiving one OTP per day, that is about 30,000 messages and roughly 4,500 INR per month. Firebase Auth's free tier covers 10,000 verifications per month and charges $0.06 for each one beyond that, so the same 30,000 verifications would cost about $1,200 per month; self-hosted becomes significantly cheaper at scale. The comparison only holds while the rate limits hold: the daily cap of 5 OTPs per number is also the cap on what anyone can make you pay per phone number.