Designing VPN OTP for Remote Staff: Brian’s View

SMS Masking Indonesia Editorial Team

As hybrid and remote work become the default across Southeast Asia, IT leaders are quietly facing a new pressure point: how to protect internal systems without slowing people down.

In many closed-door conversations with CIOs and CTOs, one recurring theme emerges: VPN access is now a major attack surface. A persona often referenced in these discussions is "Brian Siawarta"—a pragmatic CTO archetype who constantly repeats one principle: “Security has to be strong, but it also has to be human.”

This article explores OTP (One-Time Password) for employee VPN access through that Brian-style lens: balancing security, user experience, and local infrastructure realities. We will examine how SMS OTP, WhatsApp OTP, and omnichannel enterprise messaging can be combined into a resilient approach for companies in Indonesia and the wider Southeast Asia region.

Why Remote VPN Access Became a Prime Attack Surface

Before Covid, VPN was a niche tool: used mainly by IT, a few executives, and external vendors. Post-pandemic, the situation flipped.

Patterns that Brian often cites from mid- to large-size organizations in the region include:

  • 60–80% of office-based employees now access internal systems over VPN at least once a month.
  • Many connections come from home Wi-Fi and public networks, which are far less controlled than corporate LANs.
  • Critical internal SaaS apps are now routinely exposed via VPN as the primary gateway.

Without additional safeguards, the VPN essentially becomes the master key to the company, protected by a single password. That is where OTP-based MFA moves from “nice to have” to “non-negotiable”.

The Brian Siawarta Mindset: Security Is a Behaviour Problem

If you follow the way Brian frames security, three principles stand out when he talks about VPN and remote work:

  1. Attacks follow work patterns. When more staff work remotely, VPN credentials become prime targets for phishing and credential stuffing.
  2. Security should follow behaviour, not force behaviour. Solutions must work natively on channels and devices employees actually use.
  3. Business latency is worse than network latency. Overly complex security flows slow projects down and push people towards unsafe workarounds.

Within this framework, Brian tends to favour multi-factor authentication (MFA) that is practical at scale. And for Indonesia and much of Southeast Asia, OTP over SMS and WhatsApp remains one of the most realistic MFA options.

What OTP Looks Like in a VPN Context

One-Time Password (OTP) is a short, time-bound code valid for a single use—often expiring in 30–300 seconds. In the VPN context, OTP is typically used as the second factor after username and password.

A typical flow:

  1. Employee enters username and password in their VPN client.
  2. The authentication layer triggers OTP delivery to the employee’s mobile number or WhatsApp account.
  3. Employee enters that OTP into the VPN client.
  4. If correct and not expired, VPN access is granted.

With this extra step, attackers who obtain a password alone still cannot log in without access to the employee’s phone.
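As an added illustration (not code from the article or from SMSMasking.id), a minimal server-side OTP store showing the three properties the flow above depends on: the code is time-bound, single-use, and protected against guessing. The store design, the HMAC hashing under a server key, and the attempt limit are my assumptions; the call to the messaging gateway is left out.

```python
import hashlib
import hmac
import secrets
import time

OTP_DIGITS = 6
OTP_TTL_SECONDS = 120   # within the 30-300 s window described above
MAX_ATTEMPTS = 3        # wrong guesses allowed before the code is discarded

class OtpStore:
    """Issue and verify single-use, time-bound VPN OTPs.

    Codes are kept as HMACs under a server key, so a leaked store does not
    expose live codes. `clock` is injectable so expiry can be tested.
    """

    def __init__(self, server_key: bytes, clock=time.time) -> None:
        self._key = server_key
        self._clock = clock
        self._pending = {}   # username -> [code_mac, expires_at, wrong_attempts]

    def _mac(self, username: str, code: str) -> bytes:
        msg = f"{username}:{code}".encode()
        return hmac.new(self._key, msg, hashlib.sha256).digest()

    def issue(self, username: str) -> str:
        """Create a fresh code; any earlier unused code for the user is replaced."""
        code = str(secrets.randbelow(10 ** OTP_DIGITS)).zfill(OTP_DIGITS)
        expires_at = self._clock() + OTP_TTL_SECONDS
        self._pending[username] = [self._mac(username, code), expires_at, 0]
        return code   # hand to the messaging gateway; never log it

    def verify(self, username: str, code: str) -> bool:
        """True exactly once for the right code before expiry; the code is
        discarded on success, on expiry, and after MAX_ATTEMPTS wrong guesses."""
        entry = self._pending.get(username)
        if entry is None:
            return False
        mac, expires_at, _ = entry
        if self._clock() > expires_at:
            del self._pending[username]
            return False
        if not hmac.compare_digest(mac, self._mac(username, code)):
            entry[2] += 1
            if entry[2] >= MAX_ATTEMPTS:
                del self._pending[username]
            return False
        del self._pending[username]   # single use: a replayed code is rejected
        return True
```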

Why OTP over Messaging Fits Southeast Asia

Globally, there are many MFA options: authenticator apps, hardware tokens, push approvals, biometrics. Yet in Indonesia and neighbouring markets, Brian often highlights several reasons why OTP over messaging channels—especially SMS OTP and WhatsApp OTP—remains highly relevant:

  • Mobile penetration is high, but not all employees are comfortable managing dedicated authenticator apps.
  • With widespread BYOD (bring your own device), enforcing new corporate apps on personal phones is often sensitive.
  • WhatsApp is ubiquitous; receiving an OTP via WhatsApp Business API feels natural for most staff.
  • SMS serves as a universal fallback where mobile data is patchy or quota is exhausted.

In other words, companies are not choosing SMS and WhatsApp OTP because alternatives do not exist; they are choosing them because these channels match real-world user behaviour and infrastructure in the region.

Understanding the Channels: SMS, WhatsApp, and Omnichannel

Before designing your architecture, you need to understand the nature of each channel.

1. SMS OTP: Still the Backbone in Many Workflows

SMS OTP is the oldest and most familiar form of second-factor authentication. In Indonesia, it is still standard across banks and digital wallets.

Advantages:

  • No data connection required—only basic mobile signal.
  • Works on virtually any phone, including feature phones.
  • Extremely familiar across age groups and job roles.

On the enterprise side, Brian pushes for SMS Masking (branded Sender ID) so OTP messages show your company name rather than a random number, which reduces phishing risk and builds trust.

For companies that need predictable delivery at scale, connecting via local-direct SMS routes from SMSMasking.id gives more consistent latency because of direct ties to local operators.

2. WhatsApp OTP via Official WhatsApp Business API

WhatsApp Business API (WABA) lets you send OTP via structured template messages that render cleanly on users’ phones. For many employees who live in WhatsApp all day, this feels frictionless.

Advantages:

  • Realtime notifications with familiar UI.
  • Support for rich content if you later combine OTP with micro security tips or contextual guidance.
  • Official business verification (green tick) helps reduce impersonation risk.

Implementing WhatsApp OTP usually means working with an official WABA provider. In Indonesia, one reference point is SMSMasking.id’s WhatsApp Business API, which is frequently used for OTP and security alerts.

3. Omnichannel: One Logic Layer, Multiple Paths

A Brian-style recommendation is clear: “Don’t marry a single channel. Design for multi-channel from day one.” That is where omnichannel enterprise messaging comes in.

With an omnichannel platform, you can:

  • Define channel priority and fallbacks—for example, send via WhatsApp first, fall back to SMS if undelivered after 20 seconds.
  • Manage sender identities and numbers consistently across channels.
  • Monitor OTP delivery KPIs across all channels from a single dashboard.

Solutions like the SMSMasking.id Omnichannel platform are built for exactly these scenarios: one API call that can route out via SMS, Official WhatsApp, and more under a unified logic.

Designing VPN OTP Architecture: A Practical Blueprint

Based on the patterns Brian frequently shares with peers, a pragmatic deployment usually follows five stages.

1. Map Risk and User Segments

Not all accounts carry the same risk. For example:

  • High-risk: system admins, finance leads, developers with repo access, and top management.
  • Medium-risk: staff accessing customer data, sales data, or strategic documents.
  • Lower-risk: employees using internal tools with limited, non-sensitive information.

OTP-based MFA for VPN should be mandatory at least for the first two segments. For low-risk accounts, adaptive MFA might be enough—for instance, only asking for OTP when login comes from a new country or unknown device.

2. Decide Primary Channel and Fallback Strategy

From a user experience perspective, Brian tends to suggest:

  • Primary channel: WhatsApp OTP via Official WhatsApp Business API for most employees with stable data connectivity.
  • Fallback channel: SMS OTP for users with unreliable mobile data or when WhatsApp is down.

Omnichannel platforms make this much easier. You can codify the behaviour at the back-end: “Send OTP via WhatsApp; if not delivered within 15–30 seconds, send the same OTP via SMS.”
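The fallback rule above, worked through as an added example (not vendor SDK code): a dispatcher that tries the channels in priority order and moves to SMS when WhatsApp reports no delivery within the window. The gateway object, its send/status methods, the polling model and the fake clock are assumptions; real platforms usually push delivery receipts via webhook instead.

```python
import time
from dataclasses import dataclass, field
from typing import Optional

FALLBACK_AFTER_SECONDS = 20          # inside the 15-30 s window described above
CHANNEL_ORDER = ("whatsapp", "sms")  # primary first, fallback last

@dataclass
class SimulatedGateway:
    """Stand-in for an omnichannel API (hypothetical, not a vendor SDK): `outcomes`
    maps channel -> final status; a channel missing from it stays "pending"."""
    outcomes: dict
    sent: list = field(default_factory=list)   # (channel, msisdn, text) log

    def send(self, channel: str, msisdn: str, text: str) -> str:
        self.sent.append((channel, msisdn, text))
        return f"{channel}-{len(self.sent)}"    # message id with channel encoded

    def status(self, msg_id: str) -> str:
        return self.outcomes.get(msg_id.split("-")[0], "pending")

class FakeClock:
    """Deterministic clock so fallback timing runs without real waiting."""
    def __init__(self) -> None:
        self.now = 0.0

    def time(self) -> float:
        return self.now

    def sleep(self, seconds: float) -> None:
        self.now += seconds

def deliver_otp(gateway, msisdn: str, code: str,
                clock=time.time, sleep=time.sleep) -> Optional[str]:
    """Send the same code on each channel in turn until one reports delivery;
    returns the delivering channel, or None if every channel failed."""
    text = f"Your VPN login code is {code}. It expires in 2 minutes. Never share it, even with IT."
    for channel in CHANNEL_ORDER:
        msg_id = gateway.send(channel, msisdn, text)
        deadline = clock() + FALLBACK_AFTER_SECONDS
        while clock() < deadline:
            state = gateway.status(msg_id)
            if state == "delivered":
                return channel
            if state == "failed":
                break                       # hard failure: fall back at once
            sleep(1)                        # poll; real APIs push receipts via webhook
    return None
```

Sending the identical code on the fallback path means a WhatsApp message that arrives late still works, and the user never sees two different codes for one login.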

3. Integrate with VPN and Identity Infrastructure

Technically, VPN + OTP integration usually looks like this:

  • The VPN client (OpenVPN, Fortinet, Cisco, IPsec variants) connects to a RADIUS server or Identity Provider (IdP) such as Azure AD, Okta, or Keycloak.
  • The IdP or an MFA middleware triggers OTP creation and calls the messaging gateway API (omnichannel / SMS / WhatsApp) to deliver the code.
  • The OTP is verified by the middleware or IdP before final VPN access is granted.

In practice, many organizations prefer to use a messaging provider that offers a dedicated OTP API, so the IT team only needs to deal with one endpoint and simple parameters: phone number, preferred channel, and template.

4. Manage Mobile Numbers and Employee Lifecycle

From a governance standpoint, Brian stresses:

  • Synchronise phone numbers between HRIS and your IAM/IdP.
  • Implement a secure process for changing phone numbers, where employees must pass additional verification.
  • Have strict offboarding procedures: disable VPN and OTP access immediately when staff resign or contracts end.

Without clean lifecycle management, OTP itself can become a vulnerability—e.g., if numbers are recycled or reassigned but still tied to corporate accounts.
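A lifecycle check in the spirit of the points above, as an added example (not from the article): reconciling HRIS records against IdP accounts to catch leavers who still hold VPN and OTP access, numbers that changed in HRIS but not in the IdP, and one number still attached to several VPN accounts after recycling. The record shapes and the sample data are constructed for the example.

```python
from collections import defaultdict
from dataclasses import dataclass

@dataclass(frozen=True)
class HrisRecord:
    employee_id: str
    phone: str
    status: str          # "active" or "terminated"

@dataclass(frozen=True)
class IdpAccount:
    username: str
    employee_id: str
    otp_phone: str       # number the OTP gateway will message
    vpn_enabled: bool

def reconcile(hris, idp):
    """Return sorted (action, username, detail) findings for the IAM team."""
    by_employee = {r.employee_id: r for r in hris}
    owners = defaultdict(list)          # otp_phone -> VPN-enabled usernames
    findings = []
    for acct in idp:
        if acct.vpn_enabled:
            owners[acct.otp_phone].append(acct.username)
        rec = by_employee.get(acct.employee_id)
        if rec is None or rec.status != "active":
            if acct.vpn_enabled:        # leaver or unknown person still holds VPN+OTP
                findings.append(("disable_vpn_and_otp", acct.username, "no active HRIS record"))
            continue
        if rec.phone != acct.otp_phone:  # HRIS changed, IdP still messages the old number
            findings.append(("phone_mismatch", acct.username, f"HRIS {rec.phone} vs IdP {acct.otp_phone}"))
    for phone, users in owners.items():  # one number tied to several VPN accounts
        if len(users) > 1:
            for u in users:
                others = sorted(set(users) - {u})
                findings.append(("shared_otp_number", u, f"{phone} also on {others}"))
    return sorted(findings)

# Constructed sample: bob left, carol changed her number, dave has no HRIS record and got carol's old number
SAMPLE_HRIS = [
    HrisRecord("E100", "+62811000001", "active"),
    HrisRecord("E101", "+62811000002", "terminated"),
    HrisRecord("E102", "+62811000003", "active"),
]
SAMPLE_IDP = [
    IdpAccount("alice", "E100", "+62811000001", True),
    IdpAccount("bob", "E101", "+62811000002", True),
    IdpAccount("carol", "E102", "+62811000009", True),
    IdpAccount("dave", "E999", "+62811000009", True),
]
```

Run `reconcile(SAMPLE_HRIS, SAMPLE_IDP)` to see the five findings the sample produces; in production the HRIS and IdP lists would come from their respective APIs on a schedule.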

5. Educate Employees to Resist Social Engineering

OTP is not a silver bullet. Breaches frequently happen because employees share OTP codes with someone claiming to be “IT support” or a “trusted vendor”.

A minimal security awareness program should cover:

  • A clear rule: “OTP is for you only. Even official IT staff will never ask for it.”
  • Internal phishing simulations to measure and raise awareness.
  • Short, periodic updates via WhatsApp or SMS reminding staff about OTP hygiene and recent scams.

This is where messaging channels can do double duty—supporting both OTP delivery and ongoing security micro-training.

Mini Case: 1,500-Employee Financial Services Firm

Consider a scenario Brian likes to reference in workshops:

A financial services company with 1,500 employees, 70% working hybrid. VPN is the main access path to internal apps and customer data.

Deployment Snapshot

  1. Access audit: Map which apps require VPN and who uses them.
  2. Channel strategy: Decide on Official WhatsApp as the primary OTP channel, with masked SMS as fallback.
  3. Vendor selection: Pick an omnichannel provider like SMSMasking.id that can support Official WhatsApp Business API and local-direct SMS through a single API.
  4. VPN & IAM integration: Hook the company’s IdP into the OTP messaging API to trigger and verify OTP.
  5. Pilot group: Roll out to 100 users in finance and IT as an initial cohort.
  6. Gradual roll-out across the rest of the organisation, paired with short training sessions.

Outcomes After 3–6 Months

  • Multiple suspicious login attempts from foreign IPs were stopped at the OTP stage.
  • Password-reset tickets spiked slightly in the first month, then declined as users adapted to the new flow.
  • No confirmed OTP leakage incidents, partly thanks to ongoing awareness messaging via WhatsApp.

For a CTO persona like Brian, this case underlines that VPN OTP deployment is not just a tech project; it is a shift in how the organisation thinks about remote access risk.

When OTP Alone Is Not Enough for VPN Protection

Despite its strengths, messaging-based OTP has limitations that must be acknowledged:

  • SIM-swap and port-out fraud are still realistic threats, especially for high-value accounts.
  • If a user’s device is compromised by malware, SMS and WhatsApp messages can be intercepted.
  • Skilled social engineers can convince employees to share OTP in real time.

In Brian’s view, VPN OTP should be:

  • Your baseline MFA layer for most employees.
  • Combined with additional controls for critical accounts—device certificates, hardware tokens, or restricted admin workstations.
  • Backed by behavioural analytics to detect anomalous login patterns.

Choosing the Right Enterprise Messaging Partner

Many deployments fail not due to flawed design, but due to the wrong partner. From a CTO perspective, here are key criteria:

  1. Reliability and latency: OTP must arrive within seconds. Providers with direct operator connections and local infrastructure—such as SMSMasking.id local-direct SMS—tend to be more predictable.
  2. Official WhatsApp support: Ensure the provider offers official WhatsApp Business API rather than unapproved workarounds, especially for security use cases.
  3. Omnichannel capabilities: For long-term flexibility, an omnichannel platform makes it easier to add channels and manage fallbacks centrally.
  4. Technical depth: A team that understands VPN, RADIUS, and IdP integration will significantly shorten your deployment timeline.
  5. Regulatory alignment: Check data residency and compliance, particularly for regulated sectors like finance and healthcare.

From Concept to Roll-Out: A Practical Roadmap

To wrap up, here is a concise roadmap Brian often suggests to enterprise leaders:

  1. Start with a focused pilot—target units with both high risk and high digital maturity, such as IT and finance.
  2. Pick a messaging partner that can support SMS, Official WhatsApp, and omnichannel from the start, even if you initially use just one or two channels.
  3. Integrate OTP into your existing IAM and VPN stack instead of building a separate login system.
  4. Define a secure process for phone number changes and strict offboarding routines.
  5. Invest in communication and education as much as in the technical build.

Through a Brian Siawarta-style lens, the goal is clear: design a VPN OTP experience that is secure enough for your risk profile, simple enough for your users, and flexible enough for the realities of Southeast Asia’s connectivity and behaviour.

FAQ

1. Is SMS OTP still acceptable for VPN access?
For most use cases and user segments, yes. When paired with strong passwords and basic awareness training, SMS OTP significantly raises the bar for attackers. For very high-risk accounts, consider adding device-based or hardware-backed factors.

2. Which is better for VPN OTP: SMS or WhatsApp?
It depends on your workforce. WhatsApp offers a smoother UX and richer messaging, while SMS works better where data connectivity is unreliable. Many enterprises adopt a hybrid strategy: WhatsApp as the primary channel, SMS as the automatic fallback.

3. Do I really need an omnichannel platform?
Not strictly—but it simplifies life as you scale. If you foresee using multiple channels, global teams, or complex fallback logic, an omnichannel layer reduces integration overhead and improves visibility.

4. What if employees do not have their phones with them?
You can define an emergency access procedure that involves additional verification via service desk or managers. This should be tightly controlled and monitored to avoid abuse.

5. Can we reuse the OTP channels for other security notifications?
Yes. Many organisations use the same SMS and WhatsApp infrastructure to send login alerts, device-change notifications, security policy updates, and short awareness tips.
