Configure the phone authenticator
The phone authenticator lets users receive a one-time passcode (OTP) in a voice call or SMS message. Users enter this passcode to prove that they're the person who is signing in.
Configure more authenticators in addition to this one. This ensures that your users have alternatives if they can't access their phone, like in the case of loss or change of phone number.
Using phone OTP isn't a guaranteed way to verify a user's identity. See Potential risks of verifying identity through SMS and voice call.
Require your users to authenticate with a more robust authenticator. For example, require an authenticator that verifies the user's presence and is also device-bound, hardware-protected, or phishing-resistant, such as a device-bound authenticator app or FIDO2 (WebAuthn). Email-based factors such as magic links and email OTPs are not phishing-resistant and shouldn't be treated as a stronger alternative to phone OTP. See Multifactor authentication.
This authenticator is a possession factor and verifies user presence.
Before you begin
- Connect to an external telephony service provider using either Workflows or the Okta API. See Configure Okta Workflows for an external telephony provider or Create a telephony inline hook.
All customers must use their own telephony provider to use phone or SMS authentication in Okta. See Bring Your Own Telephony Required for SMS and Voice.
For guidance about selecting a telephony service provider, see Choose telephony provider.
- Review telephony documentation to understand regulatory requirements, toll fraud, and technical considerations. See Telephony.
Add the phone authenticator
- In the Admin Console, open Authenticators.
- On the Setup tab, click Add Authenticator.
- Click Add on the Phone tile.
- Configure the following options:
  - In the User can verify with field, select Voice call, SMS, or both.
  - In the This authenticator can be used for field, select one of the following:
    - Authentication and recovery: Users can authenticate and recover their accounts with this authenticator.
    - Recovery in password policy rules: Users can recover their accounts with this authenticator, but they can't authenticate with it.
- Click Add. The authenticator appears in the list on the Setup tab.
Add phone to the authenticator enrollment policy
In Authenticators, go to the Enrollment tab to add the authenticator to a new or an existing authenticator enrollment policy. See Create an authenticator enrollment policy.
Edit or delete the phone authenticator
Before you edit or delete the authenticator, you may have to update existing policies that use this authenticator.
- In Authenticators, go to the Setup tab.
- Open the Actions dropdown menu beside the authenticator, and then select Edit or Delete.
End-user experience
When users sign in to Okta for the first time, they see that extra verification is required. They select the phone authenticator and enter a phone number. Then they choose SMS or Voice call, depending on the options you've made available to them. After the user verifies the phone number using the OTP, they can use it for authentication and recovery, or only for recovery, depending on your settings. An OTP is valid for five minutes.
If the user selects SMS, they can only provide a mobile phone number.
For Voice call, the user can provide a mobile phone number, a landline number, or a landline number with an extension. Users can't use toll-free, premium, or invalid phone numbers.
To customize the SMS message sent to the users, see Customize an SMS message.
Users get five attempts to enter an OTP. After the fifth failed attempt, the correct OTP is invalidated to stop brute-force guessing, and Okta returns HTTP status code 429 (too many requests). A message appears in the user interface and an entry is written to the System Log. Users aren't locked out of their accounts and can request another OTP immediately.
They can use the Verify with something else option to sign in using a different authenticator.
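The following Python model is added here to make the verification rules in the two preceding paragraphs concrete; it is an illustration written for this page, not Okta's implementation. It assumes a six-digit code (the page doesn't state the length), an in-memory store keyed by phone number, an injectable clock so expiry can be exercised offline, and constructed status strings. The points it shows: the OTP expires after five minutes, a user gets five entries (so the fifth may still be the correct one), the fifth failure discards the correct code and answers 429 while leaving the account unlocked, and a fresh code can be requested immediately afterwards.

```python
"""Illustrative model of phone OTP verification limits (constructed example,
not Okta's code): five-minute validity, five entries, then the code is
invalidated with a 429 while the account stays usable."""

import hmac
import secrets
import time

OTP_TTL_SECONDS = 5 * 60   # an OTP is valid for five minutes
MAX_ATTEMPTS = 5           # five entries, then the correct OTP is invalidated
OTP_DIGITS = 6             # assumption: the page doesn't state the code length


class PhoneOtpVerifier:
    """Tracks one outstanding OTP per phone number in memory (constructed model)."""

    def __init__(self, now=time.time):
        self._now = now            # injectable clock so expiry can be tested offline
        self._pending = {}         # phone -> {"code", "expires", "attempts"}
        self.system_log = []       # stands in for the System Log entries the page mentions

    def issue(self, phone: str) -> str:
        """Generate a fresh code and reset the attempt counter for this phone.

        The code is returned only so the caller can hand it to the telephony
        provider; a real service never returns it to the signing-in client."""
        code = f"{secrets.randbelow(10 ** OTP_DIGITS):0{OTP_DIGITS}d}"
        self._pending[phone] = {
            "code": code,
            "expires": self._now() + OTP_TTL_SECONDS,
            "attempts": 0,
        }
        return code

    def verify(self, phone: str, submitted: str) -> tuple[int, str]:
        """Return (http_status, reason) for one OTP entry."""
        entry = self._pending.get(phone)
        if entry is None:
            # Never issued, already consumed, or invalidated after too many attempts.
            return 401, "no_pending_otp"
        if self._now() > entry["expires"]:
            del self._pending[phone]
            return 401, "otp_expired"

        entry["attempts"] += 1
        # Constant-time comparison: the submitted value is attacker-controlled.
        if hmac.compare_digest(entry["code"].encode(), submitted.encode()):
            del self._pending[phone]   # single use: a verified code can't be replayed
            return 200, "verified"

        if entry["attempts"] >= MAX_ATTEMPTS:
            # The correct OTP is discarded too, so guessing can't continue against it.
            # The account itself is not locked; the user can call issue() right away.
            del self._pending[phone]
            self.system_log.append(f"otp.attempts_exceeded phone={phone}")
            return 429, "too_many_requests"
        return 401, "wrong_otp"


if __name__ == "__main__":
    v = PhoneOtpVerifier()
    phone = "+15550100"            # constructed sample number
    code = v.issue(phone)
    wrong = "000000" if code != "000000" else "000001"
    for _ in range(4):
        print(v.verify(phone, wrong))   # (401, 'wrong_otp') four times
    print(v.verify(phone, wrong))       # (429, 'too_many_requests')
    print(v.verify(phone, code))        # (401, 'no_pending_otp'): the correct code is dead
    code = v.issue(phone)               # a new OTP can be requested immediately
    print(v.verify(phone, code))        # (200, 'verified')
```

The attempt counter lives with the code, not with the account, which is why a failed run of guesses costs the attacker the current code but never locks the legitimate user out; the defence against a second round of guessing is that the new code is a fresh random value.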
End-user tasks
Give these instructions to your end users to help them configure their phone as a security method.
Set up a phone number during sign-in
- Go to your org's sign-in page and enter your username.
- On the Set up security methods page, click Set up for the phone option.
- Select SMS or Voice call.
- From the Country dropdown menu, select your phone number's country.
- Enter your phone number in the Phone number field. Don't include the country code, dashes, or the leading zero if your country's phone system uses it.
- If you selected SMS, you can only provide a mobile phone number.
- If you selected Voice call and your phone number includes an extension number, enter it in the Extension field.
- Click the Receive a code button.
- Enter the OTP that you received in the Enter Code field and click Verify.
After successful verification, complete any other prompts, and then you're signed in. The phone number appears in your End-User Dashboard under Security Methods.
Add a phone number through the Dashboard
- In the End-User Dashboard, open the dropdown menu under your name and click Settings.
- Go to Security Methods and click Set up another.
- If prompted, verify your identity.
- On the Set up security methods page, click Set up phone.
- Select SMS or Voice call.
- From the Country dropdown menu, select your phone number's country.
- Enter your phone number in the Phone number field. Don't include the country code, dashes, or the leading zero if your country's phone system uses it.
- If you selected SMS, you can only provide a mobile phone number.
- If you selected Voice call and your phone number includes an extension number, enter it in the Extension field.
- Click the Receive a code button.
- Enter the OTP that you received in the Enter Code field and click Verify. After successful verification, you're redirected to Settings and the phone number appears in Security Methods.
- Repeat these steps to add another phone number.
Sign in with SMS or voice call
- Go to your org's sign-in page and enter your username.
- On the Verification page, if the phone option isn't available, click Verify with something else.
- On the Security Methods page, select the Phone option.
- Click Receive a code via SMS or Receive a voice call instead.
- Enter the OTP that you received in the Enter Code field and click Verify.
After successful verification, complete any other prompts, and then you're signed in.