SMS Authentication (MFA)
The SMS Authentication factor allows users to authenticate themselves using a one-time passcode (OTP) that is delivered to their phone in an SMS message.
There are important considerations that you must be aware of when using telephony as part of your multifactor authentication strategy, including regulatory requirements, toll fraud, and others. See Telephony for more information.
There are also important technical considerations for sending SMS messages. See Configure and use telephony for more information.
You can also customize SMS message templates, view SMS events in the System Log and view SMS usage reports. See Configure and use telephony for more information.
Using phone OTP isn't a guaranteed way to verify a user's identity. See Potential risks of verifying identity through SMS and voice call.
Okta recommends that you require users to authenticate using a more robust authenticator. For example, an authenticator that not only verifies the user presence but is also device-bound, hardware-protected, or phishing-resistant. Such authenticators include authenticator apps, email magic links, or FIDO2 (WebAuthn). See MFA factor configuration.
Toll-free, premium, and invalid phone numbers can't be used for multifactor authentication. If you attempt to use a toll-free, premium, or unrecognized phone number format, the phone number is rejected as an invalid phone number.
Okta recommends that admins enable other factors in addition to the SMS Authentication factor. This gives users additional verification options. If an end user changed their phone number and didn't update it in Okta, voice calls and SMS messages are sent to the old number. Users need alternate verification methods to enable them to sign in to Okta so they can update their phone number.
Before you begin
- Connect to an external telephony service provider using either Okta Workflows or Okta API. For guidance about selecting a telephony service provider, see Choose telephony provider.
- Review Telephony documentation to understand regulatory requirements, toll fraud, and technical considerations.
Activate the SMS Authentication factor
-
In the Admin Console, go to .
- On the Factor Types tab, select SMS Authentication.
- Click Inactive and select Activate.
- Click the Factor Enrollment tab.
- Select a policy from the list and click Edit. Or, to create a factor enrollment policy, click Add Multifactor Policy, and follow the instructions in Configure an MFA enrollment policy.
- Select the dropdown list beside SMS Authentication and select an option:
- Optional - Users may select the SMS Authentication factor from the list and use it to authenticate.
- Required - Users must provide an OTP they receive in an SMS message when they authenticate.
- Disabled - Users aren't asked to authenticate with an OTP they receive in an SMS message.
- Click Update Policy.
End-user experience
When this factor is activated, users signing in to Okta for the first time see that extra verification is required.
Set up the SMS Authentication factor for the first time
- While signing in, the Sign-In Widget displays the Set up multifactor authentication page.
- Click Configure factor.
- Select the country that your phone number is from in the Country dropdown list.
- Type your phone number in the Phone number field. Don't include the country code, leave out any dashes, and leave out the leading zero if your country's phone system uses them.
- Click Send code. You receive a code in an SMS message.
- Type the code in the Enter Code field.
- Click Verify.
Sign in with the SMS Authentication factor
-
Go to your org's sign-on page. Provide your username and any other credentials requested by the Sign-In Widget, such as a password.
-
Click the down arrow and select SMS Authentication from the Select an authentication factor list.
-
Okta sends an SMS message, and the Sign-In Widget displays the Enter Code field. If you don't receive the code automatically, click Send Code.
-
Type the code provided in the SMS message in the Enter Code field.
-
Click Verify.
If you changed your phone number and haven't updated it in Okta yet, voice calls and SMS messages go to your old phone number and you can't complete verification. If this happens, click Sign in with something else on the Sign-In Widget, and verify with a different factor. Next, complete the Change the phone number for the SMS Authentication factor procedure, and replace your old phone number with your new one.
Change the phone number for the SMS Authentication factor
Users can change the phone number to which OTP codes are sent by removing the SMS Authentication factor and then setting it up again.
- In the Okta Dashboard, click your username in the upper-right corner.
- Select Settings.
- In the Extra Verification section, click Remove beside SMS Authentication, and click Yes to confirm.
- Click Set up beside SMS Authentication.
- Continue with the steps in Set up the SMS Authentication factor for the first time.