SMS authentication (MFA)

End users sign in to their org and authenticate by entering a security token that is sent to their mobile device. By design, the SMS factor requires that end users receive an SMS text message on their mobile devices. When an admin enables this factor, end users receive an SMS text message with an authentication code when they sign in to Okta, even if they have sent an SMS opt-out request on their device. If SMS messaging is a concern for your users, you can enable another factor of your choice as an alternative.

Note

The sender ID or phone number that appears on end users' devices may change from one sign-in to another. This allows Okta to maintain service reliability and delivery.

If your org uses a single phone number to authenticate multiple end users:

  • All users will enroll in this factor with the same phone number.
  • Due to a high level of user activity, the number may be blocked. If this occurs, contact Okta Support immediately to confirm that the number is trusted by your org.
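An admin can check for this shared-number condition before a number gets blocked. The following is an added example, not Okta code: it groups active SMS enrollments by normalized phone number and reports numbers enrolled by more than one user. The field names follow Okta factor objects (`factorType`, `status`, `profile.phoneNumber`); the per-user export layout, the function names and the sample data are assumptions.

```python
import re
from collections import defaultdict

# Constructed sample: per-user factor lists, as an admin might export them.
# Field names follow Okta factor objects; user IDs and numbers are made up.
SAMPLE_ENROLLMENTS = {
    "user-alice": [{"factorType": "sms", "status": "ACTIVE",
                    "profile": {"phoneNumber": "+1 (555) 010-0100"}}],
    "user-bob": [{"factorType": "sms", "status": "ACTIVE",
                  "profile": {"phoneNumber": "+15550100100"}},
                 {"factorType": "token:software:totp", "status": "ACTIVE",
                  "profile": {}}],
    "user-carol": [{"factorType": "sms", "status": "ACTIVE",
                    "profile": {"phoneNumber": "+15550100199"}}],
    "user-dave": [{"factorType": "sms", "status": "PENDING_ACTIVATION",
                   "profile": {"phoneNumber": "+1-555-010-0100"}}],
}


def normalize_number(raw):
    """Reduce a phone number to '+' plus digits so formatting variants match."""
    digits = re.sub(r"\D", "", raw or "")
    return "+" + digits if digits else None


def shared_sms_numbers(enrollments, threshold=2):
    """Return {number: sorted user IDs} for numbers used by >= threshold users."""
    users_by_number = defaultdict(set)
    for user_id, factors in enrollments.items():
        for factor in factors:
            # Count only completed (ACTIVE) SMS enrollments.
            if factor.get("factorType") != "sms" or factor.get("status") != "ACTIVE":
                continue
            number = normalize_number(factor.get("profile", {}).get("phoneNumber"))
            if number:
                users_by_number[number].add(user_id)
    return {n: sorted(u) for n, u in users_by_number.items() if len(u) >= threshold}


if __name__ == "__main__":
    for number, users in shared_sms_numbers(SAMPLE_ENROLLMENTS).items():
        print(f"{number} is enrolled by {len(users)} users: {', '.join(users)}")
```

Numbers reported here are the ones to confirm as trusted with Okta Support, or to replace with per-user numbers or another factor.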

Configure SMS authentication

The first time users sign in to their orgs after you configure this factor, they see the "Extra verification is required for your account" page and must perform the following steps:

  1. Click Setup next to Text Message Code.
  2. Enter the mobile phone number where you want your security tokens sent.
  3. Enter the security token that was sent to your phone.

To reset and configure settings for a phone or a new phone number, users can select the Account tab on their homepage and then click the Setup button in the Extra Verification section.

If the user already has a mobile telephone number verified in Okta, the following message appears.

Note

If a user deletes the SMS factor and then reconfigures it without specifying a phone number, the previously verified phone number is still used.