Voice Call Authentication (MFA)
The Voice Call Authentication factor allows users to authenticate themselves using a one-time passcode (OTP) that is delivered in a voice call to the user's phone. Users can provide a phone number for a landline or mobile phone. Extension numbers for landlines are also supported.
There are important considerations that you must be aware of when using telephony as part of your multifactor authentication strategy, including regulatory requirements, toll fraud, and others. See Telephony for more information.
You can also select languages for voice-based authentication. See Configure and use telephony for more information.
Using phone OTP isn't a guaranteed way to verify a user's identity. See Potential risks of verifying identity through SMS and voice call.
Okta recommends that you require users to authenticate using a more robust authenticator. For example, an authenticator that not only verifies the user presence but is also device-bound, hardware-protected, or phishing-resistant. Such authenticators include authenticator apps, email magic links, or FIDO2 (WebAuthn). See MFA factor configuration.
Toll-free, premium, and invalid phone numbers can't be used for multifactor authentication. If you attempt to use a toll-free, premium, or unrecognized phone number format, the phone number is rejected as an invalid phone number.
Okta recommends that admins enable other factors in addition to the Voice Call Authentication factor. This gives users additional verification options. If an end user changed their phone number and didn't update it in Okta, voice calls and SMS messages are sent to the old number. Users need alternate verification methods to enable them to sign in to Okta so they can update their phone number.
Before you begin
- Connect to an external telephony service provider using either Okta Workflows or Okta API. For guidance about selecting a telephony service provider, see Choose telephony provider.
- Review Telephony documentation to understand regulatory requirements, toll fraud, and technical considerations.
Activate the Voice Call Authentication factor
-
In the Admin Console, go to .
- On the Factor Types tab, select Voice Call Authentication.
- Click Inactive and select Activate.
- Click the Factor Enrollment tab.
- Select a policy from the list and click Edit. Or, to create a factor enrollment policy, click Add Multifactor Policy, and follow the instructions in Configure an MFA enrollment policy.
- Select the dropdown list beside Voice Call Authentication and select an option:
- Optional - Users may select the Voice Call Authentication factor from the list and use it to authenticate.
- Required - Users must provide an OTP they receive in a voice call when they authenticate.
- Disabled - Users aren't asked to authenticate with an OTP they receive in a voice call.
- Click Update Policy.
End-user experience
When this factor is activated, users signing in to Okta for the first time see that extra verification is required.
Set up the Voice Call Authentication factor for the first time
- While signing in, the Sign-In Widget displays the Set up multifactor authentication page.
- Click Configure factor.
- Select the country that your phone number is from in the Country dropdown list.
- Enter your phone number in the Phone number field. Don't include the country code, leave out any dashes, and leave out the leading zero if your country's phone system uses them.
- To receive voice calls at an extension, such as at an office, enter the extension number in the Extension field.
- Click Call. You receive a voice call and the code is provided in the spoken message. Click Redial if the voice call doesn't come automatically.
- Enter the code in the Enter Code field.
- Click Verify.
Sign in with the Voice Call Authentication factor
- Go to your org's sign-on page. Provide your username and any other credentials requested by the Sign-In Widget, such as a password.
- Click the down arrow and select Voice Call Authentication from the Select an authentication factor list.
- Okta calls the user, provides the OTP in a spoken message, and the Sign-In Widget displays the Enter Code field. If you don't receive the voice call automatically, click Redial.
- Enter the code provided in the voice call in the Enter Code field.
- Click Verify.
If you changed your phone number and haven't updated it in Okta yet, voice calls and SMS messages go to your old phone number and you can't complete verification. If this happens, click Sign in with something else on the Sign-In Widget, and verify with a different factor. Next, complete the Change the phone number for the Voice Call Authentication factor procedure, and replace your old phone number with your new one.
Change the phone number for the Voice Call Authentication factor
Users can change the phone number to which OTP codes are sent by removing the Voice Call Authentication factor and then setting it up again.
- In the Okta Dashboard, click your username in the upper-right corner.
- Select Settings.
- In the Extra Verification section, click Remove beside Voice Call Authentication, and click Yes to confirm.
- Click Set up beside Voice Call Authentication.
- Continue with the steps in Set up the Voice Call Authentication factor for the first time.