Configure the Phone authenticator

The Phone authenticator allows users to authenticate themselves using a one-time passcode (OTP) that is delivered to the their phone either as an SMS message or as a voice call. It also allows users to enroll their devices and initiate account recovery.

There are important considerations that you must take into account when using telephony as part of your multifactor authentication strategy, including regulatory requirements, toll fraud, and others. See Telephony for more information.

There are also important technical considerations for sending SMS messages. See Configure and use telephony for more information.

You can also customize SMS message templates, view SMS and voice call events in the System Log, view SMS usage reports, and select languages for voice-based authentication. See Configure and use telephony for more information.

Toll-free, premium, and invalid phone numbers cannot be used for multifactor authentication or device enrollment. If you attempt to use a toll-free, premium, or unrecognized phone number format, the phone number will be rejected as an invalid phone number.

Add Phone as an authenticator

  1. In the Admin Console, go to Security > Authenticators.
  2. On the Setup tab, click Add Authenticator.
  3. Click Add on the Phone tile.
  4. In the Verification options section, select the methods that users can verify with. Select Voice call,SMS, or both options.
  5. In the Used for section, select the actions you want to use the Phone authenticator for:
    • Authentication and recovery - allow users to use this authenticator to authenticate themselves and recover their account
    • Recovery - allow users to use this authenticator only for recovering their account. If you choose this option, Okta doesn't request authentication during the evaluation of your Global Session Policy.
  6. Click Add.

End-user experience

When this authenticator is configured, users signing in to Okta for the first time see that extra verification is required. When they select the Phone authenticator, they select a phone number from the list of security methods and then choose SMS or Voice call, depending on which options are available to them.

Set up the Phone authenticator for the first time

  1. While signing in, the Sign-In Widget displays the Set up security methods screen.

  2. Click Set up under the Phone option.

  3. Select SMS or Voice call. If you select SMS, you may only provide a mobile phone number.

  4. Select the country your phone number is from in the Country drop-down list.

  5. Type your phone number in the Phone number field. Do not include the country code, leave out any dashes, and leave out the leading zero if your country's phone system uses them.

  6. If you selected Voice call and your phone number includes an extension number, type it in the Extension field.

  7. Click Receive a code via SMS or Receive a code via voice call. You will receive a code either by SMS or voice call, depending on which option you selected.

  8. Type the code in the Enter Code field.

  9. Click Verify.

Sign in using the Phone authenticator

  1. Go to your org's sign-on page. Provide your username and any other credentials requested by the Sign-In Widget, such as a password.

  2. On the screen that lists the available security methods, click Select beside the Phone option.

  3. To receive a code in an SMS message, click Receive a code via SMS. To receive a code in a voice call, click Receive a voice call instead.

  4. Okta sends an SMS message, or calls the user's phone, and the Sign-In Widget displays the Enter Code field.

  5. Type the code provided in the SMS message or voice call in the Enter Code field.

  6. Click Verify.

Add additional phone numbers to the Phone authenticator

After signing in, users can add additional phone numbers to their profile:

  1. In the Okta Dashboard, click your username in the upper-right corner.

  2. Select My settings.

  3. In the Security Methods section, click Set up another beside Phone.

  4. Click Set up.

  5. Select SMS or Voice call. If you select SMS, you may only provide a mobile phone number

  6. Select the country your phone number is from in the Country drop-down list.

  7. Type your phone number in the Phone number field. Do not include the country code, leave out any dashes, and leave out the leading zero if your country's phone system uses them.

  8. If you selected Voice call and your phone number includes an extension number, type it in the Extension field.

  9. Click Receive a code via SMS or Receive a code via voice call. You will receive a code either by SMS or voice call, depending on which option you selected.

  10. Type the code in the Enter Code field.

  11. Click Verify.

On subsequent sign-on attempts, when the user chooses to use the Phone authenticator, they can select the phone number they want to use for that attempt.

Related topics

Configure the Email authenticator

Configure the Password authenticator

Configure a WebAuthn (FIDO2) authenticator

Configure the Security Question authenticator

Telephony

Configure and use telephony