Configure the Phone authenticator
The Phone authenticator allows users to authenticate themselves using a one-time passcode (OTP) that is delivered to their phone either as an SMS message or as a voice call. It also allows users to enroll their devices and initiate account recovery.
When using telephony as part of your multifactor authentication (MFA) strategy, you must consider the impact of regulatory requirements, toll fraud, and other factors. See Telephony for more information.
There are also important technical considerations for sending SMS messages. You can customize SMS message templates, view SMS and voice call events in the System Log, view SMS usage reports, and select languages for voice-based authentication. See Configure and use telephony for more information.
Toll-free, premium-rate, and unrecognized phone number formats are rejected as invalid and can't be used for multifactor authentication or device enrollment.
A one-time passcode sent by the Phone authenticator (by voice call or SMS) is valid for five minutes.
Okta recommends that admins enable other authenticators in addition to the Phone authenticator. This gives users additional verification options. For example, if a user changes their phone number and doesn't update it in Okta, voice calls and SMS messages are sent to the old number. Therefore, users need alternate verification methods to enable them to sign in to Okta so they can update their phone number.
Add Phone as an authenticator
- In the Admin Console, go to Security > Authenticators.
- On the Setup tab, click Add Authenticator.
- Click Add on the Phone tile.
- In the Verification options section, select the methods that users can verify with: Voice call, SMS, or both.
- In the Used for section, select the actions you want to use the Phone authenticator for:
- Authentication and recovery - allow users to use this authenticator to authenticate themselves and recover their account
- Recovery - allow users to use this authenticator only for recovering their account. If you choose this option, Okta doesn't request authentication during the evaluation of your Global Session Policy.
- Click Add.
End-user experience
When users sign in to Okta for the first time, they see that extra verification is required. When they select the Phone authenticator, they enter a phone number and then choose SMS or Voice call, depending on which options are available to them.
Set up the Phone authenticator for the first time
- While signing in, the Sign-In Widget displays the Set up security methods page.
- Click Set up under the Phone option.
- Select SMS or Voice call. If you select SMS, you may only provide a mobile phone number.
- Select your phone number's country from the Country dropdown.
- Type your phone number in the Phone number field. Don't include the country code or any dashes, and leave out the leading zero if your country's phone system uses one.
- If you selected Voice call and your phone number includes an extension number, type it in the Extension field.
- Click Receive a code via SMS or Receive a code via voice call, depending on which option you selected.
- Type the code in the Enter Code field.
- Click Verify.
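The number-entry rule in the steps above (country chosen separately; no country code, dashes or leading zero typed) and the rejection of toll-free, premium-rate and unrecognized numbers can be expressed as a small normaliser. The following is an added example written for this page, not Okta's validation code: the per-country table (two countries only), the toll-free and premium prefixes, and the SMS-requires-mobile check for UK numbers are assumptions made so that it runs offline.

```python
import re

# Constructed per-country rules for the example (assumption, not Okta's
# numbering data): E.164 country code, the trunk prefix the form tells users
# to omit, the shape of a valid national number, and the prefixes that mark
# toll-free, premium-rate and mobile ranges.
COUNTRIES = {
    "US": {
        "cc": "1", "trunk": "1",
        "national": re.compile(r"[2-9]\d{2}[2-9]\d{6}"),  # NANP: NXX-NXX-XXXX
        "toll_free": ("800", "833", "844", "855", "866", "877", "888"),
        "premium": ("900",),
        "mobile": None,  # a NANP number does not reveal mobile vs. landline by prefix
    },
    "GB": {
        "cc": "44", "trunk": "0",
        "national": re.compile(r"[1-9]\d{8,9}"),
        "toll_free": ("800", "808"),
        "premium": ("9",),
        "mobile": ("7",),
    },
}


class InvalidPhoneNumber(ValueError):
    """Raised for the formats the page says are rejected as invalid."""


def normalize(country: str, entered: str, method: str = "sms") -> str:
    """Turn the selected country plus the number typed into the form into an
    E.164 string, or raise InvalidPhoneNumber with the reason."""
    if method not in ("sms", "voice"):
        raise ValueError("method must be 'sms' or 'voice'")
    rule = COUNTRIES.get(country.upper())
    if rule is None:
        raise InvalidPhoneNumber(f"unsupported country {country!r}")

    # Tolerate the separators users are told to leave out.
    digits = re.sub(r"[\s\-().]", "", entered.strip())
    has_plus = digits.startswith("+")
    if has_plus:
        digits = digits[1:]
    if not digits.isdigit():
        raise InvalidPhoneNumber("number contains non-numeric characters")

    # A '+' means the user typed the country code anyway: it must match the
    # selected country, and is then dropped.
    if has_plus:
        if not digits.startswith(rule["cc"]):
            raise InvalidPhoneNumber("country code does not match the selected country")
        digits = digits[len(rule["cc"]):]

    # Drop the trunk prefix (0 in the UK, 1 in the US) only when what remains
    # is a complete national number; otherwise the leading digit is part of it.
    trunk = rule["trunk"]
    if digits.startswith(trunk) and rule["national"].fullmatch(digits[len(trunk):]):
        digits = digits[len(trunk):]

    if not rule["national"].fullmatch(digits):
        raise InvalidPhoneNumber("unrecognized phone number format")
    if digits.startswith(rule["toll_free"]):
        raise InvalidPhoneNumber("toll-free numbers can't be used")
    if digits.startswith(rule["premium"]):
        raise InvalidPhoneNumber("premium-rate numbers can't be used")
    if method == "sms" and rule["mobile"] and not digits.startswith(rule["mobile"]):
        raise InvalidPhoneNumber("SMS requires a mobile number")
    return f"+{rule['cc']}{digits}"


def validate(country: str, entered: str, method: str = "sms") -> tuple[bool, str]:
    """Convenience wrapper: (True, e164) on success, (False, reason) otherwise."""
    try:
        return True, normalize(country, entered, method)
    except InvalidPhoneNumber as exc:
        return False, str(exc)


if __name__ == "__main__":
    for country, number, method in [
        ("US", "212-555-0123", "sms"),
        ("US", "1 (800) 555-0100", "voice"),
        ("GB", "07700 900123", "sms"),
        ("GB", "020 7946 0958", "sms"),
        ("GB", "020 7946 0958", "voice"),
    ]:
        print(country, number, method, "->", validate(country, number, method))
```

Running it maps each input to its E.164 form or a rejection reason. The US entry carries no mobile prefixes because a NANP number doesn't reveal whether it's a mobile, so the SMS-only-to-mobile rule can't be enforced from the number alone there; a real deployment would use a maintained numbering-plan library rather than a hand-kept table like this one.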
Sign in using the Phone authenticator
- Go to your org's sign-on page. Provide your username and any other credentials requested by the Sign-In Widget, such as a password.
- On the screen that lists the available security methods, click Select beside the Phone option.
- To receive a code in an SMS message, click Receive a code via SMS. To receive a code in a voice call, click Receive a voice call instead.
- Okta sends the SMS message or places the voice call, and the Sign-In Widget displays the Enter Code field.
- Type the code from the SMS message or voice call in the Enter Code field.
- Click Verify.
Okta uses rate limiting to protect against brute-force attacks on SMS authenticators. If users see the message "Too many attempts. Try again later" after they've entered incorrect credentials, advise them to verify with a different authenticator to gain access to their account. Set up multiple authenticators for your users so that an alternative is available whenever any one authenticator can't be used.
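Two of the behaviours described on this page, the five-minute code lifetime and the "Too many attempts" lockout, are easier to reason about as a minimal server-side model. The following is an added example written for this page and is not Okta's implementation: the wrong-guess cap, the per-phone send cap (a guard against the toll fraud mentioned earlier), the code length and the window sizes are assumptions. The clock is injectable so that expiry can be exercised without waiting.

```python
import hmac
import secrets
import time
from dataclasses import dataclass

OTP_LIFETIME_SECONDS = 5 * 60  # from the page: a phone OTP is valid for five minutes
CODE_LENGTH = 6                # assumption
MAX_VERIFY_ATTEMPTS = 5        # assumption: wrong guesses allowed per issued code
MAX_SENDS_PER_WINDOW = 5       # assumption: codes per phone per window (toll-fraud guard)
SEND_WINDOW_SECONDS = 60 * 60  # assumption


@dataclass
class Challenge:
    method: str      # "sms" or "voice"
    code: str
    issued_at: float
    attempts: int = 0


class ManualClock:
    """Injectable clock: move .now forward to exercise expiry without sleeping."""
    def __init__(self, now: float) -> None:
        self.now = now

    def __call__(self) -> float:
        return self.now


class OtpService:
    def __init__(self, clock=time.time) -> None:
        self._clock = clock
        self._active: dict[tuple[str, str], Challenge] = {}  # (user, phone) -> outstanding code
        self._sends: dict[str, list[float]] = {}            # phone -> send timestamps
        self.outbox: list[tuple[str, str, str]] = []        # (method, phone, code); stands in for the gateway

    def send_code(self, user_id: str, phone_e164: str, method: str) -> str:
        now = self._clock()
        recent = [t for t in self._sends.get(phone_e164, []) if now - t < SEND_WINDOW_SECONDS]
        if len(recent) >= MAX_SENDS_PER_WINDOW:
            return "send_rate_limited"
        code = "".join(secrets.choice("0123456789") for _ in range(CODE_LENGTH))
        # A new code replaces any outstanding one, so a stale code cannot be used after a re-request.
        self._active[(user_id, phone_e164)] = Challenge(method, code, now)
        self._sends[phone_e164] = recent + [now]
        self.outbox.append((method, phone_e164, code))
        return "sent"

    def verify(self, user_id: str, phone_e164: str, submitted: str) -> str:
        key = (user_id, phone_e164)
        ch = self._active.get(key)
        if ch is None:
            return "no_active_code"
        if self._clock() - ch.issued_at > OTP_LIFETIME_SECONDS:
            del self._active[key]
            return "expired"
        if ch.attempts >= MAX_VERIFY_ATTEMPTS:
            return "too_many_attempts"  # the "Too many attempts. Try again later" case
        ch.attempts += 1
        # Constant-time compare; a length mismatch is simply a wrong code.
        if hmac.compare_digest(ch.code.encode(), submitted.strip().encode()):
            del self._active[key]       # success consumes the code, so it cannot be replayed
            return "ok"
        return "too_many_attempts" if ch.attempts >= MAX_VERIFY_ATTEMPTS else "wrong_code"


def last_code(svc: OtpService) -> str:
    """Stands in for the user reading the code off their phone."""
    return svc.outbox[-1][2]


def wrong_guess(code: str) -> str:
    return "000000" if code != "000000" else "111111"


def demo() -> dict:
    """Exercise each path a user can hit; returns the outcome per scenario."""
    clock = ManualClock(1_700_000_000.0)
    svc = OtpService(clock=clock)
    user, phone, other = "u-1234", "+12125550123", "+12125550199"
    out = {}
    svc.send_code(user, phone, "sms")
    out["wrong"] = svc.verify(user, phone, wrong_guess(last_code(svc)))
    out["right"] = svc.verify(user, phone, last_code(svc))
    out["replay"] = svc.verify(user, phone, last_code(svc))
    svc.send_code(user, phone, "voice")
    clock.now += OTP_LIFETIME_SECONDS + 1
    out["expired"] = svc.verify(user, phone, last_code(svc))
    svc.send_code(user, phone, "sms")
    for _ in range(MAX_VERIFY_ATTEMPTS):
        svc.verify(user, phone, wrong_guess(last_code(svc)))
    out["locked"] = svc.verify(user, phone, last_code(svc))  # correct code, but the cap is already hit
    for _ in range(MAX_SENDS_PER_WINDOW):
        svc.send_code(user, other, "sms")
    out["send_limited"] = svc.send_code(user, other, "sms")
    clock.now += SEND_WINDOW_SECONDS
    out["send_after_window"] = svc.send_code(user, other, "sms")
    return out
```

Calling demo() walks a user through a wrong guess, a correct code, a replay of the consumed code, an expired code, a lockout after too many wrong guesses, and a send cap on a second number. The two caps address different attackers: the verify cap stops someone guessing a six-digit code within its five-minute window, while the send cap stops someone driving SMS or voice traffic to a number they control, which is what makes telephony a toll-fraud target. A locked-out user in this model has to fall back to another authenticator, which is why the page advises enrolling more than one.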
If you change your phone number and don't update it in Okta, your voice calls and SMS messages go to your old phone number and you won't be able to complete verification. If this happens, click Sign in with something else on the Sign-In Widget, and verify with a different authenticator. Next, complete the Add additional phone numbers to the Phone authenticator procedure, and replace your old phone number with your new one.
Add additional phone numbers to the Phone authenticator
After signing in, users can add additional phone numbers to their profile.
- In the Okta Dashboard, click your username in the upper-right corner.
- Select My settings.
- In the Security Methods section, click Set up another beside Phone.
- Click Set up.
- Select SMS or Voice call. If you select SMS, you may only provide a mobile phone number.
- Select the country that your phone number is from in the Country dropdown list.
- Type your phone number in the Phone number field. Don't include the country code or any dashes, and leave out the leading zero if your country's phone system uses one.
- If you selected Voice call and your phone number includes an extension number, type it in the Extension field.
- Click Receive a code via SMS or Receive a code via voice call, depending on which option you selected.
- Type the code in the Enter Code field.
- Click Verify.
On subsequent sign-on attempts, when the user chooses to use the Phone authenticator, they can select the phone number they want to use for that attempt.
Related topics
Configure the Email authenticator
Configure the Password authenticator
Configure the FIDO2 (WebAuthn) authenticator