Configure the phone authenticator
The phone authenticator is a possession factor and verifies user presence. It includes both SMS messages and voice calls. Users authenticate with a one-time passcode (OTP) that's sent to their registered phone number as either a text message or through a voice call. The user's ability to access the phone verifies that the person making the sign-in attempt is the intended user.
Set up additional authenticators so that your users have an alternative when they can't use their phone, for example because they changed their phone number but didn't update it in Okta, or because they lost their phone. The phone authenticator is also temporarily disabled if the user exceeds the limit of unsuccessful sign-in attempts.
Using phone OTP isn't a guaranteed way to verify a user's identity. See Potential risks of verifying identity through SMS and voice call.
Okta recommends that you require users to authenticate with a more robust authenticator: one that verifies user presence and is also device-bound, hardware-protected, or phishing-resistant. Such authenticators include authenticator apps, email magic links, and FIDO2 (WebAuthn). See Multifactor authentication.
Before you begin
- Connect to an external telephony service provider using either Okta Workflows or the Okta API. For guidance about selecting a telephony service provider, see Choose telephony provider.
- Review Telephony documentation to understand regulatory requirements, toll fraud, and technical considerations.
Add the phone authenticator
- In the Admin Console, go to the Authenticators page.
- On the Setup tab, click Add Authenticator.
- Click Add on the Phone tile.
- Configure the following options:
  - User can verify with: Select Voice call, SMS, or both.
  - This authenticator can be used for:
    - Authentication and recovery: Users can authenticate and recover their accounts with this authenticator.
    - Recovery: Users can recover their account with this authenticator but they can't authenticate with it.
- Click Add. The authenticator appears in the list on the Setup tab.
Add phone to the authenticator enrollment policy
In Authenticators, go to the Enrollment tab to add the authenticator to a new or an existing authenticator enrollment policy. See Create an authenticator enrollment policy.
Edit or delete the phone authenticator
Before you edit or delete the authenticator, you may have to update existing policies that use this authenticator.
- In Authenticators, go to the Setup tab.
- Open the Actions dropdown menu beside the authenticator, and then select Edit or Delete.
End-user experience
When users sign in to Okta for the first time, they see that extra verification is required. They select the phone authenticator and enter a phone number. Then they choose SMS or Voice call, depending on the options you've made available to them. After the user verifies the phone number using the OTP, they can use it for authentication and recovery, or only for recovery, depending on your settings. An OTP is valid for five minutes.
If the user selects SMS, they can only provide a mobile phone number. For Voice call, the user can provide a mobile phone number or a phone number with an extension. Users can't use toll-free, premium, or invalid phone numbers. To customize the SMS message sent to the users, see Customize an SMS message.
Okta enforces a rate limit to protect the phone authenticator against brute-force attacks. If a user enters an incorrect OTP multiple times, they temporarily can't use the phone authenticator. They can use the Verify with something else option to sign in with a different authenticator.
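The OTP lifecycle the two paragraphs above describe (a code that expires after five minutes, a temporary lockout after repeated wrong codes, and a factor that is either authentication-and-recovery or recovery-only), as an added Python sketch; this is not Okta's code, and the attempt limit and lockout length are assumptions because the page doesn't state Okta's exact values.

```python
import hmac
import secrets
from dataclasses import dataclass
from typing import Optional

OTP_TTL_SECONDS = 5 * 60        # from the page: an OTP is valid for five minutes
MAX_FAILED_ATTEMPTS = 5         # assumption: the page doesn't give Okta's limit
LOCKOUT_SECONDS = 10 * 60       # assumption: duration of the temporary lockout


@dataclass
class PhoneFactor:
    phone_number: str
    usage: str = "authentication_and_recovery"   # or "recovery" (recovery-only)
    _code: Optional[str] = None
    _issued_at: float = 0.0
    _failed: int = 0
    _locked_until: float = 0.0

    def issue(self, now: float) -> str:
        """Generate a fresh 6-digit OTP and record when it was sent.
        A real service delivers it by SMS or voice call; it is returned here
        only so the caller in this sketch can simulate the user's input."""
        self._code = f"{secrets.randbelow(10 ** 6):06d}"
        self._issued_at = now
        return self._code

    def verify(self, submitted: str, purpose: str, now: float) -> str:
        """purpose is 'authentication' or 'recovery'.
        Returns 'ok', 'not_allowed', 'locked', 'expired' or 'invalid'."""
        if purpose == "authentication" and self.usage == "recovery":
            return "not_allowed"          # recovery-only factors can't authenticate
        if now < self._locked_until:
            return "locked"               # still inside the temporary lockout
        if self._code is None or now - self._issued_at > OTP_TTL_SECONDS:
            return "expired"              # five-minute validity window has passed
        if hmac.compare_digest(submitted, self._code):
            self._code = None             # one-time: a code is never accepted twice
            self._failed = 0
            return "ok"
        self._failed += 1
        if self._failed >= MAX_FAILED_ATTEMPTS:
            self._locked_until = now + LOCKOUT_SECONDS
            self._failed = 0
            return "locked"               # user must verify with something else
        return "invalid"
```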
End-user tasks
Give these instructions to your end users to help them configure their phone as a security method.
Set up a phone number during sign-in
- Go to your org's sign-in page and enter your username.
- On the Set up security methods page, click Set up for the phone option.
- Select SMS or Voice call.
- From the Country dropdown menu, select your phone number's country.
- Enter your phone number in the Phone number field. Don't include the country code, dashes, or the leading zero if your country's phone system uses it.
- If you selected SMS, you can only provide a mobile phone number.
- If you selected Voice call and your phone number includes an extension number, enter it in the Extension field.
- Click the Receive a code button.
- Enter the OTP that you received in the Enter Code field and click Verify.
After successful verification, complete any other prompts, and then you're signed in. The phone number appears in your End-User Dashboard under Security Methods.
Add a phone number through the Dashboard
- In the End-User Dashboard, open the dropdown menu under your name and click Settings.
- Go to Security Methods and click Set up another.
- If prompted, verify your identity.
- On the Set up security methods page, click Set up phone.
- Select SMS or Voice call.
- From the Country dropdown menu, select your phone number's country.
- Enter your phone number in the Phone number field. Don't include the country code, dashes, or the leading zero if your country's phone system uses it.
- If you selected SMS, you can only provide a mobile phone number.
- If you selected Voice call and your phone number includes an extension number, enter it in the Extension field.
- Click the Receive a code button.
- Enter the OTP that you received in the Enter Code field and click Verify. After the successful verification, you're redirected to Settings and the phone number appears in Security Methods.
- Repeat these steps to add another phone number.
Sign in with SMS or voice call
- Go to your org's sign-in page and enter your username.
- On the Verification page, if the phone option isn't available, click Verify with something else.
- On the Security Methods page, select the Phone option.
- Click Receive a code via SMS or Receive a voice call instead.
- Enter the OTP that you received in the Enter Code field and click Verify.
After successful verification, complete any other prompts, and then you're signed in.