Telephony

You can connect an external telephony service provider with Okta to verify a user's identity or allow them to authenticate using their phone. The telephony provider sends a one-time passcode (OTP) to the user's phone through an SMS message or voice call. The user uses this OTP to verify their identity before accessing their account or apps.

You can use the Phone OTP for the following common use cases:

• Issue a challenge that requires a response from the user to verify an authenticating factor.
• Enroll a device for multifactor authentication (MFA) by verifying that the authenticating user has the phone with them.
• Authorize a password reset.
• Authorize an account unlock.

For orgs that use Workforce Identity Cloud to manage employee profiles, app access, and provisioning, telephony can provide the foundation for using SMS messages or voice calls for MFA or account recovery.

For orgs that use Customer Identity Cloud, telephony enables partners, resellers, suppliers, distributors, and consumers to authenticate using SMS messages or voice calls. Telephony also supports users who are most likely to interact with the org using a smartphone or telephone service.

Potential risks of identity verification with SMS and voice call

While easy to use, a phone OTP isn't a guaranteed way to verify a user's identity.

SIM swapping or hijacking

An OTP sent through an SMS message or voice call may not go to the intended phone device. An undesired entity can swap or steal the user's SIM card to access the OTP.

Uncertainty of the device possession

Some users sync their SMS messages across multiple devices, such as their tablet or laptop. They may also access the messages online. In these cases, the user can still access the OTP even when they don't have their phone with them or if their phone is lost. Similarly, anyone who has access to these other devices and web browsers can gain access to the OTP.

Lack of phishing resistance

An undesired entity can convince the user to share the OTP sent to the user's phone. See Phishing Resistance and Why it Matters.

Also see Okta solutions for phishing resistance.

Use a robust authenticator

Given the risks of using the phone authenticator, Okta recommends that you use a more robust authenticator. This authenticator verifies the user presence. Also, it's device-bound, hardware-protected, and phishing-resistant. Such authenticators include authenticator apps, email magic links, or FIDO2 (WebAuthn). See Multifactor authentication.

Choose the right telephony provider

Before you configure telephony for your org, choose an external telephony service provider. Ensure that it meets your business needs and regulatory requirements for the regions where you're sending OTPs.

• Choose telephony provider
• Regulatory compliance
• Prevent or mitigate telephony-based fraud

If you're migrating from Okta telephony to an external telephony provider, see Migrate from Okta telephony.

Set up an external telephony provider

Configure your telephony service provider and connect it with Okta to send OTPs.

1. Set up an external web service. This service then calls your telephony provider. Alternatively, configure Okta Workflows to call your telephony provider.

   You may skip this step if your telephony provider offers an API integration with Okta, for example, Telesign. Check your telephony provider's documentation for details.

2. Configure a telephony inline hook.
3. Connect to an external telephony service provider
4. Configure the phone authenticator
5. Customize your telephony service.