Issue with SMS Factor Status on Re-enrollment

Hi Okta Community,

I’ve encountered an issue with SMS factor re-enrollment behavior in Okta and would like to know if anyone has experienced the same or has a solution/workaround.

Here’s the scenario:

  1. When an SMS factor is initially enrolled, its status is correctly set to PENDING_ACTIVATION until activated.
  2. Once activated, the status changes to ACTIVE.
  3. If the SMS factor is deactivated and the same phone number is re-enrolled, the status is immediately set to ACTIVE without requiring re-verification, contrary to expectations.

This behavior differs from TOTP factors, which revert to PENDING_ACTIVATION upon re-enrollment until they are re-activated.

Concern:

The immediate activation of SMS factors during re-enrollment poses a potential security risk, as it bypasses the verification process. This could be problematic if the phone number is no longer under the user’s control.

Questions:

  • Is this the intended behavior for SMS factors?
  • If not, is there a configuration or workaround to enforce PENDING_ACTIVATION status for SMS factors upon re-enrollment?

I’ve also raised this issue with Okta Support but wanted to see if the community has encountered this or has any suggestions.

Looking forward to your insights.

Best regards,
Akhilesh
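One way to catch the gap described in this post from the defender's side is to replay factor lifecycle events against the policy the post expects (every enrollment, first or repeat, lands in PENDING_ACTIVATION, and only an explicit activation moves it to ACTIVE) and flag any enrollment that reports ACTIVE directly. The script below is an added example, not Okta's code or the poster's. The event records are constructed to mimic the fields of Okta factor objects (factorType, status, profile.phoneNumber); PENDING_ACTIVATION and ACTIVE are the status values quoted in the post, INACTIVE is an assumed status for a deactivated factor, and the `followup_request` helper assumes the Factors API verify endpoint path, which should be confirmed against current Okta documentation.

```python
"""Audit factor lifecycle transitions against the expected enrollment policy.

Added example: the events are constructed, not captured from a real tenant.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple

PENDING = "PENDING_ACTIVATION"   # status quoted in the post
ACTIVE = "ACTIVE"                # status quoted in the post
INACTIVE = "INACTIVE"            # assumed status for a deactivated factor

# (action, status before the action) -> statuses the policy allows afterwards.
# Re-enrollment after deactivation must go back through PENDING_ACTIVATION.
ALLOWED: Dict[Tuple[str, Optional[str]], Set[str]] = {
    ("enroll", None): {PENDING},
    ("enroll", INACTIVE): {PENDING},
    ("activate", PENDING): {ACTIVE},
    ("deactivate", ACTIVE): {INACTIVE},
}


@dataclass(frozen=True)
class FactorEvent:
    user_id: str
    factor_type: str               # e.g. "sms" or "token:software:totp"
    action: str                    # "enroll", "activate" or "deactivate"
    status_after: str              # status the API reported once the action completed
    phone: Optional[str] = None    # profile.phoneNumber for SMS factors


def audit(events: List[FactorEvent]) -> List[dict]:
    """Replay events per (user, factor type, phone) and report policy violations."""
    state: Dict[Tuple[str, str, Optional[str]], Optional[str]] = {}
    findings: List[dict] = []
    for ev in events:
        key = (ev.user_id, ev.factor_type, ev.phone)
        before = state.get(key)
        allowed = ALLOWED.get((ev.action, before), set())
        if ev.status_after not in allowed:
            skipped = ev.action == "enroll" and ev.status_after == ACTIVE
            findings.append({
                "user_id": ev.user_id,
                "factor_type": ev.factor_type,
                "phone": ev.phone,
                "action": ev.action,
                "status_before": before,
                "status_after": ev.status_after,
                "reason": ("verification skipped: enrollment landed in ACTIVE"
                           if skipped else "unexpected transition"),
            })
        state[key] = ev.status_after
    return findings


def followup_request(user_id: str, factor_id: str) -> dict:
    """Compensating control for a finding: force an OTP challenge on the factor.

    Assumed to target Okta's Factors API verify endpoint; confirm the path
    against current documentation before wiring this to a real HTTP client.
    """
    return {"method": "POST",
            "path": f"/api/v1/users/{user_id}/factors/{factor_id}/verify"}


# Constructed event stream mirroring the post: TOTP behaves as expected, while
# the SMS re-enrollment of the same phone number jumps straight to ACTIVE.
SAMPLE_EVENTS = [
    FactorEvent("00u1", "token:software:totp", "enroll", PENDING),
    FactorEvent("00u1", "token:software:totp", "activate", ACTIVE),
    FactorEvent("00u1", "token:software:totp", "deactivate", INACTIVE),
    FactorEvent("00u1", "token:software:totp", "enroll", PENDING),
    FactorEvent("00u1", "sms", "enroll", PENDING, phone="+15555550100"),
    FactorEvent("00u1", "sms", "activate", ACTIVE, phone="+15555550100"),
    FactorEvent("00u1", "sms", "deactivate", INACTIVE, phone="+15555550100"),
    FactorEvent("00u1", "sms", "enroll", ACTIVE, phone="+15555550100"),
]

if __name__ == "__main__":
    for finding in audit(SAMPLE_EVENTS):
        print(finding)
        print(followup_request(finding["user_id"], "<factor-id>"))
```

Run against the sample stream, the audit reports exactly one finding, the SMS re-enrollment that skipped PENDING_ACTIVATION; the TOTP sequence passes. Each finding is the trigger for re-verifying the factor before it is trusted, which is the control the post says is missing.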

Hello @akhileshihare24! Thank you for reaching out on the Okta Developer Forum.

Are you using any Okta SDKs to achieve this? If so, which version?
