Hi Okta Community,
I’ve encountered an issue with SMS factor re-enrollment behavior in Okta and would like to know if anyone has experienced the same or has a solution/workaround.
Here’s the scenario:
- When an SMS factor is initially enrolled, its status is correctly set to PENDING_ACTIVATION until activated.
- Once activated, the status changes to ACTIVE.
- If the SMS factor is deactivated and the same phone number is re-enrolled, the status is immediately set to ACTIVE without requiring re-verification, contrary to expectations.
This behavior differs from TOTP factors, which revert to PENDING_ACTIVATION upon re-enrollment until they are re-activated.
Concern:
The immediate activation of SMS factors during re-enrollment poses a potential security risk, as it bypasses the verification process. This could be problematic if the phone number is no longer under the user’s control.
Questions:
- Is this the intended behavior for SMS factors?
- If not, is there a configuration or workaround to enforce PENDING_ACTIVATION status for SMS factors upon re-enrollment?
I’ve also raised this issue with Okta Support but wanted to see if the community has encountered this or has any suggestions.
Looking forward to your insights.
Best regards,
Akhilesh
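An added example, not part of Akhilesh's post and not Okta's own code: a Python probe that walks the enrollment lifecycle described above against the Okta Factors API (enroll, activate, reset, re-enroll the same number) and reports whether the re-enrolled SMS factor came back ACTIVE without a second activation. The `okta_transport` function, the `FakeOktaTenant` stand-in that lets the probe run offline, and the user ID, phone number and pass code are all assumptions constructed for this example; the fake's `remember_verified=True` mode reproduces the behaviour the post reports and is not itself evidence of what a real tenant does.

```python
import json
import urllib.request
from typing import Callable, Dict, Optional, Set, Tuple

# Assumed transport signature for this example:
# (method, path, json_body_or_None) -> (http_status, parsed_json_or_None)
Transport = Callable[[str, str, Optional[dict]], Tuple[int, Optional[dict]]]


def okta_transport(org_url: str, api_token: str) -> Transport:
    """Real transport for the Okta Factors API using an SSWS API token (not exercised offline)."""
    def send(method: str, path: str, body: Optional[dict]) -> Tuple[int, Optional[dict]]:
        data = json.dumps(body).encode() if body is not None else None
        req = urllib.request.Request(
            org_url.rstrip("/") + path, data=data, method=method,
            headers={"Authorization": f"SSWS {api_token}",
                     "Accept": "application/json", "Content-Type": "application/json"})
        with urllib.request.urlopen(req) as resp:
            raw = resp.read()
            return resp.status, (json.loads(raw) if raw else None)
    return send


def enroll_sms(send: Transport, user_id: str, phone: str) -> dict:
    # POST /api/v1/users/{userId}/factors returns the new factor object, including "status".
    code, factor = send("POST", f"/api/v1/users/{user_id}/factors",
                        {"factorType": "sms", "provider": "OKTA", "profile": {"phoneNumber": phone}})
    if code != 200 or not factor:
        raise RuntimeError(f"enroll failed: HTTP {code}")
    return factor


def activate_factor(send: Transport, user_id: str, factor_id: str, pass_code: str) -> dict:
    # POST .../factors/{factorId}/lifecycle/activate submits the OTP delivered by SMS.
    code, factor = send("POST", f"/api/v1/users/{user_id}/factors/{factor_id}/lifecycle/activate",
                        {"passCode": pass_code})
    if code != 200 or not factor:
        raise RuntimeError(f"activate failed: HTTP {code}")
    return factor


def reset_factor(send: Transport, user_id: str, factor_id: str) -> None:
    # DELETE .../factors/{factorId} un-enrolls (resets) the factor; this is the "deactivate" step.
    code, _ = send("DELETE", f"/api/v1/users/{user_id}/factors/{factor_id}", None)
    if code != 204:
        raise RuntimeError(f"reset failed: HTTP {code}")


def probe_sms_reenrollment(send: Transport, user_id: str, phone: str, pass_code: str) -> Dict[str, object]:
    """Enroll, activate, reset, re-enroll the same number; flag ACTIVE-without-activation."""
    first = enroll_sms(send, user_id, phone)
    activated = activate_factor(send, user_id, first["id"], pass_code)
    reset_factor(send, user_id, first["id"])
    second = enroll_sms(send, user_id, phone)
    reset_factor(send, user_id, second["id"])  # leave the test user as we found it
    return {
        "first_status": first["status"],            # expected PENDING_ACTIVATION
        "activated_status": activated["status"],    # expected ACTIVE
        "reenroll_status": second["status"],        # PENDING_ACTIVATION unless verification is skipped
        "verification_bypassed": second["status"] == "ACTIVE",
    }


class FakeOktaTenant:
    """Constructed in-memory stand-in for the three endpoints above, so the probe runs offline.
    remember_verified=True reproduces the behaviour reported in the post (a previously verified
    number re-enrolls straight to ACTIVE); False always requires activation, like TOTP."""
    def __init__(self, remember_verified: bool, pass_code: str = "123456"):
        self.remember_verified, self.pass_code = remember_verified, pass_code
        self.factors: Dict[str, dict] = {}
        self.verified_phones: Set[str] = set()
        self._seq = 0

    def __call__(self, method: str, path: str, body: Optional[dict]) -> Tuple[int, Optional[dict]]:
        parts = path.strip("/").split("/")  # api, v1, users, {uid}, factors[, {fid}, lifecycle, activate]
        if method == "POST" and len(parts) == 5:
            self._seq += 1
            phone = body["profile"]["phoneNumber"]
            status = "ACTIVE" if self.remember_verified and phone in self.verified_phones else "PENDING_ACTIVATION"
            factor = {"id": f"sms{self._seq:06d}", "factorType": "sms", "provider": "OKTA",
                      "status": status, "profile": {"phoneNumber": phone}}
            self.factors[factor["id"]] = factor
            return 200, dict(factor)
        if method == "POST" and len(parts) == 8 and parts[-1] == "activate":
            factor = self.factors.get(parts[5])
            if factor is None or (body or {}).get("passCode") != self.pass_code:
                return 403, {"errorCode": "invalid_passcode"}  # illustrative error body
            factor["status"] = "ACTIVE"
            self.verified_phones.add(factor["profile"]["phoneNumber"])
            return 200, dict(factor)
        if method == "DELETE" and len(parts) == 6:
            return (204, None) if self.factors.pop(parts[5], None) else (404, None)
        return 404, None


if __name__ == "__main__":
    # Constructed inputs: a hypothetical user ID, a reserved test number and the fake's pass code.
    print(probe_sms_reenrollment(FakeOktaTenant(remember_verified=True), "00u_example", "+15555550100", "123456"))
```

To run this against a real tenant, swap the fake for `okta_transport("https://your-org.okta.com", token)` and point it at a dedicated test user: the probe consumes a real SMS OTP at the activate step, and it resets every factor it creates. A `verification_bypassed` of True is the condition the post describes.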