Issue with SMS Factor Status on Re-enrollment

Hi Okta Community,

I’ve encountered an issue with SMS factor re-enrollment behavior in Okta and would like to know if anyone has experienced the same or has a solution/workaround.

Here’s the scenario:

  1. When an SMS factor is initially enrolled, its status is correctly set to PENDING_ACTIVATION until activated.
  2. Once activated, the status changes to ACTIVE.
  3. If the SMS factor is deactivated and the same phone number is re-enrolled, the status is immediately set to ACTIVE without requiring re-verification, contrary to expectations.

This behavior differs from TOTP factors, which revert to PENDING_ACTIVATION upon re-enrollment until they are re-activated.

Concern:

The immediate activation of SMS factors during re-enrollment poses a potential security risk, as it bypasses the verification process. This could be problematic if the phone number is no longer under the user’s control.

Questions:

  • Is this the intended behavior for SMS factors?
  • If not, is there a configuration or workaround to enforce PENDING_ACTIVATION status for SMS factors upon re-enrollment?

I’ve also raised this issue with Okta Support but wanted to see if the community has encountered this or has any suggestions.

Looking forward to your insights.

Best regards,
Akhilesh
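
The lifecycle described in this post can be checked mechanically. The sketch below is an added example, not part of the original post and not Okta code: it scans a history of factor calls and flags any enrollment that came back ACTIVE without an activation step. The `FactorEvent` record shape, the action names and the sample data are assumptions constructed for illustration.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class FactorEvent:
    # Constructed record shape for this example, not an Okta log schema.
    user: str
    factor_type: str   # "sms" or "totp"
    identifier: str    # phone number for SMS, device label for TOTP
    action: str        # "enroll", "activate" or "deactivate"
    status: str        # factor status reported after the call


def unverified_activations(events):
    """Return enrollments that came back ACTIVE with no activation step."""
    deactivated = set()   # factors that were enrolled earlier and then removed
    findings = []
    for ev in events:
        key = (ev.user, ev.factor_type, ev.identifier)
        if ev.action == "deactivate":
            deactivated.add(key)
        elif ev.action == "enroll" and ev.status == "ACTIVE":
            # Enrollment is expected to yield PENDING_ACTIVATION; ACTIVE here
            # means possession of the phone number was not re-proven.
            kind = "re-enrollment" if key in deactivated else "first enrollment"
            findings.append((ev.user, ev.factor_type, ev.identifier, kind))
    return findings


# Constructed sample: the three steps from the post, plus a TOTP control case.
SAMPLE = [
    FactorEvent("alice", "sms", "+15550100", "enroll", "PENDING_ACTIVATION"),
    FactorEvent("alice", "sms", "+15550100", "activate", "ACTIVE"),
    FactorEvent("alice", "sms", "+15550100", "deactivate", ""),
    FactorEvent("alice", "sms", "+15550100", "enroll", "ACTIVE"),
    FactorEvent("alice", "totp", "laptop", "enroll", "PENDING_ACTIVATION"),
    FactorEvent("alice", "totp", "laptop", "activate", "ACTIVE"),
    FactorEvent("alice", "totp", "laptop", "deactivate", ""),
    FactorEvent("alice", "totp", "laptop", "enroll", "PENDING_ACTIVATION"),
]

if __name__ == "__main__":
    for finding in unverified_activations(SAMPLE):
        print(finding)
```
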

Hello @akhileshihare24! Thank you for reaching out on the Okta Developer Forum.

Are you using any Okta SDKs to achieve this? If so, which version?