MFA : Sending SMS While Authentication

Hi,

I have integrated Okta with .net Web Api. When the user provides username and password, I am calling Okta domain API for Authentication. Authentication is being successful, however, the Authentication Status is ‘MFA_REQUIRED’.

I have a user who registered for MFA with SMS Authentication. In the API call I am getting “factor” array with factor type as ‘sms’.
When authentication API is called from my application,

  1. Does okta sends SMS to the user’s mobile phone ?. OR
  2. Should I call one more Okta API to send the SMS ?

If we go by #1, then the user is not receiving any SMS. Please suggest how should I move forward with MFA verification.

P.S, During the authentication API call, in the response, factors array has phone number as “phoneNumber”: “+91 XXXXX X1234”. Is this the expected format from the response ?.

it’s option #2 - you need to call Factor API, which makes Okta to send SMS to your user. The phone number itself won’t be published, but you don’t need it (it’s only to present to user, so that he knows, which number to expect SMS to).

As an alternative option, you can user Okta Sign-In widget which takes all of that from your shoulders and much more (it takes care of user status and also self-service functionality)

You will need to call this API to challenge MFA : https://developer.okta.com/docs/reference/api/authn/#verify-factor

I would recommend checking the transaction states here: https://developer.okta.com/docs/reference/api/authn/#verify-factor because authentication is multi-step process.

Thanks.