Mobile number validation and uniqueness

I am playing with a dev Okta account, trying to understand how Okta handles mobile numbers.

  1. For 2 users, I entered the same mobile number in the user profile attributes page and saved it. While saving the second user, I expected Okta to throw an error like “a user already exists with this mobile number”, but it doesn’t.

  2. When I entered the mobile number, it doesn’t show any steps for mobile number verification, like sending the OTP and asking the user to enter the OTP to ensure the mobile number is valid and the user owns the number.

Is this experience expected? Any reasons behind this behaviour?
Is it happening because of the dev account?

This is expected. Mobile number is just an attribute like any other (except login), so it only has to comply with predetermined constraints on length. I may disappoint you even further, when I say that email is not unique either.

2 Likes

Yep, as @phi1ipp said, that attribute isn’t used by Okta for OTP - it’s informational, so there’s no experience to verify the user possesses that phone (unlike when they’re signing up for SMS OTP).

1 Like

When we want to enable MFA using SMS OTP, can we enable the SMS OTP verification flow in Okta?

Yes, typically the user sets the phone number they want to receive the OTP at. See:

https://help.okta.com/en/prod/Content/Topics/Security/mfa/sms.htm

2 Likes