I’m using the Okta API in a web application to allow users to activate/deactivate an SMS MFA factor on their accounts.
I’m running into an issue as detailed below, on a newly created account:
- An SMS factor is enrolled via the Enroll Okta SMS Factor API method.
- This factor is subsequently activated via the Activate SMS Factor API method.
- Then we deactivate the factor using the Reset Factor API method.
All of this works fine and without errors; however, now when trying to enroll an SMS factor again:
If using the same phone number: No security code will be sent and SMS two-factor auth will be enabled without requiring verification (status=ACTIVE).
Why is the status ACTIVE instead of PENDING_ACTIVATION?
Is there a way to force the sending of the SMS in this scenario?
- This does not happen with the Voice Call method (in that case the status is PENDING_ACTIVATION).
- Adding a “Sign On” rule with “Prompt for Factor” checked doesn’t make any difference.