Okta API: SMS Multi-factor Issue


#1

I’m using the Okta API in a web application to allow users to activate/deactivate an SMS MFA factor on their accounts.

I’m running into an issue as detailed below, on a newly created account:

  1. An SMS factor is enrolled via the Enroll Okta SMS Factor API method.
  2. This factor is subsequently activated via the Activate SMS Factor API method.
  3. Then we deactivate the factor using the Reset Factor API method.

All of this works fine and without errors; however, when trying to enroll an SMS factor again:

If using the same phone number: No security code will be sent and SMS two-factor auth will be enabled without requiring verification (status=ACTIVE).

Why is the status ACTIVE instead of PENDING_ACTIVATION?
Is there a way to force the sending of the SMS in this scenario?

  • This does not happen with the Voice Call method (in that case the status is PENDING_ACTIVATION).
  • Adding a “Sign On” rule with “Prompt for Factor” checked doesn’t make any difference.
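
As an added example (not code from the thread or from Okta’s SDKs), a Python sketch of the defensive check an application can wrap around the flow above: the SMS factor counts as verified only when enrollment returns PENDING_ACTIVATION and the user’s passcode drives the activation, and an enrollment that comes back ACTIVE straight away is reset and flagged instead of being trusted. The endpoint paths are those of the Okta Factors API; the `send` transport and the `FakeOkta` responder are constructed stand-ins that reproduce the behaviour reported here so the code runs offline.

```python
# Okta Factors API calls used below: enroll (POST .../factors), activate (POST
# .../lifecycle/activate), reset (DELETE .../factors/{id}). `send` is an injected
# callable (method, path, body) -> (http_status, json) so this runs offline.

def enroll_sms(send, user_id, phone):
    """Enroll Okta SMS Factor; a fresh enrollment should return PENDING_ACTIVATION."""
    body = {"factorType": "sms", "provider": "OKTA", "profile": {"phoneNumber": phone}}
    return send("POST", f"/api/v1/users/{user_id}/factors", body)[1]

def activate_sms(send, user_id, factor_id, pass_code):
    """Activate SMS Factor with the code the user received."""
    path = f"/api/v1/users/{user_id}/factors/{factor_id}/lifecycle/activate"
    return send("POST", path, {"passCode": pass_code})[1]

def reset_factor(send, user_id, factor_id):
    """Reset Factor (unenroll); returns the HTTP status."""
    return send("DELETE", f"/api/v1/users/{user_id}/factors/{factor_id}", None)[0]

def enroll_sms_checked(send, user_id, phone):
    """Enroll, but refuse a factor Okta marks ACTIVE before any passcode was entered:
    possession of the phone is only proven once the app itself drives the
    PENDING_ACTIVATION -> ACTIVE transition, so an instantly ACTIVE factor is reset."""
    factor = enroll_sms(send, user_id, phone)
    if factor["status"] == "PENDING_ACTIVATION":
        return {"ok": True, "factor": factor}
    reset_factor(send, user_id, factor["id"])
    return {"ok": False, "reason": f"enroll returned {factor['status']} without verification"}

class FakeOkta:
    """Constructed stand-in reproducing the reported behaviour: re-enrolling a
    phone number that was activated earlier comes back ACTIVE straight away."""
    def __init__(self):
        self.activated_phones, self.factors, self.n = set(), {}, 0
    def __call__(self, method, path, body):
        parts = path.split("/")
        if method == "POST" and parts[-1] == "factors":
            self.n += 1
            phone = body["profile"]["phoneNumber"]
            status = "ACTIVE" if phone in self.activated_phones else "PENDING_ACTIVATION"
            f = {"id": f"smsf{self.n}", "status": status, "profile": {"phoneNumber": phone}}
            self.factors[f["id"]] = f
            return 200, f
        if method == "POST" and parts[-1] == "activate":
            f = self.factors[parts[-3]]
            f["status"] = "ACTIVE"
            self.activated_phones.add(f["profile"]["phoneNumber"])
            return 200, f
        if method == "DELETE":
            self.factors.pop(parts[-1], None)
            return 204, {}
        return 404, {}
```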

#2

I can confirm this bug exists for SMS factors and not for TOTP factors.

The first time a phone number is enrolled as an SMS factor, Okta reports its status: ‘PENDING_ACTIVATION’. Once that SMS factor is activated, Okta reports its status: ‘ACTIVE’. If that SMS factor is deactivated and the same phone number is re-enrolled, Okta incorrectly reports the SMS factor status: ‘ACTIVE’ when it should be ‘PENDING_ACTIVATION’.

When re-enrolled, a TOTP factor will correctly report its status: ‘PENDING_ACTIVATION’ until the factor is re-activated. Is there some reason why the SMS factor behavior is different?


#3

Hey, any update on this?

Is there any plan to fix this bug, or is it as per design, highly unlikely?


#4

Hi @darkmatter

Please open a support ticket either from the Okta Support Portal or by sending an email to support@okta.com to have this issue further investigated.