Why Use SMS for MFA in Okta Mobile
https://support.okta.com/help/answers?id=906f0000000bln6iai&refurl=http%3a%2f%2fsupport.okta.com%2fhelp%2fanswers
Thomas (Okta, Inc.)

Why Use SMS for MFA in Okta Mobile

Best Answer chosen by Thomas (Okta, Inc.)
Thomas (Okta, Inc.)
We often get questions about whether it is really secure to use SMS as a second factor from Okta Mobile. Shouldn't it really be a second device? Great question. It's probably not practical to ask users to carry around two devices, but using SMS or Okta Verify on the same mobile device as Okta Mobile is still really multiple factors of authentication. The user must enter their username and password the first time they log in, or at least their PIN if they have already logged into Okta Mobile. This is the first factor (something they know). The second factor is the device itself. The SMS code is just how Okta validates that the user is in possession of that device (something they have). It's a great topic for discussion, however. As the lines between desktop OS and mobile OS begin to blur, for example, I can now get my SMS messages on any iCloud-connected device. That's the nice thing about Okta Verify as your MFA: it is tied to a device, not just an account.

Original Author: Arturo Hinojosa
 

All Answers

Okta Reporting
Do not use SMS; use OTP tokens, either hard or soft tokens. SMS is not secure. Verizon and other providers have proven in the past to allow attackers to change the SIM card on a given account while only verifying minimal or publicly available information, allowing someone with your password to intercept the 2FA SMS and log in to your account. I would treat SMS as low as security questions in terms of a "secure" 2FA option. More info: https://www.wired.com/2016/06/hey-stop-using-texts-two-factor-authentication/