Resetting the phone number via the user dashboard and subsequently re-entering the same phone number will prompt for One Time Password (OTP) activation as expected. However, resetting the phone number via the reset SMS MFA API and adding the same number will display the number as active without requiring an OTP prompt.
- SMS
- API
- Multi-Factor Authentication (MFA)
Unlike other factors, the SMS factor is also set as a recovery method. The normal delete API call, shown below, removes only the SMS factor and the phone number from authenticators; it does not remove the phone number from the recovery method.
DELETE {{url}}/api/v1/users/${userId}/factors/${factorId}
To remove the SMS as both an authentication factor and a recovery method, the API call provided below must be executed:
DELETE {{url}}/api/v1/users/${userId}/factors/${factorId}?removeRecoveryEnrollment=true
Once the number has been removed, it is possible to re-enroll the same number, which will then be in the appropriate status of pending activation.
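The following is an added example, not part of the original article or vendor code. It builds the delete call with `removeRecoveryEnrollment=true` and checks a user's factor list after re-enrollment for an SMS factor that came back active without OTP verification. The base URL, token, IDs and sample factor lists are constructed placeholders, and the field names (`factorType`, `status`, `profile.phoneNumber`) and the `SSWS` authorization scheme are assumed to match the Factors API response format.

```python
import urllib.request
from urllib.parse import quote

def sms_factor_ids(factors):
    """IDs of SMS factors in a GET /api/v1/users/{userId}/factors response."""
    return [f["id"] for f in factors if f.get("factorType") == "sms"]

def build_delete_request(base_url, api_token, user_id, factor_id):
    """DELETE that removes SMS as both a factor and a recovery method."""
    url = (f"{base_url.rstrip('/')}/api/v1/users/{quote(user_id, safe='')}"
           f"/factors/{quote(factor_id, safe='')}?removeRecoveryEnrollment=true")
    req = urllib.request.Request(url, method="DELETE")
    req.add_header("Authorization", f"SSWS {api_token}")  # assumed token scheme
    req.add_header("Accept", "application/json")
    return req

def reenrolled_without_otp(factors_after, phone):
    """SMS factors for `phone` that are not pending activation after re-enrollment.

    A non-empty result means the number was accepted without an OTP check,
    which is the symptom of a leftover recovery enrollment.
    """
    return [f["id"] for f in factors_after
            if f.get("factorType") == "sms"
            and f.get("profile", {}).get("phoneNumber") == phone
            and f.get("status") != "PENDING_ACTIVATION"]

# Constructed sample data (not real user or factor IDs).
PHONE = "+15555550100"
SAMPLE_BEFORE = [
    {"id": "sms1", "factorType": "sms", "status": "ACTIVE",
     "profile": {"phoneNumber": PHONE}},
    {"id": "totp1", "factorType": "token:software:totp", "status": "ACTIVE"},
]
# Re-enrolled after a reset that left the recovery enrollment in place.
SAMPLE_AFTER_BAD = [{"id": "sms2", "factorType": "sms", "status": "ACTIVE",
                     "profile": {"phoneNumber": PHONE}}]
# Re-enrolled after the delete with removeRecoveryEnrollment=true.
SAMPLE_AFTER_GOOD = [{"id": "sms3", "factorType": "sms",
                      "status": "PENDING_ACTIVATION",
                      "profile": {"phoneNumber": PHONE}}]

if __name__ == "__main__":
    for fid in sms_factor_ids(SAMPLE_BEFORE):
        req = build_delete_request("https://example.okta.com", "PLACEHOLDER_TOKEN",
                                   "PLACEHOLDER_USER_ID", fid)
        print(req.get_method(), req.full_url)  # pass req to urlopen() to send it
    print("unverified:", reenrolled_without_otp(SAMPLE_AFTER_BAD, PHONE))
    print("unverified:", reenrolled_without_otp(SAMPLE_AFTER_GOOD, PHONE))
```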
