Okta Classic Engine | Devices and Mobility | Answered | 2024-04-30 | 2015-09-04 | 2018-08-12
  • j5v7c (j5v7c)

    We often get questions about whether it is really secure to use SMS as a second factor from Okta Mobile. Shouldn't it really be a second device? Great question. It's probably not practical to ask users to carry around two devices, but using SMS or Okta Verify on the same mobile device as Okta Mobile is still really multiple factors of authentication. The user must enter their username and password the first time they log in, or at least their PIN if they have already logged into Okta Mobile. This is the first factor (something they know). The second factor is the device itself. The SMS code is just how Okta validates that the user is in possession of that device (something they have). It's a great topic for discussion, however, as the lines between desktop OS and mobile OS begin to blur; for example, I can now get my SMS messages on any iCloud-connected device. That's the nice thing about Okta Verify as your MFA - it is tied to a device, not just an account.

    Original Author: Arturo Hinojosa

    Selected as Best
  • Jamis Eichenauer (Customer)

    Do not use SMS; use OTP tokens, either hard or soft tokens. SMS is not secure. Verizon and other providers have proven in the past to allow attackers to change the SIM card on a given account while only verifying minimal or publicly available information, allowing someone with your password to intercept the 2FA SMS and log in to your account. I would treat SMS as low as security questions in terms of a "secure" 2FA option. More info: https://www.wired.com/2016/06/hey-stop-using-texts-two-factor-authentication/
Why Use SMS for MFA in Okta Mobile