_source/_posts/2024-08-15-otp-over-sms.md (+13 −13)
@@ -11,15 +11,12 @@ tweets:
11
11
image: blog/telephony/social.jpg
12
12
type: conversion
13
13
---
14
-
{% include toc.md %}
15
-
16
-
## Approaches to keep sending OTP over SMS... for now
17
-
18
-
"SMS has long played an important role as a universally applicable method of verifying a user's identity via one-time passcodes. And over the last decade, SMS and voice-based Multifactor Authentication has prevented untold attempts to compromise user accounts.
19
-
20
-
But it's time to move on."
21
14
22
-
– Ben King, VP Customer Trust: [BYO Telephony and the future of SMS at Okta](https://sec.okta.com/articles/2023/08/byo-telephony-and-future-sms-okta?_gl=1*50v0v8*_gcl_au*NzM2MTA4NjA5LjE3MTk5NTY2MDU.*_ga*MTE1NjAwNzQxNC4xNjY0OTc5MTk3*_ga_QKMSDV5369*MTcyMjg4MjA0Ni4yODIuMS4xNzIyODgzNDM3LjYwLjAuMA..&_ga=2.145329393.498111759.1722873073-1156007414.1664979197)
15
+
> SMS has long played an important role as a universally applicable method of verifying a user's identity via one-time passcodes. And over the last decade, SMS and voice-based Multifactor Authentication has prevented untold attempts to compromise user accounts
16
+
>
17
+
> But it's time to move on."
18
+
>
19
+
> <cite>Ben King, VP Customer Trust: [BYO Telephony and the future of SMS at Okta](https://sec.okta.com/articles/2023/08/byo-telephony-and-future-sms-okta)</cite>
23
20
24
21
## SMS/Voice is too SIMple
25
22
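Review bot: The new blockquote drops the opening quotation mark but keeps a stray closing one at the end of `> But it's time to move on."`, and the first quoted line now ends without the period the original had after "user accounts". Suggest `> ... has prevented untold attempts to compromise user accounts.` and `> But it's time to move on.` so the quote is consistently unquoted inside the blockquote. Stripping the `_gl`/`_ga` tracking parameters from the sec.okta.com link in the `<cite>` is the right call.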
@@ -33,19 +30,22 @@ The one-time passcode (OTP) you send using SMS or Voice may not go to the phone
33
30
34
31
* Longer login times than other methods
35
32
36
-
Okta [recommended moving away](https://www.okta.com/blog/2020/05/why-you-should-ditch-sms-as-an-auth-factor/)[ from SMS/Voice authentication](https://www.okta.com/blog/2020/05/why-you-should-ditch-sms-as-an-auth-factor/) some time ago. There are many other factors you can use for authentication, including:
33
+
Okta [recommended moving away](/blog/2020/05/why-you-should-ditch-sms-as-an-auth-factor/) from [SMS/Voice authentication](/blog/2020/05/why-you-should-ditch-sms-as-an-auth-factor/) some time ago. There are many other factors you can use for authentication, including:
37
34
38
35
* Generating codes in an authenticator app such as Okta Verify, Authy, Google Authenticator, or 1Password.
39
36
40
37
* FIDO2.0 (WebAuthn) which, in addition to phones, can use hardware keys and on-device authenticators.
41
38
42
39
Soon, [Okta will](https://support.okta.com/help/s/article/bring-your-own-telephony-required-for-sms-and-voice?language=en_US)[ require you to bring your own telephony provider](https://support.okta.com/help/s/article/bring-your-own-telephony-required-for-sms-and-voice?language=en_US) to keep sending those codes. If you need time to move to a different method of verifying identity, you must configure your own provider for SMS/Voice.
43
40
41
+
{% include toc.md %}
42
+
43
+
44
44
## Hooked on telephony
45
45
46
46
You can send the OTP in the SMS/Voice flow using the [telephony inline hook](https://help.okta.com/oie/en-us/content/topics/telephony/telephony-inline-hook.htm). Okta uses the code or URL in the hook to send the OTP, though, as you'll see, the hook may not be called every time (and that's a good thing). When your hook fails to send the message or takes too long to update the status, Okta takes over sending the message. However, the number of those messages is heavily rate-limited.
47
47
48
-
The code or URL you provide may simply send the message and communicate the outcome to Okta. The code or server may be more complex, managing geo-specific vendors, failure, failover to another provider, and hacking. No matter how easy or complex the code, there are three main approaches:
48
+
The code or URL you provide may simply send the message and communicate the outcome to Okta. The code or server may be more complex, managing geo-specific vendors, failure, failover to another provider, and hacking. No matter how simple or complex the code, there are three main approaches:
49
49
50
50
1. Implement the code and use your own telephony provider or providers.
51
51
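Review bot: The two adjacent links in `Okta [recommended moving away](/blog/2020/05/why-you-should-ditch-sms-as-an-auth-factor/) from [SMS/Voice authentication](/blog/2020/05/why-you-should-ditch-sms-as-an-auth-factor/)` point at the same URL and should be merged into a single link, e.g. `Okta [recommended moving away from SMS/Voice authentication](/blog/2020/05/why-you-should-ditch-sms-as-an-auth-factor/)`; the unchanged `Soon, [Okta will](...)[ require you to bring your own telephony provider](...)` line has the same split-link pattern and could be fixed in the same commit. Also, changing `https://www.okta.com/blog/...` to the root-relative `/blog/...` only resolves if this site is served from the same host as www.okta.com, so that is worth confirming before merging.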
@@ -67,7 +67,7 @@ Second, the features and regulations for traffic may differ from region to regio
67
67
68
68
* Registration of a sender ID for your business. For example, messages without a valid sender ID are automatically marked as "Likely-SCAM" in Singapore.
69
69
70
-
* Using *short codes*–special telephone numbers designed for high traffic. This can add significant cost.
70
+
* Using *short codes*, which are special telephone numbers designed for high traffic. This can add significant cost.
71
71
72
72
* Supported formats, such as ASCII and Unicode.
73
73
@@ -119,7 +119,7 @@ Implementing custom code is similar to adding a somewhat complex feature to your
119
119
120
120
Moving to a service provider minimizes the technical requirements, though there's still vendor management and monitoring.
121
121
122
-
## Designing a DIY Hook
122
+
## Designing a DIY hook
123
123
124
124
The first step in implementing a telephony hook is finding a vendor. There are at least three essential criteria:
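Review bot: Lowercasing the heading to `## Designing a DIY hook` matches the sentence case used by `## Hooked on telephony` and `## Approaches to keep sending OTP over SMS... for now`; worth confirming that any existing anchor links or TOC entries pointing at this heading still resolve after the change.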
If you rely on SMS for authentication, start thinking about how to replace it. In the meantime, use what you've learned in this post to keep your solutions as secure as possible.