Block Certain Phone Numbers from Receiving SMS for MFA

Overview

This article explains how to prevent SMS for MFA messages from being sent to specific phone numbers that may be maliciously requesting the SMS code.

Applies To

  • SMS MFA
  • Block Phone Numbers

Solution

This can be achieved with a Phone Message Action once the MFA delivery mechanism in Auth0 has been set to ‘Custom’, which routes every SMS through that Action before it reaches the provider.

Add an ‘if’ condition near the top of the script that checks the recipient number and returns early, before the text is handed to the SMS provider (such as Twilio). Because the Action simply returns, the request completes without an error and no message is sent. The list of blocked phone numbers can be stored as a hard-coded array. Here is an example:

exports.onExecuteSendPhoneMessage = async (event) => {
  // Destination number for this MFA message, as provided by Auth0.
  const recipient = event.message_options.recipient;
  // Hard-coded blocklist; numbers must match the recipient format exactly (E.164).
  const BLOCKED_NUMBERS = [ "+1234567890" ];

  // Return early so nothing is sent for a blocked number.
  if (BLOCKED_NUMBERS.includes(recipient)) {
    return;
  }

  // ... rest of the code to send the SMS
}