Overview
This article explains how to prevent SMS for MFA messages from being sent to specific phone numbers that may be maliciously requesting the SMS code.
Applies To
- SMS MFA
- Block Phone Numbers
Solution
This can be achieved by a Phone Message Action after setting the MFA delivery mechanism in Auth0 to ‘Custom’.
- Read more about Phone Message Actions here: Send Phone Message Flow
Add an ‘if’ condition towards the top of the script that checks the recipient number and returns prematurely before actually sending the text to the SMS provider (such as Twilio). The list of blocked phone numbers can be stored as a hard-coded array. Here is an example:
exports.onExecuteSendPhoneMessage = async (event) => {
const recipient = event.message_options.recipient;
const BLOCKED_NUMBERS = [ "+1234567890" ];
if (BLOCKED_NUMBERS.includes(recipient)) {
return;
}
// ... rest of the code to send the SMS
}