Clarification for Phone MFA Authentication IDs

Problem statement

When querying the Authentication Methods for a given user who enrolled in Phone Message MFA, the following array is returned:

[
  {
    "id": "phone|dev_****",
    "type": "phone",
    "confirmed": true,
    "phone_number": "XXXXXXXX****",
    "created_at": "2023-12-14T16:40:14.876Z",
    "last_auth_at": "2023-12-14T16:41:02.563Z",
    "preferred_authentication_method": "voice",
    "authentication_methods": [
      {
        "id": "sms|dev_****",
        "type": "sms"
      },
      {
        "id": "voice|dev_****",
        "type": "voice"
      }
    ]
  }
]

Why are there three ‘id’ attributes that have different prefixes such as ‘phone’ or ‘sms’? What is the meaning of these different IDs? If the authentication methods need to be deleted/updated for a given user in the future, which ‘id’ should be used in order to make those requests?

Solution

These ID values are all expected when a user enrolls in Phone Message MFA. Using the sample payload included above will help to explain the differences:

  1. The first "id", "phone|dev_****", exists because Phone Message was enabled as an MFA option in the tenant. Think of it as the ID of the main device (the user's phone).
  2. Under the authentication_methods array, the "id" values "sms|dev_****" and "voice|dev_****" appear because the user requested both a Voice message and SMS. If they had chosen only SMS or only Voice, the authentication_methods array would contain only the option they elected to use.

Regardless of the type ("sms" or "voice") of the authentication method shown in the user profile, any of the three ID values can be used to retrieve the authentication methods. For example, this Management API Authentication Methods endpoint returns the authentication methods regardless of which of the three IDs is used.
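The following added example (not part of this article, nor Auth0's own code) parses a response shaped like the payload above, maps all three IDs back to the single phone device they describe, and checks that the nested sms/voice IDs really belong to that device before they are used in a Management API call. The device id "dev_EXAMPLE" is a constructed placeholder, and the path /api/v2/users/{id}/authentication-methods/{authentication_method_id} is assumed to be the endpoint the article refers to.

```python
import json
from urllib.parse import quote

# Constructed sample, shaped like the response in the article; "dev_EXAMPLE" is a placeholder device id.
SAMPLE_RESPONSE = json.dumps([{
    "id": "phone|dev_EXAMPLE",
    "type": "phone",
    "confirmed": True,
    "phone_number": "XXXXXXXX****",
    "created_at": "2023-12-14T16:40:14.876Z",
    "last_auth_at": "2023-12-14T16:41:02.563Z",
    "preferred_authentication_method": "voice",
    "authentication_methods": [
        {"id": "sms|dev_EXAMPLE", "type": "sms"},
        {"id": "voice|dev_EXAMPLE", "type": "voice"},
    ],
}])


def split_method_id(method_id):
    """Split 'phone|dev_xxx' into its prefix (the channel) and the device identifier."""
    prefix, sep, device = method_id.partition("|")
    if not sep or not device:
        raise ValueError(f"unexpected authentication method id: {method_id!r}")
    return prefix, device


def index_phone_enrollments(response_json):
    """Map every id in the response (top-level and nested) to a summary of its enrollment.

    The top-level 'phone' id and the nested 'sms'/'voice' ids all point at one device,
    so every id resolves to the same summary: the device id and its enrolled channels.
    """
    index = {}
    for enrollment in json.loads(response_json):
        if enrollment.get("type") != "phone":
            continue
        nested = enrollment.get("authentication_methods", [])
        _, device = split_method_id(enrollment["id"])
        summary = {"device": device,
                   "channels": sorted(m["type"] for m in nested),
                   "confirmed": enrollment.get("confirmed", False),
                   "preferred": enrollment.get("preferred_authentication_method")}
        for mid in [enrollment["id"]] + [m["id"] for m in nested]:
            # A nested id whose device part differs from the parent's is inconsistent data.
            if split_method_id(mid)[1] != device:
                raise ValueError(f"{mid!r} does not belong to device {device!r}")
            index[mid] = summary
    return index


def authentication_method_path(user_id, method_id):
    """Path for the assumed 'get authentication method by id' route; both ids contain '|',
    so they are percent-encoded rather than placed raw in the URL path."""
    return (f"/api/v2/users/{quote(user_id, safe='')}"
            f"/authentication-methods/{quote(method_id, safe='')}")
```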