Hi Experts,
We are trying to explore the email verification with code OOTB feature but are struggling to achieve it. Below is an explanation of what we are trying:
1. The user clicks on the "Signup" link present at Okta.
2. The user fills in the details (default, via Universal Login) and submits.
3. Now, instead of sending a link for "Email Verification" to the user's email address, how can we keep the user on a screen where they validate the email address via a code? In other words, the SMS factor enrollment screen should appear only if the user has completed the email verification step as a continuation of registration.
So, #3 is something where we are struggling.
The problem here is: suppose a bad actor knows the email address of a legitimate user. He may enter that email address during signup and then enter his own mobile number at the time of SMS factor enrollment, which he can validate via OTP without any issues. So, next time during login he can use his own SMS MFA factor to log in, which fraudulently lets the bad actor gain access to all resources of the legitimate user.
Not sure if this feature is present OOTB in Okta CIC to handle this much-needed scenario, because we are going to follow the OOTB features of Okta CIC (Auth0).
Thanks,
Aditya
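The takeover described in the post hinges on one gap: a second factor gets enrolled before the email address has been proven to belong to the person signing up. The following is an added example, not part of the original post or of any Auth0/Okta documentation, showing the kind of gate that closes that gap: an Auth0 post-login Action that refuses to proceed to factor enrollment or challenge until `event.user.email_verified` is true. It assumes the Auth0 Actions "Login / Post Login" trigger, where `event.user.email_verified`, `api.access.deny()` and `api.multifactor.enable()` are available; the decision logic is pulled into a plain function and driven by a constructed event and a recording `api` stub so it runs offline. It does not answer the separate question of whether Universal Login can verify the email with a code instead of a link.

```javascript
// Added example (not from the original post). Decide whether a user may go on
// to second-factor enrollment/challenge. Assumes an Auth0 user profile shape
// with `email` and `email_verified`.
function gateMfaOnEmailVerification(user) {
  if (!user || typeof user.email !== 'string') {
    return { action: 'deny', reason: 'No usable email address on this profile.' };
  }
  if (user.email_verified !== true) {
    // Stop here. Without a verified address, someone who signed up using
    // another person's email could enroll their own phone as the SMS factor
    // and later log in with it.
    return { action: 'deny', reason: 'Verify your email address before continuing.' };
  }
  // Verified: let the tenant's configured factor (SMS here) be enrolled/challenged.
  return { action: 'mfa', provider: 'any' };
}

// Auth0 post-login Action handler (assumed trigger: Login / Post Login).
async function onExecutePostLogin(event, api) {
  const decision = gateMfaOnEmailVerification(event.user);
  if (decision.action === 'deny') {
    api.access.deny(decision.reason);
    return;
  }
  // allowRememberBrowser:false keeps the factor prompt on every login.
  api.multifactor.enable(decision.provider, { allowRememberBrowser: false });
}

// In a deployed Action this is the export Auth0 looks for.
if (typeof exports !== 'undefined') {
  exports.onExecutePostLogin = onExecutePostLogin;
}

// Offline harness: a constructed event and an `api` stub that records calls.
// The handler has no awaits, so its body completes synchronously.
function runWithStub(user) {
  const calls = [];
  const api = {
    access: { deny: (reason) => calls.push(['deny', reason]) },
    multifactor: { enable: (provider, opts) => calls.push(['mfa', provider, opts]) },
  };
  onExecutePostLogin({ user }, api);
  return calls;
}

// Constructed sample profiles, not real accounts.
console.log(runWithStub({ email: 'victim@example.com', email_verified: false }));
console.log(runWithStub({ email: 'victim@example.com', email_verified: true }));
```

The order matters: the verification check runs before `api.multifactor.enable()`, so an unverified signup never reaches the SMS enrollment screen at all, which is the behaviour step 3 of the post asks for.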