This is a feature request to add support for mobile phone verification.
It is similar to the idea of email verification, but for mobile. Most, if not all, other major auth providers support this feature. I’d propose two different options to give each developer when it comes to mobile verification:
Required in signup flow - In order to complete signup, the user inputs their mobile, receives a verification code over sms, and inputs it before they can proceed.
Optional later - At any point, a user can choose to verify their mobile. They click on a link in the app akin to “Verify mobile”. They receive a code via sms and enter it into the app.
The idea behind the first use case, is sometimes you need to verify a user’s phone number before they can create an account. The idea behind the second is similar. Sometimes you need to verify their number before they can access certain features.
If you have your own use case or implementation requirements for this feature, please reply with it so I can improve this request!
Hey Dan! Great question. So, the use case I am considering here is one where your business needs don’t necessarily require MFA, rather you just need to verify the user’s phone number using a one-time code. This would be simple enough to implement separately using a little service and something like Twilio or SNS, but I thought it would be tidier to have it within Auth0 since email & email verification is already there.
+1 on this use case. Looking through the Auth0 SMS MFA solutions in the AUTH0 dashboard I assumed it alluded to this possibility, however, researching and reading this post has confirmed not. Interestingly we will need to create our own integration to Twilio to achieve verify. With that said when implementing SMS verification in Auth0 we could use custom provider that interfaces with own Twilio service to decouple it from Auth0 now we have this use case.
We offer a step-up MFA feature, which is similar to SMS verification. You should be able to configure SMS as the primary factor and prompt for MFA, which would require the user to verify their SMS.
It’s not quite the same use case as some of the users have described above, but it may work for you.
Gotcha. Thanks for pointing to the link. This was helpful and I find some use-cases to challenge user with MFA for accessing certain features. Like how Facebook asks you for re-entering password if you want to change some developer settings. This link was helpful.
However, my primary use case is the second case as mentioned in the post. Where I don’t want to force a user to verify his mobile until he wants to access certain features. Once he has verified his mobile, then I will never ask him to verify again.
+1 We have a clear and compelling use case for this related to our customer service. Differs from SMS MFA b/c we’re thinking of it as a 1-many as people may provide multiple phone numbers. @dan.woda Any update on if/when this might be available?
I have a similar case . The flow is similar to passwordless authentication with sms but allowing the user to update the mobile number at a later point if needed. I cant find a way to verify the mobile number and otp