I have activated an MFA through SMS. However, it seems that two users can use the same phone number for MFA. Here’s how they can do it:
- User1 registers an account.
- User1 logs in and gets prompted with a phone number with MFA
- User1 provides their phone number and proceeds with the next login steps
- User1 is logged in.
- User2 registers an account.
- User2 logs in and gets prompted with a phone number with MFA
- User2 provides User1’s phone number and proceeds with the next login steps.
- User2 is logged in.
I expect steps 7 to fail because the number is already used by User1. How do I prevent User2 from using User1’s phone number?