Feature:
Implement SMS as password reset option without requiring SMS Phone Number as a unique identifier.
Description:
This feature is common in most applications and CIAM platforms today. This feature is also available in Okta CIS and a lot of our customer users are also clammoring for this ‘basic’ feature.
The problem of forcing Phone Numbers to be a Unique Identifier right now is that a lot of customer facing apps have ‘reused’ Phone Numbers due to them helping out their ‘non-techy’ spouse / relatives / etc.
This use case is common to mid-market to high end market where users are not that well versed with technology (and some don’t even have email addresses), but they simply want to do a password reset using their SMS via OTP.
An example of this use case would be for Airlines, High End Online Retail (with demographics of 30-70), High End Loyalty Platforms (catering to big spenders with mix tech-savy and non-tech-savy).
Hoping this feature would be prioritized because it is weird that the new universal login experience missed this feature while all the other CIAM platforms and common flows in the market requires this.
I do like to note that we are aware of the NIST 800-63 standard about SMS verification, however, not all our customers want to adhere to this ‘standard’ as this does not yet apply strongly to their user base.