Problem statement
Is Auth0 performing any security validation when the /passwordless/start endpoint is used?
Are all phone numbers valid?
Is Auth0 detecting VOIP numbers as valid numbers?
Is Auth0 validating the ISD code (i.e. which countries we allow numbers from)?
Are we validating real numbers from virtual ones?
Solution
The only check that Auth0 performs is whether or not the string matches the regex pattern:
^\+[0-9]{1,15}$
All other validation happens on the SMS provider's side. With Twilio, when the SMS fails to send you should see a tenant log entry of type f whose error description contains a numeric code. This code corresponds to an entry in Twilio's error documentation.
For example, the error message “Permission to send an SMS has not been enabled for the region indicated by the ‘To’ number: +912222222222. (Code: 21408)” links up with the documentation: Error 21408 | Twilio
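As an added illustration (not code from this article, nor from Auth0 or Twilio), the Python below reproduces the single regex check Auth0 applies to the phone number, adds the application-side country-code (ISD) allow-list that the question asks about and that Auth0 does not do, and pulls the Twilio error code and destination number out of a tenant-log description like the one above. The allow-list values and the sample description are constructed for the example; ITU calling codes are prefix-free, so a plain prefix test against the list is unambiguous.

```python
import re
from typing import Optional

# The only check Auth0 makes on the phone number sent to /passwordless/start,
# as stated in the article: the string must match this E.164-shaped pattern.
AUTH0_PHONE_RE = re.compile(r"^\+[0-9]{1,15}$")

# Constructed allow-list of country calling (ISD) codes for this example; a real
# deployment chooses its own. Calling codes are prefix-free, so startswith() is
# enough to decide membership.
ALLOWED_COUNTRY_CODES = ("1", "44", "49")

# Twilio appends its numeric error code as "(Code: NNNNN)" and names the
# destination as the 'To' number; straight and curly quotes are both accepted
# because the tenant-log text may carry either.
TWILIO_CODE_RE = re.compile(r"\(Code:\s*(\d+)\)")
TWILIO_TO_RE = re.compile(r"['‘]To['’]\s+number:\s*(\+\d+)")

# Constructed tenant-log error description, modelled on the article's example.
SAMPLE_DESCRIPTION = (
    "Permission to send an SMS has not been enabled for the region indicated "
    "by the ‘To’ number: +912222222222. (Code: 21408)"
)


def passes_auth0_check(phone: str) -> bool:
    """Replicates the only validation Auth0 itself performs."""
    return AUTH0_PHONE_RE.fullmatch(phone) is not None


def country_code_allowed(phone: str, allowed=ALLOWED_COUNTRY_CODES) -> bool:
    """Application-side pre-check that Auth0 does not do: the number must pass
    the Auth0 regex AND begin with an allow-listed calling code."""
    if not passes_auth0_check(phone):
        return False
    digits = phone[1:]  # drop the leading '+'
    return any(digits.startswith(cc) for cc in allowed)


def parse_twilio_failure(description: str) -> dict:
    """Extract the Twilio error code and destination number from an Auth0
    tenant-log error description so failures can be grouped by code."""
    code: Optional[re.Match] = TWILIO_CODE_RE.search(description)
    to: Optional[re.Match] = TWILIO_TO_RE.search(description)
    return {
        "code": code.group(1) if code else None,
        "to": to.group(1) if to else None,
    }


if __name__ == "__main__":
    for number in ("+15550100", "+912222222222", "912222222222", "+1 555 0100"):
        print(number, passes_auth0_check(number), country_code_allowed(number))
    print(parse_twilio_failure(SAMPLE_DESCRIPTION))
```

Running the allow-list check before calling /passwordless/start keeps out-of-region numbers from ever reaching the SMS provider; the parser is what you would run over exported tenant logs to count failures per Twilio code.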