Last Updated: Dec 6, 2024
Overview
This article provides answers to the following questions:
- Is Auth0 providing any security validation when using the /passwordless/start endpoint?
- Are all phone numbers valid?
- Is Auth0 detecting VOIP numbers as valid numbers?
- Is Auth0 validating the ISD code (which countries we allow numbers from)?
- Are we validating real numbers from virtual ones?
Applies To
- Passwordless
- /passwordless/start Endpoint
- User Validation
- SMS
Solution
The only check that Auth0 performs on its side is whether or not the string matches the regex pattern:
^\+[0-9]{1,15}$
All other validation is performed by the SMS provider. With Twilio, when the SMS carrying the code fails to send, there should be a tenant log with type:f whose error description contains a code. This code links up with Twilio’s documentation.
For example, the error message “Permission to send an SMS has not been enabled for the region indicated by the ‘To’ number: +912222222222. (Code: 21408)” links up with this document.
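Because the pattern above accepts any 1 to 15 digits after the plus sign, an application that wants to restrict countries has to check before calling /passwordless/start. The following is an added example, not Auth0's code: the allowlist and the function names are hypothetical, and only the regex and the sample error message come from this article.

```javascript
// The only server-side check described in the article.
const AUTH0_PATTERN = /^\+[0-9]{1,15}$/;

// Hypothetical allowlist of country calling codes the application accepts.
// Note that "1" covers every country in the North American Numbering Plan.
const ALLOWED_CALLING_CODES = ["1", "44"];

// Application-side pre-check. Returns { ok, reason, callingCode }.
function precheckPhoneNumber(phone, allowed = ALLOWED_CALLING_CODES) {
  if (typeof phone !== "string" || !AUTH0_PATTERN.test(phone)) {
    return { ok: false, reason: "format", callingCode: null };
  }
  const digits = phone.slice(1);
  // E.164 country codes are prefix-free, so a prefix match is unambiguous.
  const code = allowed.find((c) => digits.startsWith(c));
  if (!code) {
    return { ok: false, reason: "calling_code_not_allowed", callingCode: null };
  }
  // The pattern alone would accept a bare calling code such as "+1".
  if (digits.length === code.length) {
    return { ok: false, reason: "no_subscriber_number", callingCode: code };
  }
  return { ok: true, reason: null, callingCode: code };
}

// Extract the provider error code from a failure log description, so it can
// be looked up in the SMS provider's documentation or counted in monitoring.
function extractProviderCode(description) {
  const match = /\(Code:\s*(\d+)\)/.exec(String(description));
  return match ? match[1] : null;
}

// Sample description taken from the article (quotes normalised to ASCII).
const SAMPLE_DESCRIPTION =
  "Permission to send an SMS has not been enabled for the region indicated " +
  "by the 'To' number: +912222222222. (Code: 21408)";

// Constructed inputs: each of these passes AUTH0_PATTERN on its own.
for (const n of ["+14155550100", "+912222222222", "+0", "+1"]) {
  console.log(n, AUTH0_PATTERN.test(n), precheckPhoneNumber(n).reason);
}
console.log(extractProviderCode(SAMPLE_DESCRIPTION));
```

A pre-check like this does not detect VOIP or virtual numbers; that still depends on the SMS provider.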