Add MFA with SMS OTP¶
SMS OTP (One-Time Password) is a security mechanism where a password is sent to the user's registered mobile number, which they must enter during the login process. This password is typically valid for a short period.
During SMS OTP authentication, the user must access their mobile device to retrieve the OTP. This method ensures that only the person who has access to the registered mobile number can log in, providing an additional layer of security.
Follow the instructions given below to configure Multi-Factor Authentication (MFA) using SMS OTP in WSO2 Identity Server.
Prerequisites¶
- To get started, you need to register an application with WSO2 Identity Server. You can register your own application or use one of the sample applications provided.
- Update the user profile of the users with a mobile number to which the user will receive the OTP.
- Configure the SMS provider in WSO2 Identity Server.
Info
You can use SMS OTP for multi-factor authentication only if a previous authentication step is configured with username and password or another factor that can validate user credentials.
Set up SMS OTP¶
WSO2 Identity Server has some default settings for SMS OTP, which are sufficient for most cases. If required, you can change the default settings, as explained below.
To update the default SMS OTP settings:
- On the WSO2 Identity Server Console, go to Connections and select SMS OTP.
- Update the following parameters in the Settings tab:

| Field | Description |
| --- | --- |
| SMS OTP expiry time | Specifies the expiry time of the OTP. The generated OTP is not valid after this expiry time. |
| Use only numeric characters for OTP | Specifies whether to use only numeric characters in the OTP. If selected, the generated OTP contains only digits (0-9); if not selected, the OTP contains alphanumeric characters. |
| SMS OTP length | Specifies the number of characters allowed in the OTP. |

- Once you update the SMS OTP settings, click Update.
Enable SMS OTP for an app¶
To enable SMS OTP for MFA, you need to add SMS OTP in the authentication flow of the application.
Follow the steps given below.
- On the WSO2 Identity Server Console, go to Applications.
- Select the application to which you wish to add SMS OTP.
- Go to the Login Flow tab of the application and add the SMS OTP authenticator from your preferred editor:
  - Go to Predefined Flows > Add Multi-factor Login.
  - Select Username + Password -> SMS OTP.
  - Click Confirm to add SMS OTP as the second step of the sign-in flow.
  - Select Enable backup codes if you wish to allow users to use backup codes to log in to the application. Learn more about configuring backup codes for users.
- Click Update to save your changes.
How it works¶
When SMS OTP is enabled in the login flow of your application, the application user will be prompted with the SMS OTP authentication step once the first authentication step is completed. Given below are the high-level steps that follow:
- WSO2 Identity Server sends the OTP to the user's mobile number.
- WSO2 Identity Server prompts the user to enter the OTP code.
- If required, the user can request WSO2 Identity Server to resend the OTP. The new OTP invalidates the previously sent OTP.
- The user enters the OTP and clicks Continue.
- If the authentication is successful, the user can access the application.
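The following is an added, self-contained Python model of the OTP step described above and of the three settings on the Settings tab (expiry time, numeric-only, length). It is illustrative code written for this page, not WSO2 Identity Server's implementation: the class and field names (`OtpSettings`, `SmsOtpStep`, `issue`, `verify`) are assumptions, the `send` callback stands in for the configured SMS provider, and the clock is injectable so expiry can be exercised offline. It shows the behaviour a verifier should have: a cryptographically random code, a single live OTP per user so a resend invalidates the earlier code, rejection after expiry, a constant-time comparison, and one-time use.

```python
import hmac
import secrets
import string
import time
from dataclasses import dataclass
from typing import Callable, Dict, Optional


@dataclass
class OtpSettings:
    """Mirrors the three SMS OTP settings fields. Values here are constructed defaults."""
    expiry_seconds: int = 300       # "SMS OTP expiry time"
    numeric_only: bool = True       # "Use only numeric characters for OTP"
    length: int = 6                 # "SMS OTP length"


@dataclass
class IssuedOtp:
    code: str
    issued_at: float


class SmsOtpStep:
    """Simplified model of the SMS OTP authentication step (hypothetical, not WSO2 code)."""

    def __init__(self, settings: OtpSettings,
                 send: Callable[[str, str], None],
                 clock: Callable[[], float] = time.time) -> None:
        self.settings = settings
        self.send = send            # stand-in for the SMS provider (mobile number, message)
        self.clock = clock
        self.active: Dict[str, IssuedOtp] = {}   # at most one live OTP per user

    def _generate(self) -> str:
        # Alphabet follows the numeric-only setting; secrets gives a CSPRNG-backed choice.
        alphabet = string.digits if self.settings.numeric_only \
            else string.ascii_uppercase + string.digits
        return "".join(secrets.choice(alphabet) for _ in range(self.settings.length))

    def issue(self, username: str, mobile: str) -> None:
        """Send a fresh OTP. Calling this again ('resend') replaces the earlier code,
        so the previously sent OTP is no longer accepted."""
        otp = IssuedOtp(code=self._generate(), issued_at=self.clock())
        self.active[username] = otp
        self.send(mobile, f"Your verification code is {otp.code}")

    def verify(self, username: str, submitted: str) -> bool:
        """Accept the code only if it is the live one, unexpired, and not yet used."""
        otp: Optional[IssuedOtp] = self.active.get(username)
        if otp is None:
            return False
        if self.clock() - otp.issued_at > self.settings.expiry_seconds:
            del self.active[username]          # expired codes are discarded, not retried
            return False
        ok = hmac.compare_digest(otp.code.encode(), submitted.encode())
        if ok:
            del self.active[username]          # one-time use: a replay of the same code fails
        return ok


def extract_code(message: str) -> str:
    """Helper for the demo: pull the code out of the constructed SMS text."""
    return message.rsplit(" ", 1)[1]


if __name__ == "__main__":
    outbox = []   # constructed stand-in for the user's phone
    step = SmsOtpStep(OtpSettings(), send=lambda number, msg: outbox.append(msg))
    step.issue("alice", "+00-000-0000")        # constructed number
    print("verified:", step.verify("alice", extract_code(outbox[-1])))
```

Usage: `issue` is called once the first factor (username and password) has succeeded, `issue` again on a resend request, and `verify` when the user clicks Continue; the `send` callback is where a real deployment would hand the message to its SMS provider.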