When configured, a 6-digit one-time passcode (OTP) is sent to the user's mobile device or landline phone, using SMS or telephony voice channels. The OTP is valid for up to 30 minutes.


A screen capture of an OTP SMS message.

You can:

To view usage limits for SMS and voice, see SMS and voice usage limits.

Note:

To prevent users from registering their device for SMS or voice authentication, and allow existing users to continue to authenticate, see Disabling pairing for a specific authentication method. This option is useful if you want to phase out SMS and voice authentication, in favor of more secure authentication methods.

The following list describes the conditions and limitations of SMS and voice authentication:

  • Phone numbers with extensions are supported for voice calls. The phone number must be followed by a comma and the extension number. For example:
    • The phone number +12025550123 with the extension 2992 is entered as +12025550123,2992.
    • The extension can include the # or * characters. For example, +12025550123,#2992 or +12025550123,2992#.
    • If there is more than one extension, a comma should separate the extension and the nested extension. For example, +12025550123,#2992,#2991.
    • Each comma generates a 2-second pause. After the call is answered, the extension is dialed after 2 seconds. If a pause is required for longer than 2 seconds, add an additional comma for each additional 2-second pause. For example, in +12025550123,#2992,,,#2991, three commas generate a 6-second pause before the nested extension.
  • Virtual numbers are not supported, and delivery success rates for virtual numbers are therefore likely to be lower than fixed numbers.
  • Because of Chinese regulatory limitations, use of voice OTPs in China is disabled.
  • In some cases, SMS OTPs in China may be blocked because of Chinese regulatory limitations. Therefore, it is recommended to use the Twilio Verify service in China. To enable this service, contact your Ping Identity sales representative.
  • In India and Saudi Arabia, PingID sends OTPs through SMS in transactional mode.
  • Transactional SMS messages include "PingID" as part of the sender ID.
  • Customers that are using Ping Identity’s SMS default account might receive SMS messages from a pre-registered alphanumeric Sender ID. This is necessary in countries with regulations that require Ping Identity to use a pre-registered Sender ID. For a list of requirements by country, see Twilio requirementss and Vonage requirements.
  • Additional sender ID numbers are available for the PingID SMS and voice OTP services so users can receive OTP text messages or voice calls from a different number. Generally, after the new number is set, the user will receive the PingID SMS or voice OTP from that number in the future. In cases of SMS or voice delivery technical issues, the user can receive the OTP text messages or voice calls from a new number, provided by a fallback SMS provider.
Note:

Voice authentication end users should change their voicemail password from their device default, or disable voicemail if using PingID voice OTP. An attacker could potentially direct an OTP voice call to a voicemail by calling the victim at the same time. In the event of an attack, the OTP will be recorded in the voicemail and will be subject to its password protection.

For information about the user experience, see the PingID End User Guide.