Configuring SMS and voice authentication
You can enable SMS or voice authentication. When configured, a one-time passcode (OTP) is sent to the user’s mobile device or landline phone, using SMS or telephony voice channels. The OTP is valid for up to 30 minutes.
- Learn how to configure SMS and voice authentication in Configuring an MFA policy for strong authentication.
- (Workforce only) Specify or restrict the user to a predefined phone number. Learn more: Pre-populating or restricting user registration data.
  For PingOne MFA, this is done using the PingOne MFA adapter.
- Create custom SMS or voice authentication templates. Learn more in Notification templates.
- Localize SMS messages and voice authentication calls:
  - Learn how to configure supported languages.
- Learn how to limit the number of SMS or voice authentication notifications that can be sent per day in Notification Policies.
- Learn how to use a custom SMS/Voice sender account with PingOne.
To prevent users from registering their device for SMS or voice authentication, and allow existing users to continue to authenticate, you can disable Allow Pairing in the relevant MFA policy. This option is useful if you want to phase out SMS and voice authentication, in favor of more secure authentication methods. Learn more in Configuring an MFA policy for strong authentication.
- Workforce only:
  - Configure SMS or voice authentication as a backup authentication method. Learn more in Configuring backup authentication methods.
  - Learn more about the user experience in the PingID End User Guide.
-
SMS and voice authentication conditions and limitations
The following list describes the conditions and limitations of SMS and voice authentication:
- SMS and voice usage limits are defined in the notification policy. Learn more: Notification Policies.
- Use of phone numbers with extensions must be enabled in MFA settings. Phone numbers with extensions are supported for voice calls. The phone number must be followed by a comma and the extension number. For example:
  - The phone number +12025550123 with the extension 2992 is entered as +12025550123,2992.
  - The extension can include the # or * characters. For example, +12025550123,#2992 or +12025550123,2992#.
  - If there is more than one extension, a comma should separate the extension and the nested extension. For example, +12025550123,#2992,#2991.
  - Each comma generates a 2-second pause. After the call is answered, the extension is dialed after 2 seconds. If a pause is required for longer than 2 seconds, add an additional comma for each additional 2-second pause. For example, in +12025550123,#2992,,,#2991, three commas generate a 6-second pause before the nested extension.
- Virtual numbers are not supported, and delivery success rates for virtual numbers are therefore likely to be lower than fixed numbers.
- Because of Chinese regulatory limitations, use of voice OTPs in China is disabled.
- In some cases, SMS OTPs in China may be blocked because of Chinese regulatory limitations. Therefore, it is recommended to use the Twilio Verify service in China. To enable this service, contact your Ping Identity sales representative.
- In India and Saudi Arabia, OTPs are sent by SMS in transactional mode.
- Transactional SMS messages include PingID or PingOne MFA as part of the sender ID.
- Customers that are using Ping Identity’s SMS default account might receive SMS messages from a pre-registered alphanumeric Sender ID. This is necessary in countries with regulations that require Ping Identity to use a pre-registered Sender ID. You can find a list of requirements by country in Twilio requirements and Vonage requirements.
- In countries that use alphanumeric sender IDs, sender IDs might vary depending on the SMS provider used.
Voice authentication end users should change their voicemail password from their device default, or disable voicemail if using voice OTP authentication. An attacker could potentially direct an OTP voice call to a voicemail by calling the victim at the same time. In the event of an attack, the OTP will be recorded in the voicemail and will be subject to its password protection.
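The extension format described in the conditions list above can be checked before a number is stored or pre-populated. The following Python function is an added example, not Ping Identity code: it splits a value into the base number and its dial steps, computes the pause before each extension from the comma count, and rejects malformed input. The function name, the E.164-style check on the base number, and the rule that each extension segment contains at least one digit are assumptions.

```python
import re

PAUSE_SECONDS_PER_COMMA = 2  # from the page: each comma generates a 2-second pause

# Assumed validation rules (not PingOne's own): E.164-style base number,
# extension segments made of digits plus optional # or * characters.
BASE_RE = re.compile(r"\+[1-9]\d{1,14}")
SEGMENT_RE = re.compile(r"[0-9#*]*\d[0-9#*]*")


def parse_voice_number(value):
    """Return (base_number, [(pause_seconds, extension), ...]).

    Raises ValueError when the value does not follow the
    '<number>,<extension>[,<nested extension>...]' format.
    """
    base, sep, rest = value.strip().partition(",")
    if not BASE_RE.fullmatch(base):
        raise ValueError(f"invalid base number: {base!r}")
    if not sep:
        return base, []  # plain number, no extension to dial
    steps = []
    pause = PAUSE_SECONDS_PER_COMMA  # the comma consumed by partition()
    for segment in rest.split(","):
        if segment == "":
            pause += PAUSE_SECONDS_PER_COMMA  # extra comma lengthens the pause
            continue
        if not SEGMENT_RE.fullmatch(segment):
            raise ValueError(f"invalid extension segment: {segment!r}")
        steps.append((pause, segment))
        pause = PAUSE_SECONDS_PER_COMMA  # comma that separates the next segment
    if pause != PAUSE_SECONDS_PER_COMMA or not steps:
        raise ValueError("comma with no extension after it")
    return base, steps


if __name__ == "__main__":
    # The page's own examples, followed by constructed malformed values.
    for sample in ("+12025550123,2992", "+12025550123,#2992,#2991",
                   "+12025550123,#2992,,,#2991", "+12025550123,2992,",
                   "+12025550123;2992"):
        try:
            print(sample, "->", parse_voice_number(sample))
        except ValueError as err:
            print(sample, "-> rejected:", err)
```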