Provides authentication through one-time passwords delivered via SMS text messages to the user's registered mobile number. This factor offers broad accessibility as it works with any mobile phone capable of receiving text messages.
Requirement | Status | Description |
---|---|---|
Mobile Number | ✅ Required | Valid mobile number must be registered during activation |
Cellular Service | ✅ Required | Device must have active SMS capability |
SMS Reception | ✅ Required | Phone must be able to receive text messages |
REL-ID SMS Service | ✅ System Provided | REL-ID platform handles SMS delivery |
- Number Verification: System validates user has registered mobile number
- OTP Generation: 6-digit numeric code generated by system
- SMS Transmission: Code sent via SMS to registered mobile number
- Message Reception: User receives text message with authentication code
- Code Entry: User manually enters 6-digit code on web portal
- Server Validation: System validates entered code against generated code
- Time Validation: Code must be used within expiration window
- Authentication Result: Valid code allows authentication to proceed
Setting | Location | Description | Impact |
---|---|---|---|
smsOtp | allowed.auth.factors | Enable/disable SMS OTP for authentication | Controls if SMS OTP available during login |
smsOtp | allowed.reg.factors | Enable/disable SMS OTP registration | Controls if users can register mobile numbers |
- Number Entry: User provides mobile number during activation or in User Portal
- Format Validation: System checks number format and validity
- Test SMS: Verification code sent to provided number
- Confirmation: User enters verification code to confirm number ownership
- Storage: Verified mobile number stored for future authentication use
- Portal Access: User accesses security settings in User Portal
- Re-authentication: Full authentication required before number change
- New Number Entry: User provides replacement mobile number
- Verification SMS: Test code sent to new number for verification
- Confirmation: User enters verification code from new number
- Update Complete: New number replaces old number in system
Characteristic | Details | Notes |
---|---|---|
Delivery Time | Usually 1-30 seconds | Can vary by carrier and network conditions |
Code Length | 6 digits | Standard numeric format |
Expiration | Configurable (typically 5-10 minutes) | Code becomes invalid after expiration |
Resend Capability | Available if initial SMS not received | Rate limiting may apply |
International Support | Depends on SMS service configuration | May have additional costs or restrictions |
- SMS Delivered: Text message successfully reaches user's mobile device
- Code Entered Correctly: User enters exact 6-digit code from SMS
- Within Time Limit: Code used before expiration period
- Number Active: Mobile number is active and can receive messages
Failure Type | Cause | User Experience | Resolution Options |
---|---|---|---|
No Mobile Number | User hasn't registered mobile number | "No mobile number registered" error | Guide user to number registration process |
SMS Not Delivered | Network issues, invalid number, or carrier blocking | No SMS received | Offer resend option or alternative authentication |
Wrong Code | User entered incorrect digits | "Invalid code" error message | Allow retry with same code |
Expired Code | Code used after expiration time | "Code expired" error | Generate and send new code |
Carrier Issues | SMS service problems or delays | Delayed or missing SMS | Provide alternative authentication methods |
- User Option: "Resend SMS" link available if code not received
- Rate Limiting: Prevents abuse with time delays between resend attempts
- Alternative Methods: System may suggest other authentication factors if SMS consistently fails
- Troubleshooting: Users guided to check phone reception and SMS blocking settings
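
The server-side steps described above (OTP generation, server validation, time validation) together with the failure and resend handling, as an added Python sketch that is not REL-ID code. The class and method names, the 5-minute TTL, the 30-second resend delay and the cap on wrong guesses are assumptions; the page only states a 6-digit code, a configurable expiration and rate-limited resends.

```python
import hashlib
import hmac
import secrets
import time

CODE_TTL = 300        # assumed: 5 minutes (page: configurable, typically 5-10)
RESEND_COOLDOWN = 30  # assumed delay between resend attempts
MAX_ATTEMPTS = 5      # assumed cap on wrong guesses; not stated on the page


class SmsOtpStore:
    """In-memory sketch of the server side of an SMS OTP flow (hypothetical)."""

    def __init__(self, clock=time.time):
        self.clock = clock
        self.numbers = {}  # user -> verified mobile number
        self.pending = {}  # user -> [code_digest, issued_at, failed_attempts]

    def _digest(self, code):
        return hashlib.sha256(code.encode()).digest()  # fixed-length bytes

    def issue(self, user):
        """Create a code for first send or resend; returns (status, code)."""
        if user not in self.numbers:
            return "no_mobile_number", None
        now = self.clock()
        prev = self.pending.get(user)
        if prev and now - prev[1] < RESEND_COOLDOWN:
            return "rate_limited", None
        code = f"{secrets.randbelow(10**6):06d}"  # CSPRNG, keeps leading zeros
        self.pending[user] = [self._digest(code), now, 0]
        return "sent", code  # caller passes the code to the SMS gateway

    def verify(self, user, entered):
        """Check an entered code and return a status string."""
        rec = self.pending.get(user)
        if rec is None:
            return "no_code"
        if self.clock() - rec[1] > CODE_TTL:
            del self.pending[user]
            return "expired"  # caller generates and sends a new code
        if rec[2] >= MAX_ATTEMPTS:
            return "locked"   # too many wrong guesses; a resend is required
        if not hmac.compare_digest(rec[0], self._digest(entered)):
            rec[2] += 1
            return "invalid"  # retry with the same code is still allowed
        del self.pending[user]  # single use: a validated code cannot be replayed
        return "ok"
```

The status strings map onto the failure table: `no_mobile_number`, `invalid` and `expired` correspond to the No Mobile Number, Wrong Code and Expired Code rows, while `rate_limited` is the resend delay.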
- Registration Required: Number must be registered before SMS OTP can be used
- Verification Process: All numbers verified through test SMS during registration
- Update Capability: Users can change numbers through User Portal
- Security: Number changes require re-authentication to prevent unauthorised modifications