
Why MSPs should not use SMS or voice as authenticators

As noted in this ZeroTek Knowledge Base article, Okta has discontinued SMS and voice services as authentication factors. Okta's decision reflects industry best practices and addresses the growing sophistication of threats that target these outdated authentication methods. For ZeroTek-licensed tenants, this change took effect February 1, 2025. For bring-your-own-license (BYOL) Okta orgs, the change takes (or will take) effect at each org's renewal date.

SMS and voice are increasingly vulnerable to attacks and do not meet modern security standards, which emphasize phishing-resistant mechanisms. SMS and voice can easily be compromised through SIM hacking and are not device-bound, meaning authentication codes can be intercepted and rerouted to a threat actor's device. These authenticators also produce a poor user experience compared to the authenticators ZeroTek recommends. For a full overview of ZeroTek's authenticator guidance, see Authenticators – MSP best practices.

What if your customer cannot use recommended authenticators?

If you have customers who cannot use the recommended authenticators, make sure they understand the limitations and vulnerabilities of this choice. You can continue using SMS and voice as authenticators by integrating your own telephony provider with Okta; see Integrating SendGrid and Twilio with Okta for voice and SMS authenticators for step-by-step instructions. For background on the Okta notification that prompted this change, see Okta notification: Bring Your Own Telephony Required for SMS & Voice.
