
SMS Verification

SMS Verification is a multi-factor authentication method. After it is enabled, users must enter a one-time verification code sent to their bound phone number after entering the correct account and password. This adds an extra layer of protection to the account.

Path: Console → open the target application → top navigation Configuration → Security Settings → Multi-factor Authentication

 

1. Application Configuration

1.1 Enable SMS Verification

  • In the Factor Management section, find the SMS Verification card and turn on the switch on the right.

  • After it is enabled, users under the current application must complete secondary verification when they log in with a password. Third-party login and verification-code login are not affected.

  • If the application uses RootAuth built-in SMS, SMS Verification is enabled directly and RootAuth shows "SMS verification factor enabled successfully".

  • If a custom SMS provider has been configured, you need to enter the template ID for Login secondary verification when enabling SMS Verification. RootAuth saves the template configuration and enables the factor.

Tip: SMS Verification, Email Verification, and OTP can be enabled or disabled independently.

 

1.2 Disable SMS Verification

  • Turn off the SMS Verification switch.

  • Before disabling the factor, RootAuth shows a confirmation dialog. After you confirm, the factor is disabled and RootAuth shows "SMS verification factor disabled successfully".

  • After SMS Verification is disabled, password login no longer triggers SMS-based secondary verification.

Disabling SMS Verification does not delete users' bound phone numbers or saved SMS service and template configurations.

 

1.3 Configure SMS Templates (Optional)

When SMS Verification is enabled, you can configure the SMS template used for login secondary verification.

  • Path: Branding → SMS → Domestic SMS Service / International SMS Service.

  • In the provider configuration, find the template ID field for Login secondary verification.

  • If you use built-in SMS, no template ID is required. RootAuth uses its built-in SMS template.

  • If you use Alibaba Cloud SMS, Tencent Cloud SMS, or Ucloud SMS, enter the corresponding template ID for the current provider.

Note: If you enable SMS Verification before configuring a custom SMS provider, the Login secondary verification template ID is required. Otherwise, SMS MFA may not be able to send verification codes.

 

1.4 Configure Phone Number Region Code Policy

SMS Verification uses the user's phone number. When a user binds a phone number for the first time, the region code dropdown follows the Allowed login region codes setting in Login Control.

  • Path: Application Management → Login Control → Phone number region code policy.

  • If a user has not bound a phone number, they can only select a region code allowed by the login region code policy when completing SMS MFA for the first time.

  • Region codes are displayed in the format +code Country/Region, such as +86 China.

 

2. User Verification Flow

2.1 Prerequisites

  • SMS Verification is enabled for the application.

  • The user logs in with an account and password.

  • The SMS service configuration of the current application can send verification codes successfully.

 

2.2 First-Time Phone Number Binding

  1. The user enters the correct account and password on the application login page and clicks login.

  2. After RootAuth verifies the credentials, the user is redirected to the Login Secondary Verification page.

  3. If the user has not bound a phone number, the page asks the user to enter a phone number and request a verification code.

  4. The user selects a region code, enters a phone number, and clicks Get Verification Code.

  5. The user enters the SMS verification code and clicks Confirm.

  6. After verification succeeds, the phone number is bound and the user is logged in and redirected to the application callback URL.

 

2.3 Verification Flow for Bound Phone Numbers

  1. The user enters the correct account and password on the application login page and clicks login.

  2. After RootAuth verifies the credentials, the user is redirected to the Login Secondary Verification page.

  3. The page displays the user's masked phone number, such as +86 134****9804.

  4. The user clicks Get Verification Code, and RootAuth sends an SMS code to the bound phone number.

  5. The user enters the verification code and clicks Confirm.

  6. After verification succeeds, the user is logged in and redirected to the application callback URL.

If multiple factors are enabled, users can switch between the available methods on the secondary verification page. The display order is OTP Verification, Email Verification, and Phone Number Verification.

 

2.4 Resend Verification Code

  • If the user does not receive the SMS within 60 seconds or the code expires, they can request another code.

  • The button enters a 60-second countdown and can be clicked again after the countdown ends.

 

2.5 Verification Code Rules

  • If the same IP sends more than 60 verification codes within 1 hour, the security policy is triggered.

  • After the policy is triggered, RootAuth shows: "Verification codes are being sent too frequently. Please try again after 24 hours."

  • If the user enters incorrect verification codes 6 consecutive times across enabled factors, the account cannot log in for 1 hour.
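
The two limits above, modelled as an added example (not RootAuth's own code): a per-IP send limiter and a per-account consecutive-failure counter. The sliding one-hour window, the reset of the failure count on a correct code, and the names CodePolicy, allow_send, can_login and record_attempt are assumptions made for illustration.

```python
from collections import defaultdict, deque

# Thresholds taken from the Verification Code Rules above.
SEND_LIMIT = 60          # codes per IP ...
SEND_WINDOW = 3600       # ... within 1 hour (seconds)
SEND_BLOCK = 24 * 3600   # "Please try again after 24 hours"
FAIL_LIMIT = 6           # consecutive incorrect codes
FAIL_LOCK = 3600         # account cannot log in for 1 hour


class CodePolicy:
    """Illustrative model; window type and reset-on-success are assumptions."""

    def __init__(self):
        self.sends = defaultdict(deque)   # ip -> timestamps of recent sends
        self.ip_blocked_until = {}        # ip -> time the send block ends
        self.fails = defaultdict(int)     # user -> consecutive failures, all factors
        self.user_locked_until = {}       # user -> time the login lock ends

    def allow_send(self, ip, now):
        # Return True if a code may be sent to a request from this IP.
        if now < self.ip_blocked_until.get(ip, 0):
            return False
        window = self.sends[ip]
        while window and window[0] <= now - SEND_WINDOW:
            window.popleft()              # drop sends older than one hour
        if len(window) >= SEND_LIMIT:     # this request would be "more than 60"
            self.ip_blocked_until[ip] = now + SEND_BLOCK
            window.clear()
            return False
        window.append(now)
        return True

    def can_login(self, user, now):
        return now >= self.user_locked_until.get(user, 0)

    def record_attempt(self, user, ok, now):
        # Record one code check from any enabled factor; True if accepted.
        if not self.can_login(user, now):
            return False                  # locked accounts are refused outright
        if ok:
            self.fails[user] = 0          # assumption: success resets the streak
            return True
        self.fails[user] += 1
        if self.fails[user] >= FAIL_LIMIT:
            self.user_locked_until[user] = now + FAIL_LOCK
            self.fails[user] = 0
        return False
```

Because the failure counter is keyed by account and shared by every factor, switching from SMS to Email or OTP on the secondary verification page does not give a user a fresh set of attempts.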

 

3. User Details Management

Administrators can view a user's SMS Verification binding status on the user details page.

Path: User Management → Users → open a user → find the Multi-factor Authentication section

  • View: If the user has completed SMS Verification, this section displays the masked phone number.

  • Reset: SMS Verification currently cannot be reset from this section.

  • Global MFA bypass switch: this switch is shared by all verification methods. After it is turned off, the user bypasses all MFA. After it is turned on again, the user follows the application's MFA configuration.

The phone number itself is not deleted when SMS Verification is disabled. To change a user's phone number, edit it in the basic information section of the user details page.

 

4. Logs and Auditing

After SMS Verification is enabled, user behavior logs record related events:

  • Event type: Secondary authentication - SMS

  • Recorded fields: user, IP, country, time, result (success/failure), and failure reason.

You can view these records in Audit Logs → User Behavior Logs.

Last modified: 2026-06-09