Unlock account with voice disabled skips authenticator-verification-data step

[JeremyGuinn]

Describe the bug

Starting the unlock account flow with an okta environment setup to only use text message for recovery automatically selects SMS and skips the authenticator-verification-data step.

I'm calling the flow as follows:

await okta.idx.unlockAccount({
  username: "my_user",
  authenticator: "phone_number",
});

This successfully starts the flow, and the user is immediately sent the text message. The forgot password flow works correctly, and takes the user to the authenticator-verification-data step.

Looking at the requests, the SDK is automatically adding methodType: 'SMS' to the request, which is causing the API to skip the step. When I test the api directly with the payload only including the identifier and authenticator, it correctly takes me to the authenticator-verification-data step.

Payload results in transition to authenticator-verification-data

{
    "identifier": "[email protected]",
    "authenticator": {
        "id": "{phone_authenticator_id}"
    },
    "stateHandle": "some_long_state_handle"
}

Payload results in transition to challenge-authenticator, and the text was sent without confirmation

{
    "identifier": "[email protected]",
    "authenticator": {
        "id": "{phone_authenticator_id}"
        "methodType": "sms"
    },
    "stateHandle": "some_long_state_handle"
}

Reproduction Steps?

1. Configure okta policy to disable voice call for recovery and authentication
2. Call idx.unlockAccount
3. Call idx.proceed with the username and authenticator as phone_number

SDK Versions

System:
OS: Windows 10 10.0.19044
CPU: (12) x64 Intel(R) Core(TM) i7-8850H CPU @ 2.60GHz
Memory: 5.66 GB / 31.79 GB
Binaries:
Node: 18.12.1 - C:\Program Files\nodejs\node.EXE
Yarn: 1.22.19 - C:\Program Files\nodejs\yarn.CMD
npm: 8.19.2 - C:\Program Files\nodejs\npm.CMD
Browsers:
Edge: Spartan (44.19041.3570.0), Chromium (118.0.2088.57)
npmPackages:
@okta/okta-angular: ^6.2.0 => 6.2.0
@okta/okta-auth-js: ^7.4.2 => 7.4.2

Additional Information?

It looks like the issue is caused here: SelectAuthenticatorUnlockAccount.ts#L44-L52

[denysoblohin-okta]

Thanks for reporting this issue
Internal ref: OKTA-664665

[ultrma]

Hi @denysoblohin-okta , is there any update on this issue?

[denysoblohin-okta]

As a workaround you can use low-level API methods like

await authClient.idx.start({
  flow: 'unlockAccount',
});

await authClient.idx.proceed({
  identifier: "[email protected]",
  authenticator: {
    id: "{phone_authenticator_id}"
  },
  step: "select-authenticator-unlock-account",
});

await authClient.idx.proceed({
  authenticator: {
    id: "{phone_authenticator_id}",
    methodType: "sms"
  },
  step: "authenticator-verification-data",
});

instead of using unlockAccount

[ultrma]

@denysoblohin-okta , I tried the way you suggested. It still redirects me to code verification page directly.
If I remove the "methodType: 'sms'" in the second idx.proceed call, it prompts the "Send Code" page, but when I click "Send Code" button through my UI, I don't receive any code back for some reason. Any idea?

[denysoblohin-okta]

but when I click "Send Code" button through my UI, I don't receive any code back for some reason.

You mean you don't receive SMS on your phone?
Have tried different accounts with different phone numbers? (to make sure it's not a problem with specific phone number)

[ultrma]

@denysoblohin-okta , yes.
And you are right. It's something wrong with my account.
We tried another one and it worked well. We can present "send code" page now.

Thanks for your helping. I really appreciate.