Related to: Access
What is the issue you’re encountering
I’d like to use SMS or WhatsApp as well as email as an option to send OTP. I’ve previously set a basic app up that works on email OTP login, but for my next app I’d like to be able to send via SMS or WhatsApp as well. I don’t actually need to restrict the users, but I do need to keep an access log. Seems that CF Zero Trust Access could work perfectly if it wasn’t email only. Has anyone else managed to do this, maybe creating a generic OIDC? Or using a different solution?
Adding SMS or WhatsApp as an OTP method in Cloudflare Zero Trust would massively boost flexibility. I faced this limitation too and ended up integrating a separate OIDC proxy for multi-channel OTP delivery. Logging and fallback logic were handled through Phonexa, which streamlined the flow. Native support for SMS would still be a game-changer for many use cases.
I don’t think an SMS to a Zero Trust is interesting. SMS can be more easily intercepted and is not encrypted…
And email cannot be intercepted? SMS or WhatsApp support would be a game changer and put this on a par with other solutions.
Of course they can be, but they are much more secure and email providers encrypt it by default. SMS aren’t encrypted, can be easily monitored, and they’re not recommended by security experts or even governments (that aren’t behind the times).
And I didn’t say anything about WhatsApp…
Out of curiosity how much per user, per month extra would you be willing to pay for this feature if it wasn’t included in a basic plan?
And would you be willing to pay for spray and pray login attempts or only valid phone numbers?
From an implementation standpoint would you maintain a list of valid numbers with country code in lists or what would be the mechanism?
Curious because there’s nothing stopping me from writing a cloud based implementation that does this and sends a SAML response to Cloudflare similar to their OTP implementation.
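As an added example (not from any post in this thread and not Cloudflare code), here is a sketch of the OTP gate such an external identity provider would need before it issues its OIDC or SAML assertion: numbers are normalized to E.164 and checked against an allowlist before any message is sent, sends are rate limited per number, and every attempt lands in an access log. The class name, limits, event names and the `send` callback are assumptions, and the phone numbers are constructed samples.

```python
import hashlib, hmac, re, secrets, time

E164 = re.compile(r"^\+[1-9]\d{7,14}$")       # country code + subscriber digits
ALLOWED = {"+15555550100", "+447700900123"}   # constructed sample allowlist
OTP_TTL, WINDOW, MAX_SENDS, MAX_TRIES = 300, 900, 3, 5  # assumed limits (seconds/counts)

class OtpGate:
    """Hypothetical gate in front of an SMS/WhatsApp sender (the `send` callback)."""
    def __init__(self, send, now=time.time):
        self.send, self.now = send, now
        self.pending = {}  # number -> (sha256 of code, expiry, tries left)
        self.sends = {}    # number -> timestamps of recent sends
        self.log = []      # access log: one entry per attempt, accepted or not

    def _record(self, number, event):
        self.log.append({"ts": self.now(), "number": number[:20], "event": event})
        return event

    def request(self, raw):
        number = re.sub(r"[\s\-()]", "", raw)  # strip common separators
        if not E164.match(number):
            return self._record(raw, "rejected_format")
        if number not in ALLOWED:
            # Unlisted number: logged, but no message is sent and nothing is billed.
            return self._record(number, "rejected_unlisted")
        recent = [t for t in self.sends.get(number, []) if t > self.now() - WINDOW]
        if len(recent) >= MAX_SENDS:
            return self._record(number, "rate_limited")
        code = f"{secrets.randbelow(10**6):06d}"
        digest = hashlib.sha256(code.encode()).digest()  # never store the code itself
        self.pending[number] = (digest, self.now() + OTP_TTL, MAX_TRIES)
        self.sends[number] = recent + [self.now()]
        self.send(number, code)
        return self._record(number, "otp_sent")

    def verify(self, number, code):
        digest, expiry, tries = self.pending.get(number, (None, 0, 0))
        if digest is None or self.now() > expiry or tries <= 0:
            self.pending.pop(number, None)
            return self._record(number, "verify_failed")
        if hmac.compare_digest(digest, hashlib.sha256(code.encode()).digest()):
            del self.pending[number]  # single use
            return self._record(number, "login_ok")
        self.pending[number] = (digest, expiry, tries - 1)
        return self._record(number, "verify_failed")
```

The caller should show the same response for `otp_sent` and `rejected_unlisted` so the form does not reveal which numbers are on the list.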