How can a user change their phone number that is being used for TFA?
- Risk Based Authentication (RBA)
Phone verification using SMS or voice call is an authentication level supported by Gigya's RBA feature.
Gigya does not support users changing their two-factor authentication (TFA) phone number simply by updating their profile information. Instead, an administrator needs to call the accounts.tfa.deactivateProvider REST API method to reset the user's TFA devices. On the user's next login, the user will be prompted to set up a new phone number.
Note: For security reasons Gigya recommends doing this only after the requestor has provided sufficient verification that they are the account owner. Alternatively, it is also possible to build a custom flow using this API method that lets users reset their number after some form of step-up authentication (e.g. re-enter password).
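One way to gate the reset behind a recent password re-entry, as described in the note above. This is an added example, not Gigya's code. The endpoint host, the request parameter names (`apiKey`, `secret`, `UID`, `provider`), the `gigyaPhone` provider id, the five-minute window, and the `Session` and `send` helpers are assumptions to check against Gigya's API reference and your own application.

```python
import logging
import time
from dataclasses import dataclass
from typing import Callable, Optional

log = logging.getLogger("tfa_reset")

# Assumptions (not from the page): placeholder host, parameter names, provider id.
ENDPOINT = "https://accounts.DATACENTER.example/accounts.tfa.deactivateProvider"
PHONE_PROVIDER = "gigyaPhone"
STEP_UP_MAX_AGE = 300  # hypothetical policy: password re-entry valid for 5 minutes


@dataclass
class Session:  # hypothetical session record kept by your own application
    uid: str
    password_reverified_at: Optional[float] = None  # epoch seconds of last re-entry


class StepUpRequired(Exception):
    """The user must re-enter their password before the reset is allowed."""


def build_reset_request(uid: str, api_key: str, secret: str) -> dict:
    """Server-side request body; the secret must never reach the browser."""
    return {"url": ENDPOINT,
            "data": {"apiKey": api_key, "secret": secret,
                     "UID": uid, "provider": PHONE_PROVIDER}}


def reset_tfa_phone(session: Session, target_uid: str, send: Callable[[dict], dict],
                    api_key: str, secret: str, now: Optional[float] = None) -> dict:
    """Deactivate the phone provider only for the session owner after fresh step-up."""
    now = time.time() if now is None else now
    if session.uid != target_uid:
        log.warning("tfa reset denied: %s tried to reset %s", session.uid, target_uid)
        raise PermissionError("users may only reset their own TFA phone")
    verified = session.password_reverified_at
    if verified is None or not 0 <= now - verified <= STEP_UP_MAX_AGE:
        log.warning("tfa reset denied: no fresh step-up for %s", target_uid)
        raise StepUpRequired(target_uid)
    session.password_reverified_at = None  # single use: one re-entry, one reset
    response = send(build_reset_request(target_uid, api_key, secret))
    log.info("tfa phone reset requested for %s", target_uid)
    return response
```

In production, `send` would be a thin wrapper that POSTs `data` to `url` over HTTPS from the server and returns the parsed JSON response.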