Telephony Validation versus Authentication


Is it possible to disallow Phone Call for authentication while still allowing phone call for validation when using self-registration?


If you disable “Phone Callback” as an authentication method then that also prevents it from being used in the self-enrollment portal.

Note that the phone number is only used for callback during enrollment if someone is trying to enroll a phone that was already assigned to a different user.

If someone is enrolling a brand new device and phone callback is disabled by policy, the user is able to enter the device’s phone number during enrollment and then continue on to install and activate Duo Mobile for push approvals. When they reach the end of the enrollment process phone call authentication wouldn’t be available, leaving the user to choose any other permitted method.

However, when phone callback is disabled by policy and a user tries to enroll a phone that already exists, that user is blocked from continuing past submitting the phone number. Instead of showing the screen where the user can select to call or text the number to verify ownership, we instead indicate that the number can’t be used for authentication.