I’m thrilled to announce that Azure AD B2C now supports phone-based sign-in and sign-up for apps using B2C custom policy!
With an increasing number of users signing in to apps on their mobile phones, and given the security risks of passwords, many organizations and developers are looking for ways to make sign-in and sign-up for their customer-facing apps more convenient and secure. This feature also takes us a step closer to our vision of passwordless authentication.
With this public preview, Azure AD B2C now supports phone sign-in and sign-up using a phone number and a one-time password (OTP). This means that app developers can add a user flow to their app that allows users to sign up and sign in by simply entering their phone number, which is verified by entering the OTP received via SMS (Figure 1). As with other B2C experiences, this user flow can be fully customized by the developer.
Figure 1. User flow with phone sign-in and sign-up using OTP.
The experience also includes support for seamless account protection and recovery for times when a user loses access to their phone or changes their phone number. During sign-up, users are required to provide a recovery email, which is then verified using an OTP (Figure 2).
Figure 2. The screen asking the user for recovery email.
When users change their phone number or don’t have access to their phone, they can use this recovery email to sign in. Updating from an old phone number to a new phone number requires verification via OTP sent to the email address (Figure 3). This mitigates the risk of accidental account takeover in the event of a phone number changing hands from one person to another.
Figure 3. The process of changing a phone number is accomplished in three steps: First, the user enters their old phone number. Second, the user signs in with the OTP sent to the recovery email they provided during sign-up. Third and finally, after the user successfully verifies their recovery email and signs in, they verify their new phone number.
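The sign-up, sign-in and phone-change flows from Figures 1 to 3 can be modelled as a small state machine, which makes the account-takeover mitigation concrete: the recovery code only ever goes to the email address already on file, and a new number is bound only after both that email and the new number have been verified. The following is an added illustration, not Azure AD B2C code and not its API; OTP length, the five-minute lifetime, the attempt limit and the in-memory outbox standing in for SMS and email delivery are all assumptions made for the example.

```python
"""Minimal model of the phone + OTP sign-up / sign-in / recovery flow.
Hypothetical illustration only: not Azure AD B2C code and not its API.
SMS and email delivery are replaced by an in-memory outbox so it runs offline."""
import hashlib
import hmac
import secrets
import time

OTP_TTL_SECONDS = 300   # assumption: a code is valid for five minutes
MAX_ATTEMPTS = 5        # assumption: a challenge is discarded after five wrong guesses


class OtpDirectory:
    def __init__(self, clock=time.time):
        self.clock = clock
        self.accounts = {}           # phone -> recovery email
        self.challenges = {}         # (channel, target, purpose) -> pending OTP
        self.outbox = []             # constructed stand-in for SMS/email delivery
        self.recovery_sessions = {}  # token -> phone whose recovery email was proven

    # --- OTP plumbing -------------------------------------------------------
    def _issue(self, channel, target, purpose):
        code = f"{secrets.randbelow(10 ** 6):06d}"
        self.challenges[(channel, target, purpose)] = {
            "digest": hashlib.sha256(code.encode()).hexdigest(),  # never store the code itself
            "expires_at": self.clock() + OTP_TTL_SECONDS,
            "attempts": 0,
        }
        self.outbox.append((channel, target, code))  # "deliver" the code

    def _verify(self, channel, target, purpose, code):
        key = (channel, target, purpose)
        ch = self.challenges.get(key)
        if ch is None or self.clock() > ch["expires_at"]:
            self.challenges.pop(key, None)
            return False
        ch["attempts"] += 1
        ok = hmac.compare_digest(ch["digest"], hashlib.sha256(code.encode()).hexdigest())
        if ok or ch["attempts"] >= MAX_ATTEMPTS:
            del self.challenges[key]   # single use; also dropped after too many failures
        return ok

    # --- Figures 1 and 2: sign-up verifies the phone and the recovery email --
    def start_sign_up(self, phone, recovery_email):
        self._issue("sms", phone, "signup")
        self._issue("email", recovery_email, "signup")

    def finish_sign_up(self, phone, sms_code, recovery_email, email_code):
        if not self._verify("sms", phone, "signup", sms_code):
            return False
        if not self._verify("email", recovery_email, "signup", email_code):
            return False
        self.accounts[phone] = recovery_email
        return True

    # --- Figure 1: sign-in with phone number + SMS OTP -----------------------
    def start_sign_in(self, phone):
        if phone in self.accounts:
            self._issue("sms", phone, "signin")

    def finish_sign_in(self, phone, code):
        return phone in self.accounts and self._verify("sms", phone, "signin", code)

    # --- Figure 3: change phone number via the recovery email ----------------
    def start_recovery(self, old_phone):
        # Step 1: the user names the old number; the code goes to the recovery
        # email already on file, never to an address or number the caller supplies.
        email = self.accounts.get(old_phone)
        if email is not None:
            self._issue("email", email, "recovery")

    def finish_recovery(self, old_phone, code):
        # Step 2: proving control of the recovery email yields a recovery session.
        email = self.accounts.get(old_phone)
        if email is None or not self._verify("email", email, "recovery", code):
            return None
        token = secrets.token_urlsafe(16)
        self.recovery_sessions[token] = old_phone
        return token

    def start_phone_change(self, token, new_phone):
        # Step 3a: only a recovered session may begin verifying a new number.
        if token in self.recovery_sessions and new_phone not in self.accounts:
            self._issue("sms", new_phone, "rebind")

    def finish_phone_change(self, token, new_phone, code):
        # Step 3b: the new number is verified first, then the account is re-keyed.
        old_phone = self.recovery_sessions.get(token)
        if old_phone is None or not self._verify("sms", new_phone, "rebind", code):
            return False
        self.accounts[new_phone] = self.accounts.pop(old_phone)
        del self.recovery_sessions[token]
        return True

    def last_code(self, channel, target):
        """Test helper: the code most recently 'delivered' to a target."""
        return next(c for ch, t, c in reversed(self.outbox) if ch == channel and t == target)
```

The codes are stored only as hashes and compared in constant time, each challenge is single-use and expires, and the recovery path never lets the caller choose where the recovery OTP is sent; those three properties are what stop a recycled phone number from becoming an account takeover.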
In addition, phone-based sign-in and sign-up can be used in conjunction with other authentication methods such as email-based username and password (Figure 4), or the social identity providers already supported by Azure AD B2C.
Figure 4. The combined page that contains both sign in and sign up for phone and email.