Handling Twilio SMS 'STOP' Opt-Outs in FusionAuth MFA Workflows
-
When using Twilio for multi-factor authentication with SMS, there is built-in functionality such that if a user replies "Stop" to a text, all future communication for that number is blocked. If this happens, the user will no longer be able to receive a code to log in. What is the best way to work around this?
-
This is a known issue with Twilio’s SMS service. A good approach is to use a dedicated Twilio phone number only for MFA codes, and another number for other notifications so users are less likely to reply with “STOP.” Alternatively, you could switch to other MFA methods like TOTP, using apps such as Google Authenticator or Authy, or use email-based MFA. Keep in mind that once a user sends “STOP,” Twilio blocks all future messages until they opt back in by texting “START.” Educating users not to reply “STOP” to MFA messages is also helpful.
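
An added example, not part of the original answer and not FusionAuth or Twilio code: one way to record opt-outs so the login flow can offer TOTP or email instead of an SMS that will never arrive. It assumes Twilio's inbound-message webhook (form fields `From` and `Body`, `X-Twilio-Signature` header) is pointed at your service; the function names, token, URL and in-memory store are hypothetical.

```python
import base64
import hashlib
import hmac

# Constructed placeholders; use your real auth token and public webhook URL.
AUTH_TOKEN = "constructed-test-token"
WEBHOOK_URL = "https://example.com/twilio/inbound"

# Hypothetical in-memory store; a real service would persist this per user.
opted_out = set()

def twilio_signature(url, params, token):
    """Compute X-Twilio-Signature: HMAC-SHA1 over the URL followed by the
    POST fields sorted by name (name+value, no delimiters), base64-encoded."""
    data = url + "".join(k + params[k] for k in sorted(params))
    mac = hmac.new(token.encode(), data.encode(), hashlib.sha1)
    return base64.b64encode(mac.digest()).decode()

def handle_inbound(params, signature):
    """Process one inbound-SMS webhook call. Returns False if rejected."""
    # Reject requests not signed with the account auth token, so opt-out
    # state cannot be changed by forged requests.
    expected = twilio_signature(WEBHOOK_URL, params, AUTH_TOKEN)
    if not hmac.compare_digest(expected, signature):
        return False
    keyword = params.get("Body", "").strip().upper()
    if keyword == "STOP":      # user opted out: SMS codes will be blocked
        opted_out.add(params["From"])
    elif keyword == "START":   # user opted back in
        opted_out.discard(params["From"])
    return True

def choose_mfa_method(phone, enrolled):
    """Return the first enrolled method that can actually be delivered,
    skipping SMS for numbers that have opted out. None means no usable
    method, so the user needs a recovery path."""
    for method in enrolled:
        if method == "sms" and phone in opted_out:
            continue
        return method
    return None
```

When `choose_mfa_method` returns `None`, the account has only SMS enrolled and the number is blocked, which is the case to surface to the user with instructions to text "START".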