Allow users to put in their own mobile number for 2fa
Richard T
I just turned on 2FA for CitrusLime, and when you click on 'Setup for SMS' the user has to have a number already associated with their account before finalising this.
For larger companies this is no good, as the administrator will have to go through, collect numbers and then add numbers for 200+ people; this will take days out of a user's time to do this.
To appeal to your larger customers, there needs to be a self-service area for the users. We've had to turn off 2FA until we can work out next steps.
Allowing a user to enter their own number is how any other system works, e.g. Dojo, which is a payment provider with super high security.
Neil McQuillan - CEO Citrus-Lime
Personally I wonder if it's worth considering moving to an 'Auth App' based flow; these are more reliable, faster and more secure.
🔐 Why SMS-based 2FA is being phased out
• SIM-swap attacks: Attackers can transfer a phone number to a new SIM and intercept codes.
• Message interception: SMS is transmitted in plain text and can be spoofed or redirected.
• Network dependency: No signal = no 2FA access.
• Slower user experience: Code delivery latency (especially when roaming) often causes login friction.
⸻
✅ Why authenticator-app 2FA is better
• Higher security: TOTP (time-based one-time password) codes are generated locally, not sent over the network.
• Offline operation: Works even without mobile coverage.
• Better UX: Instant code access or push-notification approval (“tap to approve”).
• Compatibility: Supported by most major identity providers (Azure AD, Okta, Google, etc.).
• More reliable recovery: Backup/transfer support through encrypted cloud sync in modern apps (e.g., Authy, Microsoft Authenticator).
Neil McQuillan - CEO Citrus-Lime
You can also use centralised TOTP code generators which allow you to disable them for staff members who have left or are outside of the business for a period. Zoho Vault is held in high regard by many of our customers.
Suzy Weightman
Hi Richard,
Thanks for the feedback.
We purposefully removed the step that allows users to enter their own number during 2FA setup, as we deemed it to be insecure — if a user’s credentials were ever compromised, this would allow a bad actor to register any mobile number and gain access.
To maintain account integrity, only existing numbers can be used for SMS-based 2FA. Because of this, we don’t plan to change the current flow.
For larger teams, we’d recommend using the Authenticator app option instead — it avoids the need to manage mobile numbers centrally and provides a higher level of security overall.
Thanks,
Suzy
Richard T
Suzy Weightman Thanks Suzy. The issue with the authenticator inside CitrusLime is that we have to contact support to get this reset. Hopefully this won't happen too often. A self-service portal would be awesome, where users can put in backup email addresses, reset passwords, change numbers etc. Maybe in the future :)