# Handling SMS Verification

Aikido supports SMS-based verification for authenticated pentests by provisioning a dedicated phone number for your authentication set.

**Use this feature if your application requires:**

* **SMS 2FA / MFA:** A text message code is required after entering username/password.

{% hint style="info" %}
If your app uses authenticator apps, use [TOTP setup](https://help.aikido.dev/pentests/configure-a-pentest/setting-up-authenticated-testing/handling-two-factor-authentication-totp).

If your app sends codes via Email, use the [Email Verification feature](https://help.aikido.dev/pentests/configure-a-pentest/setting-up-authenticated-testing/handling-email-verification-and-magic-links).
{% endhint %}

#### How it works

In the **Test User** modal, Aikido can create a phone number for your project. You use that number in your login flow, and include it in your instructions with the `<phone_number>` placeholder.

You can open **View Messages** at any time to inspect incoming SMS messages and quickly copy detected verification codes.

#### Setup Guide

{% stepper %}
{% step %}
**Select the SMS Authentication Method**

When adding a test user, choose **Username & Password + SMS Verification**.
{% endstep %}

{% step %}
**Create a Phone Number**

In the **SMS Phone Number** section:

1. Click **Create Phone Number**.
2. Copy the generated number.

<div data-with-frame="true"><figure><img src="https://3149773201-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FyKbzcQGrx7UtrG0nPZZ7%2Fuploads%2F6PnSk1zhDTAmqsimR0I8%2FScreenshot%202026-03-04%20at%2013.03.10.png?alt=media&#x26;token=e4e8c7b7-78c6-455a-b30a-e72c703bddf2" alt=""><figcaption></figcaption></figure></div>
{% endstep %}

{% step %}
**Use the Number in Your App**

Configure your test user so SMS verification codes are sent to the generated number.
{% endstep %}

{% step %}
**Update Authentication Instructions**

Use explicit, step-by-step instructions and include `<phone_number>` where relevant.

**Example Instruction:**

```
1. Navigate to https://app.example.com/login
2. Enter username: pentest_user
3. Enter password: super_secure_password
4. Click "Log In"
5. Wait for an SMS verification code sent to +1234567890
6. Enter the SMS code and click "Verify"
```

{% endstep %}

{% step %}
**Watch Incoming Messages**

Click **View Messages** to open the SMS inbox:

* Messages appear in real time.
* If a numeric code is detected, use **Copy Code** for quick input/testing.

<div data-with-frame="true"><figure><img src="https://3149773201-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FyKbzcQGrx7UtrG0nPZZ7%2Fuploads%2FTwZO0WsY1fquuWt8BwQK%2FScreenshot%202026-03-04%20at%2013.06.38.png?alt=media&#x26;token=5ccb2a1e-26ea-4176-bd27-3b45fc747c72" alt=""><figcaption></figcaption></figure></div>
{% endstep %}

{% step %}
**Test the Configuration**

1. Click **Save & Test**.
2. The agent runs the login flow, including the SMS verification step.
3. Confirm it reaches the authenticated state.
   {% endstep %}
   {% endstepper %}

#### Troubleshooting

* **No SMS received:** Confirm your app sends codes to the exact generated number and that the test user profile is updated.
* **Placeholder not replaced:** Use the exact token `<phone_number>` in your instructions.
* **Could not create phone number:** Check wallet balance, creating phone numbers is for free but requires you to have enough credits in your wallet to avoid abuse.