Improved Behavior for MFA Verification Code with SMS

This article describes a small change to the MFA behavior with SMS verification codes in the Cato Client. No action is required.

Overview of the Change to the Cato Client

In a few weeks, Cato will change the behavior for verification codes sent over SMS messages for Multi-Factor Authentication (MFA). When the SMS MFA code expires, end-users will request that a verification code be sent to their mobile device. Then they can enter the code to complete the authentication process.

The previous behavior was that as soon as the SMS MFA code expired, the Cato Client automatically requested a verification code, and it was then sent to the end-user’s device. This meant that end-users could receive SMS messages at unnecessary or inconvenient times.

The new behavior lets end-users receive SMS MFA verification codes at a time that is convenient for them.

Who is Impacted by this Change?

This change impacts accounts that use MFA via SMS, either as a setting for the entire account or for individual SDP users in the account. The following screenshot shows an example of Authentication settings set to MFA using the SMS method:


The change also impacts accounts that are set to Any instead of SMS.


Note: Accounts that use only SSO to authenticate all SDP users, where the SSO provider is set to require MFA, are not impacted by this change.

What Changes Do I Need to Make?

No action is required on your part or by end-users. All SDP users that are required to authenticate with MFA and SMS codes will be automatically upgraded to the new behavior. Cato is starting the gradual roll-out for the new behavior for MFA verification code with SMS in a few weeks. If necessary, please announce this small change and let the end-users in your organization know about the new behavior.

This applies to Clients on all supported OS and devices.

Who Do I Talk to if I Have Questions?

Please contact Support, or your authorized Cato representative.

Explanation of the Old Client Behavior and the New Client Behavior

When end-users are connected to the network and the MFA session expires, they need to enter a new SMS verification code to re-authenticate to the Client. This is a common scenario for accounts that use Always On (Clients are forced to always connect to the network).

The following sections explain the end-user experience for the old and new behavior to re-authenticate to the network with an MFA verification code over SMS.

Old Client Behavior (Before August 2022)

  1. MFA session expires, and the Client tries to automatically re-connect to the network.

  2. An SMS verification code is automatically sent to the end-user.

    The end-user can enter the code in the Client to re-authenticate.

  3. If the end-user doesn't use the code to re-authenticate, a new code is sent periodically.

New Client Behavior (After August 2022)

  1. MFA session expires, and the Client tries to automatically re-connect to the network.

  2. The Client shows that the authentication is expired, and the end-user can click Send me a Code to request an SMS verification code.

  3. After receiving the code, the end-user enters the code in the Client to re-authenticate.

