Email MFA Codes - Expiration and Rate Limits

Problem Statement

If a user triggers email MFA, how long do they have to enter the code sent via email? How many codes can be requested before hitting rate limits?

Steps to Reproduce

Trigger Email MFA and wait 5 minutes


Email MFA codes follow the MFA transaction lifetime, which means they are good for 5 minutes. The email code expires after 5 minutes. Entering the code after 5 minutes will return an error stating that the code is invalid.

The email can be resent from that same screen, allowing the user to try again with a new code.

After 10 minutes, the login transaction expires. When the user enters the code, they will be redirected to the Application Login URI. If there is still an active session, the user will be sent again to the MFA page, where they will get another email sent, and the process starts again

The Email MFA limit is 20 per minute, with the bucket refill rate at 1 per minute. This is not a configurable setting.