Email MFA Codes - Validity Period and Rate Limits

Last Updated: Sep 24, 2024

Overview

This article clarifies how long the code sent via email is valid when a user triggers email MFA. It also specifies how many codes can be requested before hitting rate limits.

Applies To

  • Multifactor Authentication (MFA)
  • Email Factor
  • Email Code Validity

Solution

Email MFA codes follow the MFA transaction lifetime, so each code is valid for 5 minutes. Entering a code more than 5 minutes after it was sent returns an error stating that the code is invalid.

The email can be resent from that same screen, allowing the user to try again with a new code.

After 10 minutes, the login transaction expires. If the user enters the code after that point, they are redirected to the Application Login URI. If there is still an active session, the user is sent back to the MFA page, where another email is sent and the process starts again.

The Email MFA limit is 20 per minute, with the bucket refill rate at 1 per minute. This is not a configurable setting.
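The timings above can be modelled to plan tests or to explain lockouts to users. The following is an added example, not code from the product or from this article's author; it simulates the token bucket and the two expiry windows. Assumptions: "20 per minute" is read as a bucket size of 20, the transaction clock starts when MFA is triggered, and the names EmailBucket, sends_allowed and code_status are hypothetical.

```python
from dataclasses import dataclass

CODE_TTL_S = 5 * 60      # article: an email code is valid for 5 minutes
TXN_TTL_S = 10 * 60      # article: the login transaction expires after 10 minutes
SEND_COST_S = 60         # article: the bucket refills at 1 send per minute
CAPACITY_S = 20 * SEND_COST_S  # assumption: "20 per minute" is the bucket size


@dataclass
class EmailBucket:
    """Token bucket kept as whole seconds of credit so the arithmetic is exact."""
    credit: int = CAPACITY_S
    last: int = 0

    def allow(self, now: int) -> bool:
        # Earn one second of credit per elapsed second, capped at a full bucket.
        self.credit = min(CAPACITY_S, self.credit + (now - self.last))
        self.last = now
        if self.credit >= SEND_COST_S:
            self.credit -= SEND_COST_S
            return True
        return False


def sends_allowed(request_times):
    """Count the send requests (seconds, ascending) that a full bucket lets through."""
    bucket = EmailBucket()
    return sum(bucket.allow(t) for t in request_times)


def code_status(txn_start, sent_at, entered_at):
    """Classify a code entry; assumes the transaction clock starts at txn_start."""
    if entered_at - txn_start > TXN_TTL_S:
        return "transaction_expired"  # redirect to the Application Login URI
    if entered_at - sent_at > CODE_TTL_S:
        return "code_invalid"         # user can resend from the same screen
    return "accepted"


if __name__ == "__main__":
    # Constructed timelines, not measurements from a tenant.
    print(sends_allowed([0] * 25))                        # burst of 25 requests
    print(sends_allowed([0] * 20 + list(range(1, 601))))  # then one request per second
    print(code_status(0, 240, 500))                       # resent code, still in window
```

Under these assumptions, a user who exhausts the bucket can receive only one further email per minute, so repeated use of the resend link is the most likely way to hit the limit.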