Email OTP code submission through proxy, "You've reached the maximum number of attempts. Please try to login again"

Hi,

We’ve implemented a passwordless login service that asks the user for an OTP code. We receive this OTP code & email through AWS Lambda, and that function acts as a proxy to send a request to our Auth0 endpoint, with the following data:

        data: {
          grant_type: 'http://auth0.com/oauth/grant-type/passwordless/otp',
          username: payload.email,
          otp: payload.emailCode,
          realm: 'email',
          audience: ...,
          scope: ...,
          client_id: ...,
          client_secret: ...,
        },

Keep in mind that we have a truly passwordless implementation, where the OTP code is the sole way that users can verify their emails in our app.

This works well when the code provided is correct. When the code provided is incorrect, the response is a 403 with the following data:

  data: {
    error: 'invalid_grant',
    error_description: 'Wrong email or verification code.'
  }

which is expected. However, when the code is wrong more than twice, then we start receiving a 403 with the following data instead:

  data: {
    error: 'invalid_grant',
    error_description: "You've reached the maximum number of attempts. Please try to login again."
  }

Which struck me initially as a rate-limit message but from inspecting the headers, it is not a rate-limit issue:

    'x-ratelimit-limit': '30',
    'x-ratelimit-remaining': '29',

So it seems to be a protection for limiting the number of requests that a client is able to make for a given email before they are locked out. Only after I refresh my page am I able to make the two attempts with the OTP code, and then again I keep receiving the ‘You’ve reached the maximum number of attempts’ message.

My questions are the following:

  1. Where can I find more documentation about the ‘You’ve reached the max # of attempts’ error_description? A Google search didn’t provide me with much.
  2. How can I increase the number of attempts from 2 bad attempts, as this is too limited?
  3. Why does refreshing the page seem to cause this ‘resetting’ behaviour, although no information about the client is part of the payload to Auth0? Does this potentially have to do with our Lambda proxying implementation?

Do you have a solution for this issue? I have the same problem.

Did you find the solution? I am also facing the same issue.

I have the same problem.

I’m encountering the same issue, exactly as described by @peterju

Can you guys please look into this or at least respond? Nearly three years and you haven’t even been polite enough to respond to the question.

Hi @davetrust , welcome to the Auth0 community and thanks for bringing this thread back to our attention.

I’m not sure about the specifics for point 3 and why it allows the code to be entered again after a refresh; perhaps further investigation into the tenant logs might help to understand it more clearly.
As for the other query, and specific to the ‘You’ve reached the maximum number of attempts’ message: this is an attack protection limit that is built into the passwordless connection. Information can be found here in our docs.

Unfortunately it’s not a limit that can be altered or increased currently; instead, the user needs to request a new code once the limit has been reached after 3 failed attempts.

Hope this info helps you and others that may come across the failure message. Thanks
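
To make the behaviour discussed in the original question and in the reply above concrete, here is an added example (not code from the original poster, and not Auth0's own code) of a Lambda-style proxy that forwards the passwordless OTP grant and tells the two `invalid_grant` responses apart, together with a constructed in-memory stand-in for the Auth0 tenant so the lockout can be exercised offline. Assumptions, none of which the thread verifies: the real endpoints are `POST /oauth/token` (the grant shown in the question) and `POST /passwordless/start` with `connection: 'email'` and `send: 'code'` to issue a fresh code; the lockout is modelled per issued code, so that the third wrong submission and everything after it returns the "maximum number of attempts" message, matching what the question observed and what the reply states; and the stand-in returns the generated code in its response purely so the demo can use it, which a real tenant of course does not.

```javascript
// Added example, not from the original post or from Auth0.
// Models the Lambda proxy from the thread plus a constructed fake tenant
// that behaves the way the thread describes: per-code failure counter,
// lockout after MAX_FAILED_ATTEMPTS, reset only by requesting a new code.

const OTP_GRANT = 'http://auth0.com/oauth/grant-type/passwordless/otp';
const MAX_FAILED_ATTEMPTS = 3; // the limit stated in the reply (assumption: counted per issued code)
const LOCKED_MARKER = 'maximum number of attempts';

const WRONG_CODE = { status: 403, data: { error: 'invalid_grant',
  error_description: 'Wrong email or verification code.' } };
const LOCKED = { status: 403, data: { error: 'invalid_grant',
  error_description: "You've reached the maximum number of attempts. Please try to login again." } };

// --- Constructed stand-in for the Auth0 tenant (not Auth0's real logic) -----
function makeFakeAuth0() {
  const issued = new Map(); // email -> { code, failures }
  return {
    // Stand-in for POST /passwordless/start: issue a new code, reset the counter.
    start({ email }) {
      const code = String(Math.floor(100000 + Math.random() * 900000));
      issued.set(email, { code, failures: 0 });
      return { status: 200, data: { email, code } }; // code exposed only for the demo
    },
    // Stand-in for POST /oauth/token with the passwordless OTP grant.
    token(body) {
      if (body.grant_type !== OTP_GRANT || body.realm !== 'email') {
        return { status: 400, data: { error: 'unsupported_grant_type' } };
      }
      const entry = issued.get(body.username);
      if (!entry) return WRONG_CODE;                       // no outstanding code
      if (entry.failures >= MAX_FAILED_ATTEMPTS) return LOCKED; // even a correct code no longer helps
      if (body.otp !== entry.code) {
        entry.failures += 1;
        return entry.failures >= MAX_FAILED_ATTEMPTS ? LOCKED : WRONG_CODE;
      }
      issued.delete(body.username);                         // a code is single-use
      return { status: 200, data: { access_token: 'at-' + body.username, token_type: 'Bearer' } };
    },
  };
}

// Map Auth0's token response onto an outcome the front end can act on.
// Both 403s carry error 'invalid_grant'; only the description differs, and
// neither is a rate limit (x-ratelimit-remaining stays high in the question).
function classifyTokenResponse(res) {
  if (res.status === 200 && res.data && res.data.access_token) return 'ok';
  if (res.status === 403 && res.data && res.data.error === 'invalid_grant') {
    return String(res.data.error_description).includes(LOCKED_MARKER) ? 'locked' : 'wrong_code';
  }
  return 'error';
}

// The proxy. `auth0` is any object with start()/token(); in the Lambda it
// would wrap HTTP calls to the tenant. `clientConfig` holds the elided fields.
function makeProxy(auth0, clientConfig) {
  return {
    requestCode(email) {
      return auth0.start({ client_id: clientConfig.client_id, client_secret: clientConfig.client_secret,
        connection: 'email', email, send: 'code' });
    },
    verify(payload) {
      const res = auth0.token({
        grant_type: OTP_GRANT, username: payload.email, otp: payload.emailCode, realm: 'email',
        audience: clientConfig.audience, scope: clientConfig.scope,
        client_id: clientConfig.client_id, client_secret: clientConfig.client_secret,
      });
      const outcome = classifyTokenResponse(res);
      switch (outcome) {
        case 'ok':         return { statusCode: 200, outcome, tokens: res.data };
        case 'wrong_code': return { statusCode: 403, outcome, message: 'Wrong code, try again.' };
        case 'locked':     return { statusCode: 403, outcome,
                                    message: 'Too many wrong codes for this one; request a new code.' };
        default:           return { statusCode: 502, outcome, message: 'Upstream error' };
      }
    },
  };
}

// Walk through the lockout and the only recovery path the reply describes.
function runLockoutScenario() {
  const auth0 = makeFakeAuth0();
  const proxy = makeProxy(auth0, { client_id: 'cid', client_secret: 'secret',
    audience: 'https://api.example.test', scope: 'openid' }); // constructed values
  const email = 'user@example.test';
  const { data: { code } } = proxy.requestCode(email);
  const wrong = code === '000000' ? '111111' : '000000';
  const outcomes = [];
  for (let i = 0; i < 3; i++) outcomes.push(proxy.verify({ email, emailCode: wrong }).outcome);
  outcomes.push(proxy.verify({ email, emailCode: code }).outcome); // correct code, still locked
  const { data: { code: fresh } } = proxy.requestCode(email);   // new code resets the counter
  outcomes.push(proxy.verify({ email, emailCode: fresh }).outcome);
  return outcomes;
}
```

`runLockoutScenario()` yields `wrong_code, wrong_code, locked, locked, ok`: once locked, the correct code for that issuance is rejected too, and only a fresh `start` clears it. One check this suggests for point 3 of the question, which the thread leaves open: if the front end triggers a new `start` on page load, every refresh would issue a fresh code and reset the counter, which is what the question observed.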

You know you don’t need to bother responding on this thread if that’s the kind of “help” you’re giving. Can you perhaps pass this along to someone at Auth0 with more experience in these matters?