When using passwordless authentication with email via one-time-password (x digit verification code) the documentation (see below) clearly states:
“Only the last one-time password (or link) issued will be accepted. Once the latest one is issued, any others are invalidated. Once used, the latest one is also invalidated.”
The problem for many of our users is the following:
The email sent to the user's inbox might not arrive within a few seconds. The mail might be delayed due to greylisting, or it might end up in the user's spam folder. While the user is unaware of that delay, they repeatedly request a (new) verification code. But because this generates a completely new code each time they request a verification code, they end up with a whole bunch of emails (in their inbox or spam folder), each with a different verification code. So they have no way of knowing which of those codes they have to present to the authentication service. Once they start guessing, they become frustrated or (even worse) exceed the limit of failed attempts, making the very last verification code invalid:
“Only three failed attempts to input the one-time password are allowed. After this, a new code will need to be requested.”
In this situation, they end up with a lot of frustration, might think something went wrong, and will contact our support (or, even worse, give up). That's not a pleasant user experience.
Are there any plans to extend the configuration of this type of authentication method so that it resends the same (!) verification code until its OTP expiry has been exceeded?
Kind Regards
André
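To make the two behaviours concrete, here is an added example (not part of the post above and not the vendor's own code) of a minimal email-OTP issuer. It implements the requested "resend the same code until expiry" policy beside the documented "only the latest code is valid" policy, together with the quoted three-failed-attempts lockout; the code length, the five-minute TTL and the `OtpIssuer` class are assumptions.

```python
import secrets
import time

CODE_LENGTH = 6            # "x digit verification code": 6 digits assumed here
OTP_TTL_SECONDS = 300      # assumed expiry window for one code
MAX_FAILED_ATTEMPTS = 3    # quoted documentation: three failed attempts allowed


class OtpIssuer:
    """Per-address OTP state. With reuse_until_expiry=True a repeat request
    returns the live code again, so every mail the user eventually finds
    carries a working code; with False it behaves as documented and replaces
    the code on every request, invalidating all earlier mails."""

    def __init__(self, reuse_until_expiry=True, now=time.time):
        self.reuse_until_expiry = reuse_until_expiry
        self.now = now                  # injectable clock (used by the test)
        self._codes = {}                # email -> {"code", "expires", "failed"}

    def request_code(self, email):
        entry = self._codes.get(email)
        if (self.reuse_until_expiry and entry
                and entry["expires"] > self.now()
                and entry["failed"] < MAX_FAILED_ATTEMPTS):
            return entry["code"]        # resend the same live code
        code = "".join(secrets.choice("0123456789") for _ in range(CODE_LENGTH))
        # Replacing the entry is what invalidates every previously issued code.
        self._codes[email] = {"code": code,
                              "expires": self.now() + OTP_TTL_SECONDS,
                              "failed": 0}
        return code

    def verify(self, email, code):
        entry = self._codes.get(email)
        if entry is None or entry["expires"] <= self.now():
            return False                # no live code, or it has expired
        # Constant-time comparison so a wrong guess leaks no timing information.
        if secrets.compare_digest(entry["code"].encode(), code.encode()):
            del self._codes[email]      # single use: consumed on success
            return True
        entry["failed"] += 1
        if entry["failed"] >= MAX_FAILED_ATTEMPTS:
            del self._codes[email]      # lockout: a new code must be requested
        return False
```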