Feature request: Different error code for users in rate limit is necessary

Feature:
A different error code for users in the rate limit is necessary when a user attempts MFA SMS using Guardian-js-sdk.

Description:

We implemented MFA SMS using Guardian-js-sdk, and found 2 problems with it.

  1. As you know, when a user enters an incorrect SMS code over 10 times, the user will be locked or rate limited.

But Auth0’s response error code is the same, “invalid_otp”, both when the user enters an incorrect SMS code and when the user is locked.

So, we can’t show users the correct message according to the user’s status because we can’t distinguish whether the user entered an incorrect code or the user is locked.

We found that there is no error code like “too_many_incorrect_input”.

  2. In the above case, the user can still send a new SMS code,
    and the user will get the same response message “invalid_otp” even though the user enters the correct new SMS code.

So, we suggest 2 improvements.

  1. Return a different error code when the user enters an incorrect SMS code and when the user is locked.

  2. Prevent users from sending a new SMS code and show them a message like “You can’t send SMS code because account is locked. Wait for a while” when their account is locked.
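Until a distinct error code exists, the only signal the client has is the run of consecutive “invalid_otp” replies. The following is an added example, not code from the post and not part of Guardian-js-sdk or Auth0: a small client-side tracker that counts those replies, switches the UI into a “locked” state at the threshold the post mentions (10), disables the resend action while locked, and clears after a cool-off. The error-object shape (`{ errorCode }`), the `sdkVerify` callback and the 5-minute cool-off window are assumptions for illustration, not Auth0 values.

```javascript
// Added example, not part of the original post and not Guardian-js-sdk code.
// A client-side tracker that counts consecutive "invalid_otp" results so the
// UI can tell "wrong code" from "probably locked" even though the server
// returns the same error code for both states.
// Assumptions: the SDK error is an object with an `errorCode` string;
// the lock threshold follows the post (10 wrong codes); the cool-off
// window is a constructed placeholder, not an Auth0 value.

const LOCK_THRESHOLD = 10;
const LOCK_WINDOW_MS = 5 * 60 * 1000;

class OtpAttemptTracker {
  // `now` is injectable so the cool-off can be tested without waiting.
  constructor(now = () => Date.now()) {
    this.now = now;
    this.failures = 0;
    this.lockedAt = null;
  }

  isLocked() {
    if (this.lockedAt === null) return false;
    if (this.now() - this.lockedAt >= LOCK_WINDOW_MS) {
      // Cool-off elapsed: forget the lock and the failure count.
      this.failures = 0;
      this.lockedAt = null;
      return false;
    }
    return true;
  }

  // Map a verification result to a UI status.
  // `err` is null on success, otherwise { errorCode: string }.
  classify(err) {
    if (this.isLocked()) {
      // While locked, even a correct new code comes back as invalid_otp
      // (see the post), so the server reply cannot be trusted here.
      return 'locked';
    }
    if (err === null) {
      this.failures = 0;
      return 'ok';
    }
    if (err.errorCode !== 'invalid_otp') return 'error';
    this.failures += 1;
    if (this.failures >= LOCK_THRESHOLD) {
      this.lockedAt = this.now();
      return 'locked';
    }
    return 'invalid_code';
  }

  // The resend button is disabled while the tracker believes the
  // account is locked, as the post suggests.
  canResend() {
    return !this.isLocked();
  }

  // Remaining cool-off in seconds, 0 when not locked.
  secondsUntilRetry() {
    if (!this.isLocked()) return 0;
    return Math.ceil((LOCK_WINDOW_MS - (this.now() - this.lockedAt)) / 1000);
  }
}

// User-facing text per status; the "locked" wording follows the post.
function messageFor(status, tracker) {
  switch (status) {
    case 'ok':
      return 'Code accepted.';
    case 'invalid_code':
      return `Incorrect code. ${LOCK_THRESHOLD - tracker.failures} attempt(s) left before lock-out.`;
    case 'locked':
      return `You can't send SMS code because account is locked. Wait for a while (about ${tracker.secondsUntilRetry()} s).`;
    default:
      return 'Verification failed. Please try again.';
  }
}

// Typical wiring: sdkVerify(code) resolves on success or rejects with an
// error object; both the function and its contract are assumed here.
async function handleSubmit(tracker, sdkVerify, code) {
  if (tracker.isLocked()) return messageFor('locked', tracker);
  let err = null;
  try {
    await sdkVerify(code);
  } catch (e) {
    err = e;
  }
  return messageFor(tracker.classify(err), tracker);
}
```

The counter lives only in the browser, so it is a presentation aid: the server-side lockout remains the control that actually limits guessing, and the tracker merely stops the UI from showing “invalid code” for a user who is already locked and from offering a resend that will be rejected anyway. Because the page reports that a correct code also returns “invalid_otp” once locked, the tracker deliberately ignores the server reply while it believes the lock is in force.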