Feature request: Different error code for users in rate limit is necessary

Feature:
Different error code for users in rate limit is necessary when a user attempts MFA SMS using Guardian-js-sdk.

Description:

We implemented MFA SMS using Guardian-js-sdk, and found 2 problems with it.

  1. As you know, when a user enters an incorrect SMS code over 10 times, the user will be locked or rate limited.

But, Auth0’s response error code is the same, “invalid_otp”, when the user enters an incorrect SMS code and when the user is locked.

So, we can’t show users the correct message according to the user’s status because we can’t distinguish whether the user entered an incorrect code or the user is locked.

We found that there is no error code like “too_many_incorrect_input”.

  2. In the above case, the user can still send a new SMS code, and the user will get the same response message “invalid_otp” even though the user enters the correct new SMS code.

So, we suggest 2 improvements.

  1. Return a different error code when the user enters an incorrect SMS code and when the user is locked.

  2. Prevent users from sending a new SMS code and show them a message like “You can’t send an SMS code because your account is locked. Wait for a while” when their account is locked.
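As an added illustration (not code from the post or from Guardian-js-sdk), here is a client-side workaround for the two problems above: the app counts failed verifications itself, so after the lock threshold it can show a lockout message and refuse to request a new SMS even though the server keeps returning “invalid_otp”. The error object shape (`error.errorCode`), the cool-down length and the `OtpAttemptTracker` name are assumptions for the example.

```javascript
// Constructed example: local failed-attempt tracking so the UI can tell a
// typo apart from a lockout. The server reports "invalid_otp" in both cases.
const LOCK_THRESHOLD = 10;            // lock after 10 bad codes (as described in the post)
const LOCK_WINDOW_MS = 5 * 60 * 1000; // assumed cool-down before retrying; not an Auth0 value

class OtpAttemptTracker {
  constructor(now = () => Date.now()) {
    this.now = now;        // injectable clock so the lock window is testable
    this.failures = 0;
    this.lockedAt = null;
  }

  isLocked() {
    if (this.lockedAt === null) return false;
    if (this.now() - this.lockedAt >= LOCK_WINDOW_MS) {
      this.failures = 0;   // cool-down elapsed: allow the user to try again
      this.lockedAt = null;
      return false;
    }
    return true;
  }

  // Map one verify() outcome to a UI state. `error` is null on success or
  // an object with an `errorCode` string (assumed shape of the SDK error).
  classify(error) {
    if (this.isLocked()) return 'locked';   // even a correct code is reported as locked
    if (!error) { this.failures = 0; return 'ok'; }
    if (error.errorCode !== 'invalid_otp') return 'other_error';
    this.failures += 1;
    if (this.failures >= LOCK_THRESHOLD) {
      this.lockedAt = this.now();
      return 'locked';
    }
    return 'invalid_code';
  }

  // Improvement 2 from the post: do not request a new SMS while locked.
  canRequestNewCode() { return !this.isLocked(); }
}

const MESSAGES = {
  ok: 'Code accepted.',
  invalid_code: 'The code you entered is incorrect. Please try again.',
  locked: "You can't send an SMS code because your account is locked. Wait for a while.",
  other_error: 'Verification failed. Please try again later.',
};

function messageFor(state) { return MESSAGES[state]; }
```

The counter lives only in the client, so it is a usability aid and not a substitute for the server-side lock; a distinct error code from Auth0 would still be the real fix.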

Ambiguous Error Code: The invalid_otp error is too generic. It doesn’t differentiate between a user making a simple typo in the SMS code and a user being subject to a rate limit or account lock due to too many failed attempts.

You’ve accurately described a common challenge when implementing MFA with Auth0’s Guardian-js-sdk. The issue stems from the invalid_otp error code being returned for both incorrect SMS codes and when a user hits a rate limit (gets locked out due to too many failed attempts). This makes it difficult to provide specific.

Best Regards