You’ve accurately described a common challenge when implementing MFA with Auth0’s Guardian-js-sdk. The issue stems from the invalid_otp error code being returned both for incorrect SMS codes and when a user hits a rate limit (gets locked out due to too many failed attempts). This makes it difficult to provide specific.
Best Regards