Hi everyone,
I’m currently using Auth0 with the following setup:
- New Universal Login
- Username/password authentication
- Custom Database Connection
- Mobile number or username as the identifier
- Authentication profile uses Identifier + Password (Default)
- Custom SMS provider for OTP delivery
We are using Auth0’s forgot password flow with mobile number support.
The current flow works like this:
- User enters their mobile number
- OTP is sent via SMS
- User verifies the OTP
- User resets the password
The issue we are facing is related to OTP expiration.
Currently, the OTP only becomes invalid when a new OTP is requested. Otherwise, the same OTP remains valid indefinitely.
Our requirement is:
- OTP should automatically expire within 3 minutes even if the user does not request a new OTP.
Since we are using Universal Login, custom database connections, and a custom SMS provider, I would like to know:
- Does Auth0 provide any built-in way to enforce OTP expiration for this flow?
- Can OTP expiry be configured through Auth0 (we are not using the Passwordless flow)?
Would appreciate any guidance or best practices from anyone who has implemented a similar setup.
Thanks!