Forgot Password OTP Expiration Issue in Auth0 Universal Login When Using Mobile Number for OTP Delivery

Hi everyone,

I’m currently using Auth0 with the following setup:

  • New Universal Login

  • Username/password authentication

  • Custom Database Connection

  • Mobile number or username as the identifier

  • Authentication profile uses Identifier + Password (Default)

  • Custom SMS provider for OTP delivery

We are using Auth0’s forgot password flow with mobile number support.

The current flow works like this:

  1. User enters their mobile number

  2. OTP is sent via SMS

  3. User verifies the OTP

  4. User resets the password

The issue we are facing is related to OTP expiration.

Currently, the OTP only becomes invalid when a new OTP is requested. Otherwise, the same OTP remains valid indefinitely.

Our requirement is:

  • OTP should automatically expire within 3 minutes even if the user does not request a new OTP.

Since we are using Universal Login, custom database connections, and a custom SMS provider, I would like to know:

  1. Does Auth0 provide any built-in way to enforce OTP expiration for this flow?

  2. Can OTP expiry be configured through Auth0 (we are not using the Passwordless flow)?

Would appreciate any guidance or best practices from anyone who has implemented a similar setup.

Thanks!

Hi @yamunanga

Welcome to the Auth0 Community!

Auth0 does not currently provide a built-in way to customize or enforce a strict 3-minute OTP expiration specifically for the Database Connection password reset flow.
OTP expiry configuration is currently strictly limited to the Passwordless flow. For standard Database Connections utilizing phone number identifiers, Auth0 controls the underlying OTP lifecycle, and the expiration time is not exposed as a configurable setting.

I would highly recommend submitting a feature request on the community, or upvoting one that was previously created on the same matter.

Otherwise, your options would be to either shift to a Passwordless flow for your application (which is not ideal I believe) or to externalize the password reset flow through a custom portal handled by your backend.

If you have any other questions, let me know!

Kind Regards,
Nik