How long are Email MFA Codes valid for?

Problem Statement

If a user triggers email MFA, how long do they have to enter the code sent via email?

Solution

Email MFA codes follow the MFA transaction lifetime, which means they are valid for 5 minutes.

This is how it works:

  • The code sent by email expires after 5 minutes. If you enter it after 5 minutes, you are told the code is invalid.
  • You can resend the email from that same screen and try again with the new code.
  • After 10 minutes, the login transaction expires. When the user then enters their code, they are redirected to the Application Login URI. Because there is already a session, the user lands on the MFA page again, where another email is sent, and the process starts again.

Reference

https://auth0.com/docs/troubleshoot/authentication-issues/troubleshoot-mfa-issues#if-your-transaction-expires