MFA Brute force protection

Problem statement

Is it possible to lock an account after too many wrong MFA code attempts?
Is there anywhere we can set the threshold for how many wrong MFA attempts are allowed?

Solution

Account lockout on failed MFA attempts is not currently supported, and the failure threshold is not configurable. The endpoints that accept MFA codes are, however, rate limited, which gives a degree of protection against brute-force attacks: after 10 consecutive failed attempts the user must wait before they can make another attempt. Note that this is a temporary throttle, not a lockout; once the wait expires the user (or an attacker) can try again. Each time the limit is hit, the following event is logged, so monitoring it is the way to detect sustained guessing and decide whether to lock or block the account yourself:

gd_otp_rate_limit_exceed // Too many failures

This event is logged when a user, during enrollment or authentication, enters an incorrect code more than the maximum allowed number of times in a row. Example: a user enrolling in SMS enters the 6-digit code incorrectly more than 10 times in a row.
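Because the platform only throttles and never locks the account, the practical control is to watch for gd_otp_rate_limit_exceed in the log export and flag users who trip it repeatedly in a short window (each event means at least 10 wrong codes in a row). The script below is an added example written for this article, not code from the product or its documentation. It assumes a line-delimited JSON export with type, user_id, ip and date fields; those field names, the sample records and the 15-minute window are assumptions for the example.

```python
"""Flag users who repeatedly trip the MFA code rate limit.

The platform throttles after 10 consecutive wrong codes but does not lock
the account, so an operator has to act on the gd_otp_rate_limit_exceed
event. This example parses a log export (line-delimited JSON is an
assumed export format) and reports users with several rate-limit events
inside a sliding time window, which is the signal to lock the account or
open a case.
"""
import json
from collections import defaultdict
from datetime import datetime, timedelta

RATE_LIMIT_EVENT = "gd_otp_rate_limit_exceed"
FAILURES_PER_EVENT = 10  # the limit trips after 10 wrong codes in a row

# Constructed sample export for this example. The field names (type,
# user_id, ip, date) are assumptions, not a guaranteed log schema.
SAMPLE_EXPORT = "\n".join([
    json.dumps({"type": RATE_LIMIT_EVENT, "user_id": "auth0|alice",
                "ip": "198.51.100.7", "date": "2024-03-01T10:00:00Z"}),
    json.dumps({"type": RATE_LIMIT_EVENT, "user_id": "auth0|alice",
                "ip": "198.51.100.7", "date": "2024-03-01T10:04:30Z"}),
    json.dumps({"type": RATE_LIMIT_EVENT, "user_id": "auth0|alice",
                "ip": "198.51.100.7", "date": "2024-03-01T10:09:00Z"}),
    json.dumps({"type": RATE_LIMIT_EVENT, "user_id": "auth0|bob",
                "ip": "203.0.113.9", "date": "2024-03-01T11:00:00Z"}),
    json.dumps({"type": RATE_LIMIT_EVENT, "user_id": "auth0|bob",
                "ip": "203.0.113.9", "date": "2024-03-02T11:00:00Z"}),
    json.dumps({"type": "other_event", "user_id": "auth0|carol",
                "ip": "192.0.2.1", "date": "2024-03-01T10:00:00Z"}),
    "not json at all",  # malformed line: must be skipped, not fatal
])


def parse_events(text):
    """Return [(user_id, timestamp, ip)] for every rate-limit event in the export.

    Malformed lines, other event types and records without a usable
    timestamp are skipped so one bad line cannot stop the scan.
    """
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            rec = json.loads(line)
        except json.JSONDecodeError:
            continue
        if rec.get("type") != RATE_LIMIT_EVENT:
            continue
        try:
            ts = datetime.fromisoformat(rec["date"].replace("Z", "+00:00"))
        except (KeyError, ValueError, AttributeError):
            continue
        events.append((rec.get("user_id", "<unknown>"), ts, rec.get("ip")))
    return events


def repeat_offenders(events, hits=2, window=timedelta(minutes=15)):
    """Return {user_id: (max_events_in_window, source_ips)} for users who
    produced at least `hits` rate-limit events inside any `window`.

    A sliding window over the sorted timestamps keeps the check O(n) per
    user, and the source IPs of the densest window are reported so an
    operator can tell a forgetful user from a distributed guesser.
    """
    by_user = defaultdict(list)
    for user, ts, ip in events:
        by_user[user].append((ts, ip))

    flagged = {}
    for user, rows in by_user.items():
        rows.sort(key=lambda r: r[0])
        start, best, best_ips = 0, 0, ()
        for end in range(len(rows)):
            while rows[end][0] - rows[start][0] > window:
                start += 1
            count = end - start + 1
            if count > best:
                best = count
                best_ips = tuple(sorted({ip for _, ip in rows[start:end + 1] if ip}))
        if best >= hits:
            flagged[user] = (best, best_ips)
    return flagged


if __name__ == "__main__":
    for user, (count, ips) in repeat_offenders(parse_events(SAMPLE_EXPORT)).items():
        print(f"{user}: {count} rate-limit events in 15 min "
              f"(at least {count * FAILURES_PER_EVENT} wrong codes) from {', '.join(ips)}")
```

In the sample, alice trips the limit three times in nine minutes and is flagged, while bob's two events are a day apart and are not; widening the window (for example to days) would flag bob as well, which is the knob an operator tunes against their own false-positive tolerance.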