MFA rate limits for requesting OTP failure and delivery

Problem statement

Users are limited in how many times they can enter an incorrect OTP and in how many times they can request a new code. A user who enters the wrong OTP 10 times in under 6 minutes sees the message "Too many failed codes, Wait for some minutes before retrying."

Symptoms

Users enter the wrong OTP 10 times and then see the message "Too many failed codes, Wait for some minutes before retrying."

Steps to reproduce

  1. Enable the One-time password factor (Authenticator) or Phone Message (SMS) factor in MFA
  2. Set the policy to Always
  3. Log in
  4. Enter the wrong OTP code 10 times

Solution

What you observed is the expected behavior under the current design. Users can fail 10 times before the message "Too many failed codes, Wait for some minutes before retrying." is displayed. Once it appears, the user must wait at least 6 minutes before making another attempt.

Separate from the limit on entering failed codes, there is a rate limit on requesting a new code. The limits for requesting a new code are as follows:

  • Phone (SMS or voice): 10 requests, then the user is limited to requesting one message per hour
  • Email OTP: 20 requests, then the user is limited to requesting one message per minute
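As an added illustration, not Auth0's implementation and not code from this article, the following Python model encodes the two limits described above (10 failed code entries followed by a 6 minute wait, and per-channel delivery limits of 10 messages then one per hour for phone, 20 messages then one per minute for email) so you can see how they interact. The class and function names are invented. Two details the article does not specify are assumed here: the failed-attempt counter resets once the wait expires, and the initial delivery allowance does not refill on its own.

```python
import hmac
import time
from dataclasses import dataclass, field

# Limits as stated in the article.
FAILED_CODE_LIMIT = 10
FAILED_CODE_WAIT_SECONDS = 6 * 60

# Delivery limits per channel: (initial allowance, minimum interval afterwards).
# Channel names are invented for this example.
DELIVERY_LIMITS = {
    "sms": (10, 60 * 60),
    "voice": (10, 60 * 60),
    "email": (20, 60),
}


@dataclass
class UserMfaState:
    failed_attempts: int = 0
    locked_until: float = 0.0
    # channel -> (messages sent so far, timestamp of last message)
    deliveries: dict = field(default_factory=dict)


class MfaRateLimiter:
    """Hypothetical model of the two limits; `clock` is injectable for testing."""

    def __init__(self, clock=time.monotonic):
        self.clock = clock
        self.users = {}

    def _state(self, user):
        return self.users.setdefault(user, UserMfaState())

    def verify_code(self, user, submitted, expected):
        """Return 'ok', 'invalid', or 'locked' for one code entry."""
        state = self._state(user)
        now = self.clock()
        if now < state.locked_until:
            # Even a correct code is rejected while the wait is in effect.
            return "locked"
        # Constant-time comparison so timing does not leak which digits matched.
        if hmac.compare_digest(submitted, expected):
            state.failed_attempts = 0
            return "ok"
        state.failed_attempts += 1
        if state.failed_attempts >= FAILED_CODE_LIMIT:
            # Tenth failure: start the wait. Assumption: the counter resets afterwards.
            state.locked_until = now + FAILED_CODE_WAIT_SECONDS
            state.failed_attempts = 0
            return "locked"
        return "invalid"

    def request_code(self, user, channel):
        """Return True if a new code may be delivered on `channel` right now."""
        allowance, interval = DELIVERY_LIMITS[channel]
        state = self._state(user)
        count, last_sent = state.deliveries.get(channel, (0, None))
        now = self.clock()
        # After the initial allowance, one message per `interval` seconds.
        # Assumption: the allowance itself does not refill over time.
        if count >= allowance and last_sent is not None and now - last_sent < interval:
            return False
        state.deliveries[channel] = (count + 1, now)
        return True


if __name__ == "__main__":
    # Constructed walkthrough with a fake clock.
    fake_now = [0.0]
    limiter = MfaRateLimiter(clock=lambda: fake_now[0])
    results = [limiter.verify_code("alice", "000000", "123456") for _ in range(10)]
    print("10 wrong entries:", results)            # nine 'invalid', then 'locked'
    fake_now[0] += FAILED_CODE_WAIT_SECONDS
    print("after the wait:", limiter.verify_code("alice", "123456", "123456"))
    sends = [limiter.request_code("alice", "sms") for _ in range(11)]
    print("11 SMS requests:", sends)                # ten True, then False
```

The point of the injected clock is that the lockout and delivery windows can be exercised in a unit test without sleeping; the same structure applies if the state is kept in a shared store rather than in memory.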

Reference

https://auth0.com/docs/secure/multi-factor-authentication/multi-factor-authentication-factors/configure-sms-voice-notifications-mfa#security-considerations
