MFA limits for OTP and SMS failed input

Problem statement

Users are blocked from entering further OTP codes in the MFA prompt after repeated failures. They enter the OTP 10 times and then get the message "Too many failed codes, Wait for some minutes before retrying."

Steps to reproduce

  1. Enable the One-time password factor (Authenticator) or Phone Message (SMS) factor in MFA
  2. Set the policy to Always
  3. Log in
  4. Enter the wrong OTP code 10 times


What you observed is the expected behavior under the current design. Users can fail 10 times until the message "Too many failed codes, Wait for some minutes before retrying." is displayed. This means the users should wait at least 6 minutes to retry before reaching the 10th attempt.

When you exceed your messaging limit, you’ll need to wait at least an hour after your request for your first message before requesting another. You will receive an additional attempt after the passage of each additional hour.
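
The failed-code limit described above can be modeled as a bucket of attempts that refills over time. The Python sketch below is an added example, not the product's own code: the names `AttemptBucket` and `verify_otp` are hypothetical, and regaining one attempt per 6-minute interval is an assumption. The same class with `refill_seconds=3600` models the hourly messaging limit, whose bucket size this page does not state.

```python
import hmac

OTP_MAX_FAILURES = 10        # from the page: 10 wrong codes trigger the block
OTP_REFILL_SECONDS = 6 * 60  # from the page: wait at least 6 minutes to retry


class AttemptBucket:
    """Bucket of attempts; one is regained every `refill_seconds` (assumed model)."""

    def __init__(self, capacity, refill_seconds):
        self.capacity = capacity
        self.refill_seconds = refill_seconds
        self.tokens = capacity
        self.last_refill = 0.0

    def _refill(self, now):
        if self.tokens < self.capacity:
            gained = int((now - self.last_refill) // self.refill_seconds)
            self.tokens = min(self.capacity, self.tokens + gained)
            self.last_refill += gained * self.refill_seconds
        if self.tokens == self.capacity:
            self.last_refill = now  # a full bucket accumulates no extra credit

    def retry_after(self, now):
        """Seconds until an attempt is available (0 if one is available now)."""
        self._refill(now)
        if self.tokens > 0:
            return 0.0
        return self.refill_seconds - (now - self.last_refill)

    def consume(self, now):
        """Spend one attempt; return False if none is left."""
        if self.retry_after(now) > 0:
            return False
        self.tokens -= 1
        return True


def verify_otp(bucket, submitted, expected, now):
    """Return 'ok', 'invalid' or 'blocked'. Only wrong codes spend attempts."""
    if bucket.retry_after(now) > 0:
        return "blocked"  # refuse before comparing, even if the code is right
    # Constant-time comparison avoids leaking how many digits matched.
    if hmac.compare_digest(submitted.encode(), expected.encode()):
        return "ok"
    bucket.consume(now)
    return "invalid"
```

Because the block is checked before the code is compared, a blocked user learns nothing about whether a guess was correct until an attempt becomes available again.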


