MFA Limits for OTP - Login Fails with Error "Too many failed codes. Wait for some minutes before retrying"

Last Updated: Sep 16, 2024

Overview

Users are limited to 10 incorrect OTP codes per MFA instance. Once they have entered more than 10 incorrect OTP codes, they get this message:

Too many failed codes. Wait for some minutes before retrying.


Logs and app logs record the attempts, and the lockout can appear as the Too Many Failures (gd_otp_rate_limit_exceed) error message and code.
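As an added example (not part of this article and not Auth0's own tooling), the following Python script sweeps log lines in the shape of tenant log events and reports which users hit the gd_otp_rate_limit_exceed code from the article, how many failed OTP attempts preceded the lockout, and from which source IPs. The sample log lines are constructed; the event code gd_auth_failed used for the preceding bad codes is an assumption, as are the field names date, type, user_id and ip.

```python
import json
from collections import defaultdict
from datetime import datetime

# "Too many failures" code named in the article.
RATE_LIMIT_CODE = "gd_otp_rate_limit_exceed"
# Assumed code for an individual failed OTP attempt (not stated in the article).
OTP_FAIL_CODE = "gd_auth_failed"

# Constructed sample log lines (not real tenant data): alice fails 10 codes from two
# IPs and is then locked out; bob fails twice and is not; one line is malformed.
SAMPLE_LOGS = [
    '{"date":"2024-09-16T10:00:%02d.000Z","type":"gd_auth_failed",'
    '"user_id":"auth0|alice","ip":"%s"}' % (i, "203.0.113.9" if i > 8 else "198.51.100.7")
    for i in range(1, 11)
] + [
    '{"date":"2024-09-16T10:00:11.000Z","type":"gd_otp_rate_limit_exceed",'
    '"user_id":"auth0|alice","ip":"203.0.113.9"}',
    '{"date":"2024-09-16T10:01:00.000Z","type":"gd_auth_failed",'
    '"user_id":"auth0|bob","ip":"192.0.2.44"}',
    '{"date":"2024-09-16T10:01:05.000Z","type":"gd_auth_failed",'
    '"user_id":"auth0|bob","ip":"192.0.2.44"}',
    'this line is not JSON and must be skipped',
]


def parse_events(lines):
    """Parse JSON log lines into dicts with a real datetime, oldest first.

    Malformed lines and records missing the fields we rely on are skipped so that
    one bad line does not abort the whole sweep.
    """
    events = []
    for line in lines:
        try:
            rec = json.loads(line)
        except json.JSONDecodeError:
            continue
        if not all(k in rec for k in ("date", "type", "user_id")):
            continue
        rec["date"] = datetime.fromisoformat(rec["date"].replace("Z", "+00:00"))
        events.append(rec)
    return sorted(events, key=lambda e: e["date"])


def summarize_otp_lockouts(lines):
    """Return {user_id: summary} for every user that hit the OTP rate limit.

    The summary holds the number of failed OTP attempts seen before the first
    lockout event, the lockout timestamp, and the source IPs involved, which is
    what a responder needs to tell a forgetful user from a code-guessing attempt.
    """
    events = parse_events(lines)
    failed = defaultdict(int)
    ips = defaultdict(set)
    lockouts = {}
    for e in events:
        uid = e["user_id"]
        if e["type"] == OTP_FAIL_CODE:
            failed[uid] += 1
            ips[uid].add(e.get("ip", "unknown"))
        elif e["type"] == RATE_LIMIT_CODE and uid not in lockouts:
            ips[uid].add(e.get("ip", "unknown"))
            lockouts[uid] = {
                "failed_before_lockout": failed[uid],
                "lockout_at": e["date"].isoformat(),
                "source_ips": sorted(ips[uid]),
            }
    return lockouts


if __name__ == "__main__":
    for user, info in summarize_otp_lockouts(SAMPLE_LOGS).items():
        print(user, info)
```

The per-user IP set is the detail worth keeping: a lockout reached from several addresses in a short window looks different from a single user mistyping codes, and that is the distinction to make before deciding whether the wait described in the solution is all that is needed.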

Applies To

  • Multifactor Authentication (MFA)
  • One Time Password (OTP)
  • SMS code
  • Failed Login
  • MFA OTP Limit

Solution

This is the expected behavior of the current design. Users can fail 10 times before the message "Too many failed codes. Wait for some minutes before retrying." is displayed. This means that users should wait at least 6 minutes before retrying rather than going on to the 10th attempt. See Rate Limit Policy.

When the messaging limit is exceeded, the user must wait 1 hour after the first message before requesting another. One additional attempt is granted for each further hour that passes.

The text of this error can be changed through Prompts text customization, under “mfa-otp-enrollment-qr” > “too-many-failures”. Please see Customize Universal Login Text Elements for more details.
