I’m implementing and testing passwordless authentication on our app using the passwordless API, and was originally able to log in without any trouble. However, for the last few days I have been unable to log in from my own phone. Each time I try to verify a new code I get a response with HTTP status 403 and the error message: “You’ve reached the maximum number of attempts. Please try to login again.”
I have tried this on two different tenants and the result is the same (both are currently on the free tier). I have also tried deleting the user account for that phone number and it has not changed the behaviour.
If I use a different phone number, I am able to log in with passwordless successfully. As I am currently testing, I have been logging in more than I would usually, but I don’t believe I have come close to hitting the rate limits, and have never received a response with HTTP status 429 (as described here). However, the fact that this only occurs with one phone number, and across multiple tenants, makes me wonder if my number has been blacklisted somewhere.
So I have a few questions:
- Is this behaviour expected? If so, where is it documented?
- If my phone number has been blacklisted, what can I do to resolve the situation?
- How can I prevent this situation happening to a user once the passwordless login is live?
Thanks in advance.
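For the third question (keeping a live user out of the "maximum number of attempts" state), the client can stop itself well before the server does and treat the two failure responses described above differently: a 429 is a rate limit to back off from, while the 403 "maximum number of attempts" response means the current code is spent and the user must start over. The following is an added example, not code from the original post or from any identity provider's SDK; the `verify` callable, the client-side cap of 3, the server-side cap in the constructed fake, and the exact body fields are all assumptions standing in for the provider's real endpoint and payloads.

```python
"""Client-side handling of passwordless OTP verification responses (example)."""
from dataclasses import dataclass
from typing import Callable, Dict

# Assumed cap: stay below whatever the provider enforces so a user who
# mistypes a few times is told to request a fresh code, not locked out.
CLIENT_ATTEMPT_CAP = 3


@dataclass
class VerifyResult:
    status: int            # HTTP status of the verification request
    headers: Dict[str, str]
    body: dict             # parsed JSON body (field names are assumptions)


@dataclass
class VerifyOutcome:
    action: str            # "ok", "retry_code", "restart_login", "back_off", "error"
    message: str
    wait_seconds: int = 0  # only set for "back_off"


@dataclass
class OtpSession:
    """Tracks one code-entry session for one phone number."""
    attempts: int = 0
    exhausted: bool = False

    def verify_code(self, verify: Callable[[str], VerifyResult], code: str) -> VerifyOutcome:
        if self.exhausted:
            # Do not hit the provider again with a spent code.
            return VerifyOutcome("restart_login", "Request a new code before trying again.")
        if self.attempts >= CLIENT_ATTEMPT_CAP:
            self.exhausted = True
            return VerifyOutcome("restart_login", "Too many attempts; request a new code.")
        self.attempts += 1
        res = verify(code)
        if res.status == 200:
            return VerifyOutcome("ok", "Logged in.")
        if res.status == 429:
            # Rate limited: honour Retry-After (assumed header) and never tight-loop.
            wait = int(res.headers.get("Retry-After", "60"))
            return VerifyOutcome("back_off", f"Rate limited; retry after {wait}s.", wait)
        body_text = " ".join(str(v) for v in res.body.values()).lower()
        if res.status == 403 and "maximum number of attempts" in body_text:
            # The code is spent server-side; further tries cannot succeed.
            self.exhausted = True
            return VerifyOutcome("restart_login", "Attempt limit reached; request a new code.")
        if res.status in (400, 401, 403):
            return VerifyOutcome("retry_code", "Incorrect code, please try again.")
        return VerifyOutcome("error", f"Unexpected response {res.status}.")


def make_fake_verify(correct_code: str, server_cap: int) -> Callable[[str], VerifyResult]:
    """Constructed stand-in for the provider: wrong codes get 403, and after
    `server_cap` tries every request gets the 403 'maximum attempts' response."""
    state = {"tries": 0}

    def verify(code: str) -> VerifyResult:
        state["tries"] += 1
        if state["tries"] > server_cap:
            return VerifyResult(403, {}, {"error": "access_denied",
                                          "error_description": "You've reached the maximum number of attempts. Please try to login again."})
        if code == correct_code:
            return VerifyResult(200, {}, {"access_token": "constructed-token"})
        return VerifyResult(403, {}, {"error": "invalid_grant",
                                      "error_description": "Wrong verification code."})
    return verify


def run_scenario(codes, correct_code="123456", server_cap=5):
    """Feed a list of user-entered codes through one session; return the actions taken."""
    session = OtpSession()
    verify = make_fake_verify(correct_code, server_cap)
    return [session.verify_code(verify, c).action for c in codes]


if __name__ == "__main__":
    print(run_scenario(["000000", "123456"]))                     # retry, then ok
    print(run_scenario(["000000"] * 4 + ["123456"], server_cap=2))  # stops, never calls verify again
```

The fake server is only there to drive the handler; in a real integration `verify` wraps the provider's code-verification request. The key points are that the client never loops on a 429, and that once the 403 "maximum number of attempts" response is seen (or the client's own cap is hit) the session is marked exhausted so the user is directed to request a new code instead of burning further attempts.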