Passwordless verification code rate limit

lihua.zhang · September 26, 2022, 7:59pm

Problem Statement

We set the brute-force protection Login Threshold to 4 attempts. However, the users are not allowed to enter the code more than 3 times.

Cause

The Passwordless verify code endpoint has it’s own default limit:

module.exports = {
  buckets: {
    ***
    'wrong passwordless totp': { size: 3 }
  }
};

Solution

The limit you reached is specifically applies to Passwordless (Email or SMS) connections. It will not allow the user to enter the incorrect code more than three times. When the limit is reached, users will need to request a new code.

Topic		Replies	Views
Email OTP code submission through proxy, "You've reached the maximum number of attempts. Please try to login again" Help auth0	7	5239	May 6, 2024
MFA Brute force protection Knowledge Articles	1	1108	May 29, 2023
Rate limit 429 after 7 bad attempts with email passwordless Help login-experience , new-universal-login-experience	1	19	November 12, 2024
Getting rate limitted for /passwordless/start quickly Knowledge Articles rate-limit , passwordless	1	809	September 19, 2023
Meaning of limit_sul Error Knowledge Articles	1	803	November 3, 2023

Passwordless verification code rate limit

Problem Statement

Cause

Solution

Related Topics