Passwordless verification code rate limit

Problem Statement

We set the brute-force protection Login Threshold to 4 attempts. However, users are not allowed to enter the code more than 3 times.


The Passwordless verify code endpoint has its own default limit:

module.exports = {
  buckets: {
    // Wrong-code bucket for the Passwordless verify code endpoint
    'wrong passwordless totp': { size: 3 }
  }
};


The limit you reached applies specifically to Passwordless (Email or SMS) connections. It will not allow the user to enter an incorrect code more than three times. When the limit is reached, users will need to request a new code.
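
A minimal model of the behaviour described above, added here as an example and not Auth0's implementation: each issued code carries its own wrong-attempt bucket of size 3, so a Login Threshold of 4 is never the limit the user hits first. The class name, the return strings and the choice to invalidate the code on the third wrong attempt are assumptions.

```javascript
// Added illustration, not Auth0 code. Class and return values are hypothetical.
const WRONG_CODE_BUCKET_SIZE = 3; // from the page: 'wrong passwordless totp': { size: 3 }

// Compare without stopping at the first mismatching character.
function safeEqual(a, b) {
  let diff = a.length ^ b.length;
  for (let i = 0; i < a.length; i++) {
    diff |= a.charCodeAt(i) ^ b.charCodeAt(i % (b.length || 1));
  }
  return diff === 0;
}

class PasswordlessVerifier {
  constructor() {
    this.pending = new Map(); // user -> { code, wrong }
  }

  // Register a newly sent code (assumed to come from a CSPRNG elsewhere).
  // A new code starts with an empty wrong-attempt bucket.
  issue(user, code) {
    this.pending.set(user, { code: String(code), wrong: 0 });
  }

  verify(user, submitted) {
    const entry = this.pending.get(user);
    if (!entry) return 'request_new_code'; // no live code for this user
    if (safeEqual(String(submitted), entry.code)) {
      this.pending.delete(user); // codes are single use
      return 'ok';
    }
    entry.wrong += 1;
    if (entry.wrong >= WRONG_CODE_BUCKET_SIZE) {
      this.pending.delete(user); // bucket full: the code is dead
      return 'limit_reached';
    }
    return 'wrong_code';
  }
}

// Constructed run: three wrong guesses, then the right code arrives too late.
function demo() {
  const v = new PasswordlessVerifier();
  v.issue('user@example.com', '493817');
  const tries = ['000000', '111111', '222222', '493817'];
  return tries.map((c) => v.verify('user@example.com', c));
}
```

In this model the fourth submission is rejected even though it carries the correct code, which is why the user has to request a new one.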