Problem Statement
We set the brute-force protection Login Threshold to 4 attempts. However, the users are not allowed to enter the code more than 3 times.
Cause
The Passwordless verify code endpoint has its own default limit:
module.exports = {
  buckets: {
    ***
    'wrong passwordless totp': { size: 3 }
  }
};
Solution
The limit you reached applies specifically to Passwordless (Email or SMS) connections. It will not allow the user to enter the incorrect code more than three times. When the limit is reached, users will need to request a new code.
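
The following Node.js sketch is an added illustration, not the product's own code. It models a per-code wrong-attempt bucket of size 3 to show why a Login Threshold of 4 is never reached and why a newly requested code is accepted again. The class, method names, and return strings are hypothetical.

```javascript
const crypto = require('crypto');

// Values from the article: per-code bucket of 3, Login Threshold of 4.
const WRONG_CODE_BUCKET_SIZE = 3;
const LOGIN_THRESHOLD = 4;

// Hypothetical in-memory verifier; names and return strings are illustrative.
class PasswordlessVerifier {
  constructor(bucketSize = WRONG_CODE_BUCKET_SIZE) {
    this.bucketSize = bucketSize;
    this.pending = new Map(); // user -> { code, wrongAttempts }
  }

  // Issuing a new code replaces the old one and starts a fresh bucket.
  requestCode(user) {
    const code = crypto.randomInt(0, 1000000).toString().padStart(6, '0');
    this.pending.set(user, { code, wrongAttempts: 0 });
    return code; // in a real flow this is delivered by email or SMS
  }

  verify(user, submitted) {
    const entry = this.pending.get(user);
    if (!entry) return 'no_active_code';
    // Once the bucket is spent, even the correct code is refused.
    if (entry.wrongAttempts >= this.bucketSize) return 'request_new_code';
    const a = Buffer.from(entry.code);
    const b = Buffer.from(String(submitted));
    // Constant-time comparison; the length check avoids a timingSafeEqual throw.
    if (a.length === b.length && crypto.timingSafeEqual(a, b)) {
      this.pending.delete(user); // codes are single use
      return 'ok';
    }
    entry.wrongAttempts += 1;
    return 'wrong_code';
  }
}

// Submit `attempts` wrong codes against one issued code and collect the results.
function simulateWrongAttempts(attempts) {
  const user = 'user@example.test'; // constructed sample user
  const v = new PasswordlessVerifier();
  const code = v.requestCode(user);
  const wrong = code === '000000' ? '111111' : '000000';
  const results = [];
  for (let i = 0; i < attempts; i++) results.push(v.verify(user, wrong));
  return results;
}

console.log(simulateWrongAttempts(LOGIN_THRESHOLD));
```

In this model the fourth attempt is rejected by the per-code bucket before it is evaluated, so the effective limit is the smaller of the two settings.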