Problem statement
What are the rate limits for failed attempts with the following MFA factors?
- SMS
- OTP
- Push Notifications
Solution
- SMS: Auth0 limits a single user to send up to 10 SMS or voice messages per hour. (The burst rate is 10, but only 1 voice message per hour will be sent for new requests.)
- OTP: The rate limit for OTP is also 10 attempts per hour.
- For Push Notifications, the rate limit is: burst rate starts at 5, and we add 5 more per minute (e.g. 1 every 12 seconds).
- For Email MFA, the rate limit is: burst rate starts at 20, and we add 1 more per minute.