Rate limits for MFA factors

Problem statement

What are the rate limits for failed attempts with the following MFA factors?

  • SMS
  • OTP
  • Push Notifications
  • Email

Solution

  • SMS: Auth0 allows a single user to send up to 10 SMS or voice messages per hour. (The burst rate is 10, but only 1 voice message per hour will be sent for new requests.)
  • OTP: The rate limit is also 10 attempts per hour.
  • Push Notifications: The burst rate starts at 5, and we add 5 more per minute (i.e. 1 every 12 seconds).
  • Email: The burst rate starts at 20, and we add 1 more per minute.
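
The push and email limits above read like a token bucket (a burst allowance plus a steady refill). The following is an added example, not Auth0's code: it assumes standard token-bucket behaviour and a client retrying once per second, and counts how many attempts get through in a window, which helps when sizing alerting or lockout thresholds. `TokenBucket`, `LIMITS` and `accepted_attempts` are names made up for this illustration.

```python
from fractions import Fraction


class TokenBucket:
    """Starts full at `burst`; gains `refill` tokens every `per_seconds`, capped at `burst`."""

    def __init__(self, burst, refill, per_seconds):
        self.burst = Fraction(burst)
        self.rate = Fraction(refill, per_seconds)  # tokens per second, kept exact
        self.tokens = Fraction(burst)
        self.last = 0

    def allow(self, now):
        """Spend one token and return True if an attempt at `now` (seconds) is permitted."""
        elapsed = now - self.last
        self.tokens = min(self.burst, self.tokens + elapsed * self.rate)
        self.last = now
        if self.tokens >= 1:
            self.tokens -= 1
            return True
        return False


# (burst, refill, per_seconds) taken from the figures on this page.
LIMITS = {
    "push": (5, 5, 60),    # burst 5, +5 per minute (1 every 12 seconds)
    "email": (20, 1, 60),  # burst 20, +1 per minute
}


def accepted_attempts(factor, window_seconds):
    """Attempts accepted when a client retries once per second for `window_seconds`."""
    bucket = TokenBucket(*LIMITS[factor])
    return sum(bucket.allow(t) for t in range(window_seconds))


if __name__ == "__main__":
    for factor in LIMITS:
        for window in (60, 3600):
            n = accepted_attempts(factor, window)
            print(f"{factor}: {n} attempts accepted in {window}s")
```

Under this model the burst dominates short windows and the refill rate dominates long ones, so push allows more attempts per hour than email despite its smaller burst.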