Regarding wrong email OTP attempts customization

Hi Team,

We are using email as the sole MFA factor. Currently, after 10 wrong OTP attempts we get the “too many failed codes” error message. Is it possible to customize the number of wrong OTP attempts allowed? Instead of 10 we want to make it 5; is that possible?

Also is it possible to unblock the users after a certain period of time after the brute force attack protection blocks the account after unsuccessful password attempts?

Regards,
Chaitra k.

Does anyone have any idea whether the above can be achieved? I am open to your suggestions.

Hi @chaitrk

Welcome back to the Auth0 Community!

Thank you for posting your question. The 10 wrong OTP attempts limit is unfortunately not configurable, but you can edit the prompt from “too many failed codes” to something more suited to your design. You can read more about that here → MFA Limits for OTP - Login Fails with Error "Too many failed codes. Wait for some minutes before retrying"

To address your 2nd question, the user is unblocked after 30 days and it’s not possible to change this limit. The workaround to this would be to utilise the log stream to detect when a brute force block has been applied (a log type of “limit_wc” is seen - https://auth0.com/docs/deploy-monitor/logs/log-event-type-codes), and then this could in turn, after the desired timeframe has elapsed, trigger a call to the Management API to remove the block for the impacted user ID.

Thanks
Dawid

1 Like
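The log-stream workaround Dawid describes, written out as an added example (not Auth0's code and not from this thread): filter incoming log-stream events for the `limit_wc` type, remember when each user was blocked, and once the chosen window has elapsed call the Management API unblock endpoint for that user ID. The tenant domain, token and 90-minute window are placeholders, the sample batch is constructed to follow the webhook log-stream shape, and `DELETE /api/v2/user-blocks/{id}` is the Management API unblock-by-user-ID call, which needs a token with the `update:users` scope.

```python
import json
import urllib.parse
import urllib.request
from datetime import datetime, timedelta, timezone

AUTH0_DOMAIN = "YOUR_TENANT.auth0.com"   # placeholder tenant domain
MGMT_TOKEN = "MGMT_API_TOKEN"            # placeholder; token needs update:users scope
UNBLOCK_AFTER = timedelta(minutes=90)    # chosen window instead of the fixed 30 days

# Constructed sample log-stream batch (not real tenant data); only the
# fields this example reads are included. Event 2 is an ordinary failed login.
SAMPLE_EVENTS = json.dumps([
    {"log_id": "evt-1", "data": {"type": "limit_wc", "user_id": "auth0|u1", "date": "2024-05-01T10:00:00.000Z"}},
    {"log_id": "evt-2", "data": {"type": "f", "user_id": "auth0|u2", "date": "2024-05-01T10:01:00.000Z"}},
    {"log_id": "evt-3", "data": {"type": "limit_wc", "user_id": "auth0|u3", "date": "2024-05-01T11:30:00.000Z"}},
])

def parse_ts(s):
    """Parse the ISO-8601 UTC timestamp used in log events."""
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%S.%fZ").replace(tzinfo=timezone.utc)

def blocked_users(batch_json):
    """Map user_id -> time of the most recent brute-force block (limit_wc) in a batch."""
    blocks = {}
    for event in json.loads(batch_json):
        d = event.get("data", {})
        if d.get("type") == "limit_wc" and d.get("user_id"):
            ts = parse_ts(d["date"])
            if d["user_id"] not in blocks or ts > blocks[d["user_id"]]:
                blocks[d["user_id"]] = ts
    return blocks

def due_for_unblock(blocks, now, window=UNBLOCK_AFTER):
    """User IDs whose block is at least `window` old at `now`."""
    return sorted(uid for uid, ts in blocks.items() if now - ts >= window)

def unblock_user(user_id):
    """Remove the block via the Management API: DELETE /api/v2/user-blocks/{id}."""
    url = f"https://{AUTH0_DOMAIN}/api/v2/user-blocks/{urllib.parse.quote(user_id, safe='')}"
    req = urllib.request.Request(url, method="DELETE", headers={"Authorization": f"Bearer {MGMT_TOKEN}"})
    with urllib.request.urlopen(req) as resp:
        return resp.status  # 204 on success

if __name__ == "__main__":
    now = datetime(2024, 5, 1, 12, 0, tzinfo=timezone.utc)  # fixed "now" for the sample
    for uid in due_for_unblock(blocked_users(SAMPLE_EVENTS), now):
        print("unblocking", uid, unblock_user(uid))
```

In practice the block timestamps would be persisted (a table or a queue with a delay) rather than held in memory, so that a restart of the consumer does not lose pending unblocks.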
