Regarding wrong email OTP attempts customization

Hi @chaitrk

Welcome back to the Auth0 Community!

Thank you for posting your question. The 10 wrong OTP attempts limit is unfortunately not configurable, but you can edit the prompt from “too many failed codes” to something more suited to your design. You can read more about that here → MFA Limits for OTP - Login Fails with Error "Too many failed codes. Wait for some minutes before retrying"

To address your 2nd question, the user is unblocked after 30 days and it’s not possible to change this limit. The workaround to this would be to utilise the log stream to detect when a brute force block has been applied (a log type of “limit_wc” is seen - https://auth0.com/docs/deploy-monitor/logs/log-event-type-codes), and then this could in turn, after the desired timeframe has elapsed, trigger a call to the Management API to remove the block for the impacted user ID.

Thanks
Dawid

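The log-stream workaround described in the reply above, as an added example that is not part of the original thread and not Auth0's own code. It assumes the webhook batch delivered by a custom log stream is an array of `{ log_id, data }` objects in which `data.type` is the event code and `data.user_id` identifies the blocked user, and that the unblock is a `DELETE` to the Management API `user-blocks/{id}` endpoint with a Management API token; `minBlockMs`, the in-memory queue and the sample batch are constructed for the example. The request is built but not sent, so the logic can be run offline.

```javascript
// Added example (not Auth0's code): turn log-stream "limit_wc" events into delayed
// unblock actions against the Management API.
// Assumptions: webhook body = [{ log_id, data: { type, user_id, date, ... } }];
// unblock call = DELETE https://{domain}/api/v2/user-blocks/{user_id}.

const BRUTE_FORCE_BLOCK = 'limit_wc'; // event code quoted in the reply above

// Pull (userId, blockedAt) pairs out of one webhook batch, skipping other event
// types and events that carry no user_id or no parseable date.
function extractBruteForceBlocks(events) {
  const blocks = [];
  for (const ev of events) {
    const d = ev && ev.data;
    if (!d || d.type !== BRUTE_FORCE_BLOCK || !d.user_id) continue;
    const blockedAt = Date.parse(d.date);
    if (Number.isNaN(blockedAt)) continue;
    blocks.push({ userId: d.user_id, blockedAt });
  }
  return blocks;
}

// Queue keyed by user id (a Map in this example; a durable store in practice).
// Keeps the earliest block time so a repeated limit_wc for the same user does
// not push the scheduled unblock further out.
function queueBlocks(queue, blocks) {
  for (const b of blocks) {
    const existing = queue.get(b.userId);
    if (existing === undefined || b.blockedAt < existing) queue.set(b.userId, b.blockedAt);
  }
  return queue;
}

// Return (and dequeue) users whose block has lasted at least minBlockMs, the
// "desired timeframe" the reply mentions, in place of the fixed 30 days.
function dueForUnblock(queue, nowMs, minBlockMs) {
  const due = [];
  for (const [userId, blockedAt] of queue) {
    if (nowMs - blockedAt >= minBlockMs) {
      due.push(userId);
      queue.delete(userId);
    }
  }
  return due;
}

// Build (not send) the Management API request. encodeURIComponent matters because
// Auth0 user ids such as "auth0|abc123" contain a pipe character.
function buildUnblockRequest(domain, userId, mgmtToken) {
  return {
    method: 'DELETE',
    url: `https://${domain}/api/v2/user-blocks/${encodeURIComponent(userId)}`,
    headers: { Authorization: `Bearer ${mgmtToken}` },
  };
}

// Constructed sample batch: two blocks for user A, one for user B, one unrelated
// failed-login event and one limit_wc without a user_id.
const SAMPLE_BATCH = [
  { log_id: '1', data: { type: BRUTE_FORCE_BLOCK, user_id: 'auth0|userA', date: '2024-01-01T12:00:00.000Z' } },
  { log_id: '2', data: { type: 'f', user_id: 'auth0|userC', date: '2024-01-01T12:10:00.000Z' } },
  { log_id: '3', data: { type: BRUTE_FORCE_BLOCK, user_id: 'auth0|userB', date: '2024-01-01T12:30:00.000Z' } },
  { log_id: '4', data: { type: BRUTE_FORCE_BLOCK, user_id: 'auth0|userA', date: '2024-01-01T12:45:00.000Z' } },
  { log_id: '5', data: { type: BRUTE_FORCE_BLOCK, date: '2024-01-01T12:50:00.000Z' } },
];

// Stand-alone run: one hour minimum block, evaluated at 13:00 UTC.
function demo() {
  const queue = queueBlocks(new Map(), extractBruteForceBlocks(SAMPLE_BATCH));
  const due = dueForUnblock(queue, Date.parse('2024-01-01T13:00:00.000Z'), 60 * 60 * 1000);
  return due.map((id) => buildUnblockRequest('example.auth0.com', id, 'MGMT_TOKEN_PLACEHOLDER'));
}
```

The webhook endpoint receiving these batches should verify the authorization value configured on the log stream before trusting the payload, and the Management API token used for the unblock should be scoped to the user-block permission only, since the handler can lift a brute-force block on any user it is fed.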