I have reached out internally about the generate OTP expiry/configuration and verify OTP counter for verify failed/configuration. I will update you when I hear back on those.
Regarding the TTL/expiry time for the link in the password reset email users receive, the default is 60seconds. This is configurable. Please see here: Change Users' Passwords. The link is valid for one time only.
Thanks,
Mary Beth