Each user is allowed up to 5 attempts per OTP challenge session, providing five chances to enter the OTP code correctly within a session.
When a user initiates an OTP challenge, a timer begins, setting the initial expiration time to 10 minutes from the start (denoted as T). Each valid attempt resets the 10-minute countdown from the time of the most recent attempt, continuously giving the user a 10-minute window from their last valid try.
When a user resends the OTP, the expiration timer resets based on the timing of their last attempt. For example, if the resend occurs at T+5 minutes, the new expiration extends to T+15 minutes. As with valid OTP attempts, each resend action continues to extend the session duration, provided the user remains within the maximum attempts and notification limits.
A single login ID can initiate a maximum of 100 OTP challenges within a 5-minute window. This includes all OTP notifications, such as initial requests and resend requests.
Magic-link tokens have a fixed lifetime of 10 minutes. Once the 10-minute window has elapsed, the link expires, and the user must request a new Magic-link if they still wish to log in.