OTP Attempts Limit

Each user is allowed up to 5 attempts per OTP challenge session, providing five chances to enter the OTP code correctly within a session.

Expiration Behavior for OTP

When a user initiates an OTP challenge, a timer begins, setting the initial expiration time to 10 minutes from the start (denoted as T). Each valid attempt resets the 10-minute countdown from the time of the most recent attempt, continuously giving the user a 10-minute window from their last valid try.

Resend OTP

When a user resends the OTP, the expiration timer resets based on the timing of their last attempt. For example, if the resend occurs at T+5 minutes, the new expiration extends to T+15 minutes. As with valid OTP attempts, each resend action continues to extend the session duration, provided the user remains within the maximum attempts and notification limits.

Challenges Limit per Login ID (Notification Limit)

A single login ID can initiate a maximum of 100 OTP challenges within a 5-minute window. This includes all OTP notifications, such as initial requests and resend requests.

Magic-link tokens have a fixed lifetime of 10 minutes. Once the 10-minute window has elapsed, the link expires, and the user must request a new Magic-link if they still wish to log in.