We are implementing a passwordless authentication flow without MFA or security questions for both sign-in and sign-up using the Okta Identity Engine, the Okta SDK for Angular (@okta/okta-angular v6.2.0), and Auth JS (@okta/okta-auth-js v7.4.2).
For verifying the email code, we use oktaAuth.idx.proceed({ code }), which internally calls the /idp/idx/challenge/answer API. During the code verification process, if the user enters an incorrect code five times, an error is returned on the sixth attempt with an HTTP status code 429 Too Many Requests. At this point, the user is temporarily locked and cannot proceed for 5 minutes.
However, if the user attempts to resend the code during this lock period, the lock is revoked, and a new code is successfully sent. We have implemented the resend code functionality using oktaAuth.idx.proceed({ resend: true }), which calls the /idp/idx/challenge/resend API.
Could you confirm if this behavior is expected?
Please find the screenshot for the above-mentioned case.
Resend API call succeeded with status 200:
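As an added illustration (not code from the post above, and not part of the Okta SDK), the following TypeScript shows one way a client can mirror the lockout it observes from the 429 response so that the UI does not offer "resend" while the user is locked. This is a UX safeguard only: anyone calling the IDX endpoints directly bypasses it, so the authoritative limit has to come from the Okta-side policy, which is exactly what the question asks about. The IdxLike/OktaAuthLike interfaces are minimal stand-ins for the parts of @okta/okta-auth-js used here, and the assumption that a wrong code surfaces as a thrown error carrying an HTTP status is mine.

```typescript
// Added example, not from the original post. A small client-side gate that
// tracks failed email-code attempts and the 5-minute lock observed on the
// sixth attempt, and refuses to issue a resend while that lock is active.
// Server-side policy remains the real control; this only keeps the UI honest.

// Minimal stand-in for the subset of @okta/okta-auth-js used here (assumption).
interface IdxLike {
  proceed(options: { code?: string; resend?: boolean }): Promise<unknown>;
}
interface OktaAuthLike {
  idx: IdxLike;
}

// Shape assumed for an error thrown by proceed(); only the status is read.
interface HttpErrorLike {
  status?: number;
  xhr?: { status?: number };
}

export const MAX_FAILED_ATTEMPTS = 5;      // the post: five wrong codes, 429 on the sixth
export const LOCKOUT_MS = 5 * 60 * 1000;   // the post: locked for 5 minutes

export class VerificationGate {
  private failedAttempts = 0;
  private lockedUntil = 0;

  // Injectable clock so the lock window can be tested without waiting.
  constructor(private readonly now: () => number = Date.now) {}

  isLocked(): boolean {
    return this.now() < this.lockedUntil;
  }

  remainingLockMs(): number {
    return Math.max(0, this.lockedUntil - this.now());
  }

  canVerify(): boolean {
    return !this.isLocked();
  }

  // Resend clears the server lock in the post's screenshot, so the UI should
  // not offer it while the local mirror of that lock is still running.
  canResend(): boolean {
    return !this.isLocked();
  }

  getFailedAttempts(): number {
    return this.failedAttempts;
  }

  recordSuccess(): void {
    this.failedAttempts = 0;
    this.lockedUntil = 0;
  }

  // A 429 means Okta has locked the user; mirror that window locally. Reaching
  // MAX_FAILED_ATTEMPTS locally also starts the window, since the next call
  // would be rejected anyway (assumes the local and server counts agree).
  recordFailure(httpStatus?: number): void {
    this.failedAttempts += 1;
    if (httpStatus === 429 || this.failedAttempts >= MAX_FAILED_ATTEMPTS) {
      this.lockedUntil = this.now() + LOCKOUT_MS;
    }
  }
}

function statusOf(err: unknown): number | undefined {
  const e = err as HttpErrorLike | null | undefined;
  return e?.status ?? e?.xhr?.status;
}

// Wraps oktaAuth.idx.proceed({ code }); returns true only on a successful step.
export async function verifyEmailCode(
  oktaAuth: OktaAuthLike,
  gate: VerificationGate,
  code: string,
): Promise<boolean> {
  if (!gate.canVerify()) return false;
  try {
    await oktaAuth.idx.proceed({ code });
    gate.recordSuccess();
    return true;
  } catch (err) {
    gate.recordFailure(statusOf(err));
    return false;
  }
}

// Wraps oktaAuth.idx.proceed({ resend: true }) behind the same gate.
export async function resendEmailCode(
  oktaAuth: OktaAuthLike,
  gate: VerificationGate,
): Promise<boolean> {
  if (!gate.canResend()) return false;
  await oktaAuth.idx.proceed({ resend: true });
  return true;
}
```

In an Angular component you would hold one VerificationGate per challenge screen, call verifyEmailCode from the submit handler, and bind the resend button's disabled state to gate.isLocked(), showing gate.remainingLockMs() as a countdown. Whether the resend endpoint should clear the lock at all is the server-side question the post raises and cannot be settled by this client code.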