Prevent OTP brute forcing


We are exploring the magic link/OTP login option for our system and have a question about rate limits and account blocking.

When we try an incorrect OTP fast enough to violate the rate limit (5 attempts in 5 min, if we understood it correctly), the following attempts all fail with a 429 - too many requests. This is exactly what we expected, and proper feedback is given to the user. According to this documentation, the authenticator should also be blocked for 5 min.

This is not what we have observed. We managed to trigger the authentication again, got a new e-mail and successfully logged in immediately after receiving the 429 code.

We are using the okta-auth-js library and starting the authentication via this.oktaAuth.idx.authenticate({username, authenticator: AuthenticatorKey.OKTA_EMAIL, methodType: 'email'}). If the authenticator is in fact blocked, I would expect the transaction to fail, but that is not the case.

Are we missing something? Is there any configuration needed? Or is this the expected behaviour?
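To make the gap in the post concrete, here is an added illustrative model (not Okta's implementation and not the poster's code) of the policy the post expects: 5 failed attempts within a 5-minute window returns 429 and locks the authenticator for 5 minutes, and, crucially, issuing a fresh OTP for that user during the lockout is also refused. Function names, the in-memory state map and the sample username and codes are assumptions for the example.

```javascript
// Illustrative model only (assumed names/values, not Okta's code): per-user OTP
// verification with a sliding 5-attempts-per-5-minutes window and a 5-minute
// authenticator lockout that also blocks re-triggering a new OTP.
const WINDOW_MS = 5 * 60 * 1000;
const MAX_ATTEMPTS = 5;
const LOCKOUT_MS = 5 * 60 * 1000;

// username -> { failures: [timestamps], lockedUntil: timestamp, otp: string|null }
const state = new Map();

function getState(user) {
  if (!state.has(user)) state.set(user, { failures: [], lockedUntil: 0, otp: null });
  return state.get(user);
}

function isLocked(user, now) {
  return getState(user).lockedUntil > now;
}

// Issuing a fresh OTP (restarting the flow / sending a new e-mail) must honour the
// lockout; otherwise the block is bypassed simply by requesting a new code.
function issueOtp(user, otp, now) {
  if (isLocked(user, now)) return { status: 429, reason: 'authenticator locked' };
  getState(user).otp = otp;
  return { status: 200 };
}

function verifyOtp(user, candidate, now) {
  const s = getState(user);
  if (isLocked(user, now)) return { status: 429, reason: 'authenticator locked' };
  // Keep only failures inside the sliding window.
  s.failures = s.failures.filter((t) => now - t < WINDOW_MS);
  if (s.otp !== null && candidate === s.otp) {
    s.failures = [];
    s.otp = null; // single use
    return { status: 200 };
  }
  s.failures.push(now);
  if (s.failures.length >= MAX_ATTEMPTS) {
    s.lockedUntil = now + LOCKOUT_MS;
    s.otp = null; // invalidate the outstanding code as well
    return { status: 429, reason: 'too many requests' };
  }
  return { status: 401, reason: 'invalid code' };
}
```

The check that matters for the behaviour described in the post is the one in issueOtp: if only verifyOtp enforces the block, a new code request during the lockout succeeds and the lockout is effectively void.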

