Prevent OTP brute forcing


We are exploring the magic link/OTP login option for our system and have a question about rate limits and account blocking.

When we try an incorrect OTP fast enough to violate the rate limit (5 attempts in 5 min, if we understood it correctly), the following attempts all fail with a 429 Too Many Requests. This is exactly what we expected, and proper feedback is given to the user. According to this documentation the authenticator should also be blocked for 5 min.

This is not what we have observed. We managed to trigger the authentication again, got a new e-mail and successfully logged in immediately after receiving the 429 code.

We are using the okta-auth-js library and starting the authentication via: this.oktaAuth.idx.authenticate({username, authenticator: AuthenticatorKey.OKTA_EMAIL, methodType: 'email'});. If the authenticator is in fact blocked, I would expect the transaction to fail, but that is not the case.

Are we missing something? Is there any configuration needed? Or is this the expected behaviour?
