Email Multi-Factor Authentication Code Validity Period and Rate Limits

Overview

This article clarifies the validity period of the code sent via email when a user triggers Email Multi-Factor Authentication (MFA). It also specifies the number of codes that can be requested before the system reaches rate limits.

Applies To
  • Multifactor Authentication (MFA)
  • Email Factor
  • Email Code Validity

Solution

The Email MFA codes follow the MFA transaction lifetime:

  • The Email MFA code is valid for five minutes. This is not a configurable setting. Entering the code after five minutes returns an error stating that the code is invalid.

  • The email can be resent from the same screen, which allows the user to try again with a new code.

  • The login transaction expires after ten minutes. When the user enters a code after this period, they are redirected to the Application Login Uniform Resource Identifier (URI). If an active session still exists, the system sends the user back to the MFA page, where another email is sent, and the process restarts.

  • The Email MFA limit is 20 requests per minute, with a bucket refill rate of 1 request per minute. This is not a configurable setting.
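
The timings above can be modeled to predict what a user sees at a given moment and how many emails one transaction can generate. This is an added example, not code from the article or the vendor. It assumes the limit is a token bucket that holds 20 requests and regains one per minute, tracked per user, and that only the newest code is checked; all class and function names are hypothetical.

```python
from dataclasses import dataclass
from typing import Optional

CODE_VALID_S = 5 * 60       # article: code is valid for five minutes
TXN_LIFETIME_S = 10 * 60    # article: login transaction expires after ten minutes
BUCKET_CAPACITY = 20        # assumption: "20 requests per minute" is the bucket size
REFILL_INTERVAL_S = 60      # article: bucket refills 1 request per minute


@dataclass
class EmailMfaModel:
    """Hypothetical model of one login transaction; not the vendor's code."""
    txn_start: int = 0
    tokens: int = BUCKET_CAPACITY
    last_refill: int = 0
    code_sent_at: Optional[int] = None

    def _refill(self, now: int) -> None:
        earned = (now - self.last_refill) // REFILL_INTERVAL_S
        self.tokens = min(BUCKET_CAPACITY, self.tokens + earned)
        self.last_refill += earned * REFILL_INTERVAL_S

    def request_code(self, now: int) -> bool:
        """Send or resend the email; False means the request was rate limited."""
        self._refill(now)
        if self.tokens < 1:
            return False
        self.tokens -= 1
        self.code_sent_at = now  # assumption: only the newest code is checked
        return True

    def submit_code(self, now: int) -> str:
        """Outcome of entering the latest code at time `now` (seconds)."""
        if now - self.txn_start > TXN_LIFETIME_S:
            return "transaction_expired"  # redirect to the application login URI
        if self.code_sent_at is None or now - self.code_sent_at > CODE_VALID_S:
            return "invalid_code"         # error: code is invalid, resend needed
        return "accepted"


def codes_sendable(duration_s: int) -> int:
    """Emails sent if a resend is attempted every second for duration_s."""
    model = EmailMfaModel()
    return sum(model.request_code(t) for t in range(duration_s))


if __name__ == "__main__":
    print(codes_sendable(TXN_LIFETIME_S))  # upper bound within one transaction
```

Times are whole seconds from the start of the transaction; the behavior at exactly five or ten minutes is a modeling choice, not something the article specifies.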
