The Email One-Time Passcode (OTP) Verification is configured as per this screenshot:

This article explains how long the OTP is valid and how many failed retries are allowed.

• Email One-Time Passcode (OTP) Verification

The expiry period is 15 mins and is currently non-configurable.

This endpoint does not currently have a max retries threshold, but users are more likely to come across a rate limit on the following endpoint, which is 5 requests per minute per IP on a production tenant:

 /u/email-identifier/challenge