Login Fails with "Too many failed codes. Wait for some minutes before retrying" Error Due to MFA OTP Rate Limit
This article addresses an error that occurs after multiple failed login attempts using a One-Time Password (OTP) for Multifactor Authentication (MFA). After several incorrect attempts, the following error is displayed:
Too many failed codes. Wait for some minutes before retrying.
Tenant logs may also show the error: Too Many Failures (gd_otp_rate_limit_exceed).
- Multifactor Authentication (MFA)
- One Time Password (OTP)
- SMS code
- Failed Login
- MFA OTP Limit
This error is triggered as an expected security measure. The system imposes a rate limit that restricts a user to ten incorrect OTP submission attempts. After the tenth failed attempt, the account is temporarily locked to prevent brute-force attacks, and the error message is displayed.
This is expected behavior and the lockout is temporary. To resolve the issue, the user must wait for the lockout period to expire.
Additional notes:
- After ten failed attempts, the user must wait for a minimum of six minutes before trying to sign in again.
- If the messaging limit is exceeded, the required wait time increases to one hour, after which the user can make another ten attempts. Refer to the Rate Limit Policy for more information.
- An administrator can customize the error message text. Navigate to Prompts and modify the text for mfa-otp-enrollment-qr, key: too-many-failures. Refer to documentation on how to Customize Universal Login Text Elements for more details.
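Because each lockout stands for ten wrong codes, the tenant-log event named above can be triaged per user to separate a mistyped code from repeated guessing. The following is an added example, not part of the original article or the vendor's tooling; it assumes logs exported as JSON lines with `date`, `type`, `user_name` and `ip` fields (assumed names), and the sample data, one-hour window and threshold of three are constructed.

```python
import json
from collections import defaultdict
from datetime import datetime, timedelta

EVENT = "gd_otp_rate_limit_exceed"  # event code quoted in the article

# Constructed sample export, one JSON object per line; field names are assumptions.
SAMPLE_LOG = """\
{"date": "2024-05-01T09:00:00Z", "type": "gd_otp_rate_limit_exceed", "user_name": "alice@example.com", "ip": "198.51.100.7"}
{"date": "2024-05-01T09:05:00Z", "type": "gd_otp_rate_limit_exceed", "user_name": "bob@example.com", "ip": "203.0.113.9"}
{"date": "2024-05-01T09:12:00Z", "type": "gd_otp_rate_limit_exceed", "user_name": "bob@example.com", "ip": "203.0.113.9"}
{"date": "2024-05-01T09:19:00Z", "type": "gd_otp_rate_limit_exceed", "user_name": "bob@example.com", "ip": "203.0.113.9"}
{"date": "2024-05-01T09:30:00Z", "type": "gd_otp_rate_limit_exceed", "user_name": "carol@example.com", "ip": "192.0.2.10"}
{"date": "2024-05-01T12:30:00Z", "type": "gd_otp_rate_limit_exceed", "user_name": "carol@example.com", "ip": "192.0.2.77"}
{"date": "2024-05-01T09:31:00Z", "type": "other_event", "user_name": "alice@example.com", "ip": "198.51.100.7"}
this line is not JSON and must be skipped
"""

def lockouts(text):
    """Yield (user, timestamp, ip) for each rate-limit event; skip unusable lines."""
    for line in text.splitlines():
        try:
            ev = json.loads(line)
            if not isinstance(ev, dict) or ev.get("type") != EVENT:
                continue
            ts = datetime.fromisoformat(ev["date"].replace("Z", "+00:00"))
        except (ValueError, KeyError, AttributeError):
            continue
        yield ev.get("user_name", "unknown"), ts, ev.get("ip")

def triage(text, window=timedelta(hours=1), repeat_threshold=3):
    """Map user -> reason when lockouts look like more than a mistyped code."""
    by_user = defaultdict(list)
    for user, ts, ip in lockouts(text):
        by_user[user].append((ts, ip))
    findings = {}
    for user, events in by_user.items():
        times = sorted(ts for ts, _ in events)
        # Largest number of lockouts starting within any one window.
        burst = max(sum(1 for t in times if s <= t < s + window) for s in times)
        if burst >= repeat_threshold:
            findings[user] = "repeated_lockouts"  # each event means ten wrong codes
        elif len({ip for _, ip in events}) > 1:
            findings[user] = "multiple_source_ips"
    return findings

if __name__ == "__main__":
    for user, reason in triage(SAMPLE_LOG).items():
        print(f"{user}: {reason}")
```

A single lockout for a user is left unflagged, since the article describes it as expected behavior that clears after the wait period.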