Inconsistent Error Behaviors After Multiple SMS OTP MFA Failures in Auth0
The Universal Login Experience, especially during the Quality Assurance phase or load testing, sometimes displays inconsistent error behavior after multiple failed One-Time Password (OTP) verifications, specifically for Multi-Factor Authentication (MFA) via email or Short Message Service (SMS). This knowledge article explains which conditions trigger each of these behaviors.
In one situation, the following error message is displayed on the page:
- Too many failed codes. Wait for some minutes before retrying.
In another situation, the end user is redirected to the error page. By default, the error message states the following:
- invalid_request: The rate limit for endpoint /u/mfa-sms-challenge was reached. Please retry after a few minutes.
- Auth0
- Multi-Factor Authentication (MFA)
- Short Message Service (SMS)
- One-Time Password (OTP)
- Phone Factor
- Rate Limit
- The "Too many failed codes" error indicates that the rate limit on failed OTP (6 numeric digits) verifications for that end user has been reached.
- The "invalid_request" error indicates that the rate limit for the specific page or prompt (here, the /u/mfa-sms-challenge endpoint) has been reached, independently of any single user's attempts.
These errors can be addressed as follows:
- Too many failed codes. Wait for some minutes before retrying.
  - This error is specific to the end user's own verification attempts. The user must wait for the timeout period to expire (typically 6+ minutes) before attempting to sign in or request a new code.
- invalid_request: The rate limit for endpoint /u/mfa-sms-challenge was reached. Please retry after a few minutes.
  - If encountered during load testing, reduce the login attempt rate.
  - If this occurs unexpectedly in a production environment, it may indicate unusually high traffic (for example, many end users in the same facility sharing the same IP address and accessing the same application at the same time).
  - The end user should wait several minutes before retrying. If the issue persists, contact the system administrator for further investigation.
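The two errors come from two separate limiters keyed on different things: one counts wrong codes per end user, the other counts requests to the challenge endpoint regardless of who is behind them, which is why a shared office IP address can trip the second one even when every user enters a correct code. The following Python model is an added illustration of that distinction and is not Auth0's implementation; the thresholds (MAX_OTP_FAILURES, ENDPOINT_LIMIT, ENDPOINT_WINDOW) and the sample user names and IP addresses are placeholders chosen for the example, and only the lockout duration follows the "6+ minutes" figure given above.

```python
"""Model of two independent MFA rate limits (added example, not Auth0's code).

Limiter 1: wrong OTP submissions per end user -> "Too many failed codes".
Limiter 2: requests to the challenge endpoint per source IP -> "invalid_request".
"""
from collections import defaultdict, deque

# Placeholder thresholds: assumptions for this example, not Auth0's real values.
MAX_OTP_FAILURES = 5          # wrong codes a user may enter before lockout
OTP_LOCKOUT_SECONDS = 6 * 60  # roughly the "6+ minutes" mentioned in the article
ENDPOINT_LIMIT = 20           # challenge requests allowed per source IP per window
ENDPOINT_WINDOW = 60          # window length in seconds

# The two messages exactly as the article quotes them.
OTP_LOCKED_MSG = "Too many failed codes. Wait for some minutes before retrying."
ENDPOINT_MSG = ("invalid_request: The rate limit for endpoint "
                "/u/mfa-sms-challenge was reached. Please retry after a few minutes.")


class MfaRateLimitModel:
    """Keeps per-user failure state and per-IP request state side by side."""

    def __init__(self):
        self.failures = defaultdict(list)   # user -> timestamps of wrong codes
        self.locked_until = {}              # user -> time at which lockout expires
        self.requests = defaultdict(deque)  # ip -> timestamps of endpoint requests

    def _endpoint_limited(self, ip, now):
        """Sliding-window count of requests from one IP; True if over the limit."""
        window = self.requests[ip]
        while window and now - window[0] >= ENDPOINT_WINDOW:
            window.popleft()
        if len(window) >= ENDPOINT_LIMIT:
            return True
        window.append(now)
        return False

    def submit_code(self, user, ip, code_correct, now):
        """Return "ok", "invalid_code", or one of the two rate-limit messages."""
        # The endpoint limit is evaluated per IP and does not care which user it is.
        if self._endpoint_limited(ip, now):
            return ENDPOINT_MSG
        # The OTP failure lockout is evaluated per user.
        if self.locked_until.get(user, 0) > now:
            return OTP_LOCKED_MSG
        if code_correct:
            self.failures[user].clear()
            return "ok"
        self.failures[user].append(now)
        if len(self.failures[user]) >= MAX_OTP_FAILURES:
            self.locked_until[user] = now + OTP_LOCKOUT_SECONDS
            self.failures[user].clear()
            return OTP_LOCKED_MSG
        return "invalid_code"


def single_user_guessing():
    """Constructed scenario: one user from one IP keeps entering wrong codes."""
    m = MfaRateLimitModel()
    results = [m.submit_code("alice", "203.0.113.10", False, t)
               for t in range(MAX_OTP_FAILURES)]
    # A correct code is still rejected while the lockout is active ...
    during = m.submit_code("alice", "203.0.113.10", True, MAX_OTP_FAILURES)
    # ... and accepted once the lockout period has passed.
    after = m.submit_code("alice", "203.0.113.10", True,
                          MAX_OTP_FAILURES + OTP_LOCKOUT_SECONDS)
    return results, during, after


def shared_ip_office():
    """Constructed scenario: many distinct users behind one NAT address, all correct."""
    m = MfaRateLimitModel()
    return [m.submit_code(f"user{i}", "198.51.100.7", True, 0)
            for i in range(ENDPOINT_LIMIT + 3)]


if __name__ == "__main__":
    results, during, after = single_user_guessing()
    print("single user:", results[-1], "| during lockout:", during, "| after:", after)
    print("shared IP:", shared_ip_office()[-1])
```

Running the module prints the "Too many failed codes" outcome for the single guessing user and the "invalid_request" outcome for the office scenario, matching the cause analysis above: the first limiter never fires for the office users because their codes are correct, and the second never fires for the lone user because one person cannot exceed the endpoint budget within the window.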