Understanding Email OTP Behaviour in Auth0 Passwordless Authentication

Overview

This article explains why previously issued Email OTP codes become invalid when a new code is requested in Auth0 Passwordless Authentication. It also provides technical clarification of the behaviour and recommendations to improve the user experience when email delivery delays occur.

In Auth0 Passwordless Authentication using Email OTP, users may occasionally experience issues where the code they enter is rejected as invalid. This commonly happens when the email is delayed, and the user requests a new OTP before the previous one arrives.

Applies To

  • Passwordless connection
  • SMS
  • Email

Cause

This behaviour is expected and by design.

Each time a user requests a new OTP:

  • A new OTP code is generated.
  • Any previously issued OTP codes are immediately invalidated.
  • Only the most recently generated OTP remains valid.

This improves security and prevents the reuse of older codes.
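
The invalidation rule above, modelled as an added example (this is not Auth0's code and not part of the original article). The class and function names, the 300-second lifetime and the single-use consumption on success are assumptions made for illustration; the scenario data is constructed.

```python
import hmac
import secrets
import time

OTP_TTL_SECONDS = 300  # assumed lifetime for this model, not an Auth0 value


class LatestOnlyOtpStore:
    """Toy model: one live code per identity; a new request replaces it."""

    def __init__(self, clock=time.monotonic):
        self._clock = clock
        self._live = {}  # email -> (code, issued_at)

    def request_code(self, email):
        # Issuing a new code overwrites, and so invalidates, any earlier one.
        code = f"{secrets.randbelow(10**6):06d}"
        self._live[email] = (code, self._clock())
        return code

    def verify(self, email, submitted):
        entry = self._live.get(email)
        if entry is None:
            return False
        code, issued_at = entry
        if self._clock() - issued_at > OTP_TTL_SECONDS:
            del self._live[email]
            return False
        # Constant-time comparison; a successful check consumes the code.
        if hmac.compare_digest(code.encode(), submitted.encode()):
            del self._live[email]
            return True
        return False


def delayed_email_scenario():
    """Constructed case: the first email is slow, so the user requests a second code."""
    store = LatestOnlyOtpStore()
    user = "user@example.com"
    first = store.request_code(user)   # this email is delayed in transit
    second = store.request_code(user)  # user asks for a new code
    while second == first:             # rule out a 1-in-10^6 collision in the demo
        second = store.request_code(user)
    return {
        "first_code_accepted": store.verify(user, first),
        "second_code_accepted": store.verify(user, second),
        "second_code_reused": store.verify(user, second),
    }
```

Calling `delayed_email_scenario()` shows the rejection users report: the first code is refused as soon as the second is issued, even though it has not expired.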

Solution

The recommendations are: 

1. Investigate Email Delivery Delays

Review the email logs and delivery timestamps to identify potential bottlenecks. It is also recommended to check the Email Service Provider (ESP) for any reported latency issues that might be causing codes to arrive after they have already expired.

2. Improve User Messaging

Clearly inform users that only the latest OTP is valid to prevent them from entering stale codes.

Suggested phrases:

  • "Please wait a few moments before requesting a new code."
  • "A new code has been sent. Please use the most recent code, as any previous codes are now invalid."

To update the error messaging for invalid codes, follow these steps in the Auth0 dashboard:

  1. Navigate to the Auth0 Dashboard > Branding > Edit text and translations.
  2. From the Prompt Selection, select login-passwordless.
  3. Choose the specific screen (for example, login-passwordless-email-code).
  4. Locate the invalid-verification-code entry.
  5. Update the Text field with the preferred messaging from the suggested phrases above.
