OTP Failed Attempt Lockout Strategies
How to design lockout after repeated failed OTP entries: per-request, per-account, exponential lockout, and unlock pathways. Balance security with user experience.
StartMessaging Team
Engineering
Lockouts protect against brute-force guessing of OTP codes, but an overly aggressive policy locks out legitimate users who simply mistype a code. The right design uses tiers: a tight limit on a single OTP request, and looser limits on the account over longer windows.
Three Lockout Levels
- Per-request: 3 failed attempts → invalidate the request.
- Per-account hour: 10 failed verifications within an hour → 1-hour lockout.
- Per-account day: 30 failed verifications within 24 hours → 24-hour lockout + alert.
Measure the per-account windows as sliding windows rather than calendar hours or days, so an attacker cannot reset the count by straddling a boundary.
Per-Request Lockout
The OTP API enforces this tier itself. After 3 wrong attempts the requestId is invalidated and the user must request a new OTP. With a 6-digit code, for example, this caps an attacker's chance of guessing a single request at 3 in 10^6.
Per-Account Lockout
Track failures per user (or per phone-number hash) across requests. The per-request limit alone is not enough, because the attack mode is cross-request brute force: request a fresh OTP after every 3 wrong guesses and keep going. If you key the counter by a hash of the phone number, use a keyed hash (an HMAC with a server-side secret) rather than a bare SHA-256; the phone-number space is small enough to enumerate, so an unkeyed hash is trivially reversible.
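The following is an added example, not StartMessaging's own code, showing the three tiers above combined into one policy object and then exercised by a simulated cross-request attacker. The `LockoutPolicy` class, the `acct:user-42` account key, the `req-N` request IDs and the in-memory dictionaries are assumptions made for illustration; a real service would keep the same counters in a store such as Redis with TTLs matching the windows.

```python
import time
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Tuple

# Thresholds from the three tiers above. Windows and lock durations are in seconds;
# both per-account windows are sliding, not calendar-aligned.
PER_REQUEST_MAX = 3
HOUR_MAX, HOUR_WINDOW, HOUR_LOCK = 10, 3600, 3600
DAY_MAX, DAY_WINDOW, DAY_LOCK = 30, 86400, 86400


@dataclass
class Decision:
    allowed: bool
    reason: str                # "ok", "request_invalidated", "locked_hour", "locked_day"
    locked_until: float = 0.0  # epoch seconds; 0 when no account-level lock applies
    alert: bool = False        # True when the day tier fired and an alert should be raised


@dataclass
class LockoutPolicy:
    """Hypothetical in-memory lockout state; the clock is injectable so the example is deterministic."""
    now: Callable[[], float] = time.time
    request_failures: Dict[str, int] = field(default_factory=dict)          # requestId -> wrong attempts
    account_failures: Dict[str, List[float]] = field(default_factory=dict)  # account -> failure timestamps
    locks: Dict[str, Tuple[float, str]] = field(default_factory=dict)       # account -> (until, reason)
    alerts: List[str] = field(default_factory=list)                          # accounts that hit the day tier

    def check(self, account: str, request_id: str) -> Decision:
        """Run before comparing the submitted code; a denied attempt must not be compared at all."""
        lock = self.locks.get(account)
        if lock and lock[0] > self.now():
            return Decision(False, lock[1], lock[0])
        if self.request_failures.get(request_id, 0) >= PER_REQUEST_MAX:
            return Decision(False, "request_invalidated")
        return Decision(True, "ok")

    def record_failure(self, account: str, request_id: str) -> Decision:
        """Count a wrong code against both the request and the account, escalating by tier."""
        t = self.now()
        self.request_failures[request_id] = self.request_failures.get(request_id, 0) + 1
        history = self.account_failures.setdefault(account, [])
        history.append(t)
        history[:] = [x for x in history if x > t - DAY_WINDOW]  # forget failures outside the day window
        in_last_hour = sum(1 for x in history if x > t - HOUR_WINDOW)
        if len(history) >= DAY_MAX:  # strictest tier first, so the day lock overrides the hour lock
            self.locks[account] = (t + DAY_LOCK, "locked_day")
            self.alerts.append(account)
            return Decision(False, "locked_day", t + DAY_LOCK, alert=True)
        if in_last_hour >= HOUR_MAX:
            self.locks[account] = (t + HOUR_LOCK, "locked_hour")
            return Decision(False, "locked_hour", t + HOUR_LOCK)
        if self.request_failures[request_id] >= PER_REQUEST_MAX:
            return Decision(False, "request_invalidated")
        return Decision(True, "ok")

    def record_success(self, account: str, request_id: str) -> None:
        """A correct code proves possession of the phone: clear the request counter and the account history."""
        self.request_failures.pop(request_id, None)
        self.account_failures.pop(account, None)


def simulate_attacker(total_failures: int):
    """Constructed scenario: an attacker keeps submitting wrong codes, asks for a fresh OTP whenever a
    request is invalidated, and waits out every lockout. Returns the policy and the decision per failure."""
    clock = [1_700_000_000.0]
    policy = LockoutPolicy(now=lambda: clock[0])
    account, reasons, req_no, failures = "acct:user-42", [], 0, 0
    while failures < total_failures:
        request_id = f"req-{req_no}"
        d = policy.check(account, request_id)
        if not d.allowed:
            if d.reason == "request_invalidated":
                req_no += 1              # defeat the per-request tier by requesting a new OTP
            else:
                clock[0] = d.locked_until  # account tier: nothing to do but wait
            continue
        d = policy.record_failure(account, request_id)
        failures += 1
        reasons.append(d.reason)
        clock[0] += 1.0  # one guess per second
    return policy, reasons


if __name__ == "__main__":
    policy, reasons = simulate_attacker(30)
    print(reasons)          # per-request invalidations, two hour locks, then the day lock
    print(policy.alerts)    # ['acct:user-42']
```

The simulation shows why the tiers must be layered: cycling request IDs gets the attacker past the per-request limit, the hour tier turns 10 guesses into a forced hour of waiting, and the day tier caps the total at 30 guesses per 24 hours before an alert fires. Note that `record_failure` evaluates the strictest tier first, so the day lock overrides the hour lock rather than being masked by it.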
Unlock Pathways
- Time-based auto-unlock: the lockout simply expires.
- Email link to unlock, with secondary verification before the lock is actually cleared.
- Manual unlock by customer support for users with verified KYC.
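An added example, not StartMessaging's code, of the email-link pathway: the link carries an HMAC-signed, short-lived token that is bound to the specific lockout it was issued for, so a forwarded or replayed link cannot clear a later lockout, and the signature is checked with a constant-time comparison. The function names, the 15-minute TTL and the claim layout are assumptions; the handler that receives the link must still perform the secondary verification before calling into the lockout store.

```python
import base64
import hashlib
import hmac
import json
import time


def _b64(data: bytes) -> bytes:
    return base64.urlsafe_b64encode(data).rstrip(b"=")


def _unb64(data: bytes) -> bytes:
    return base64.urlsafe_b64decode(data + b"=" * (-len(data) % 4))


def issue_unlock_token(secret: bytes, account: str, locked_until: float, *, ttl: int = 900,
                       now=time.time) -> str:
    """Token for the unlock e-mail: claims bound to the account and to the lock currently in force."""
    claims = {"acct": account, "lock": int(locked_until), "exp": int(now()) + ttl}
    body = _b64(json.dumps(claims, separators=(",", ":"), sort_keys=True).encode())
    mac = hmac.new(secret, body, hashlib.sha256).digest()
    return (body + b"." + _b64(mac)).decode()


def verify_unlock_token(secret: bytes, token: str, account: str, current_locked_until: float, *,
                        now=time.time) -> bool:
    """True only if the token is authentic, unexpired, for this account, and for the lock in force now."""
    try:
        body, sig = token.encode().split(b".", 1)
        expected = hmac.new(secret, body, hashlib.sha256).digest()
        if not hmac.compare_digest(expected, _unb64(sig)):  # constant-time; checked before parsing claims
            return False
        claims = json.loads(_unb64(body))
        return (claims["acct"] == account
                and claims["lock"] == int(current_locked_until)
                and now() < claims["exp"])
    except (ValueError, KeyError, TypeError):
        return False


if __name__ == "__main__":
    SECRET = b"constructed-example-secret"   # assumption: a real deployment loads this from a secret store
    T = 1_700_000_000
    link_token = issue_unlock_token(SECRET, "acct:user-42", T + 3600, now=lambda: T)
    print(verify_unlock_token(SECRET, link_token, "acct:user-42", T + 3600, now=lambda: T + 60))   # True
    print(verify_unlock_token(SECRET, link_token, "acct:user-42", T + 7200, now=lambda: T + 60))   # False
```

Binding the token to `locked_until` is the important detail: if the account is locked again after the e-mail was sent, the old link refers to a lock that no longer exists and is rejected, which keeps a leaked or forwarded link from becoming a standing unlock capability.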
FAQ
Pair lockouts with rate limiting for layered defence: lockouts cap how many codes can be verified, while rate limits on OTP requests (per phone and per IP) cap how quickly an attacker can cycle through fresh requestIds and how much SMS spend they can drive.
Related Articles
Best practices for OTP time windows, max verification attempts, lockout strategies, resend cooldowns, and the UX tradeoffs developers need to consider.
Learn proven rate limiting strategies for OTP APIs: per-phone, per-IP, and sliding window approaches to prevent SMS pumping and brute force attacks.
Learn what SMS pumping and OTP fraud are, how artificial inflation attacks work, detection signals, prevention techniques, and how to protect your SMS budget.
Ready to Send OTPs?
Integrate StartMessaging in 5 minutes. No DLT registration required.