Vivek N

Reputation: 991

Azure AD B2C How long is the wait time if a user has tried multiple failed attempts for verification code

We have a website leveraging B2C authentication. Some users who, while trying 'forgot password', enter an invalid code multiple times start getting “Too many attempts, Please try again later”. How long should a user wait if he receives this message? And can we control the wait time somewhere in the B2C configuration settings?

We are using the out-of-the-box user flows/policies and everything works as expected.

Upvotes: 0

Views: 1308

Answers (2)

TimH

Reputation: 1032

The OTP verification lockout duration can be controlled with the CodeExpirationInSeconds value, as described here:

Time in seconds until code expiration. Minimum: 60; Maximum: 1200; Default: 600. Every time a code is provided (same code using ReuseSameCode, or a new code), the code expiration is extended. This time is also used to set retry timeout (once max attempts are reached, user is locked out from attempting to obtain new codes until this time expires)

https://learn.microsoft.com/en-us/azure/active-directory-b2c/one-time-password-technical-profile?source=recommendations#metadata

Upvotes: 0
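The answer above points at the metadata of a custom policy's one-time password technical profile. As an added example (not part of the answer or of Microsoft's code), this Python check reads a policy fragment and reports the effective expiry/lockout window per code-generation profile, flagging values outside the documented 60 to 1200 second range. The sample policy and its profile Ids are constructed for illustration.

```python
import xml.etree.ElementTree as ET

# Bounds and default quoted in the answer above.
MIN_S, MAX_S, DEFAULT_S = 60, 1200, 600

def local(tag):
    """Drop the XML namespace so the check works with or without xmlns."""
    return tag.rsplit("}", 1)[-1]

def otp_lockout_windows(policy_xml):
    """Map each GenerateCode profile Id to (seconds, within_documented_range)."""
    results = {}
    for tp in ET.fromstring(policy_xml.strip()).iter():
        if local(tp.tag) != "TechnicalProfile":
            continue
        meta = {i.get("Key"): (i.text or "").strip()
                for i in tp.iter() if local(i.tag) == "Item"}
        if meta.get("Operation") != "GenerateCode":
            continue  # the setting applies to code generation
        # A missing key means the documented default (600 s) is in effect.
        raw = meta.get("CodeExpirationInSeconds", str(DEFAULT_S))
        seconds = int(raw) if raw.isdecimal() else None  # None: not a number
        results[tp.get("Id")] = (seconds,
                                 seconds is not None and MIN_S <= seconds <= MAX_S)
    return results

# Constructed sample fragment; the profile Ids are hypothetical.
SAMPLE_POLICY = """
<TechnicalProfiles xmlns="http://schemas.microsoft.com/online/cpim/schemas/2013/06">
  <TechnicalProfile Id="Otp-Default">
    <Metadata><Item Key="Operation">GenerateCode</Item></Metadata>
  </TechnicalProfile>
  <TechnicalProfile Id="Otp-Short"><Metadata>
    <Item Key="Operation">GenerateCode</Item>
    <Item Key="CodeExpirationInSeconds">120</Item>
  </Metadata></TechnicalProfile>
  <TechnicalProfile Id="Otp-TooLong"><Metadata>
    <Item Key="Operation">GenerateCode</Item>
    <Item Key="CodeExpirationInSeconds">3600</Item>
  </Metadata></TechnicalProfile>
  <TechnicalProfile Id="Otp-Verify">
    <Metadata><Item Key="Operation">VerifyCode</Item></Metadata>
  </TechnicalProfile>
</TechnicalProfiles>
"""

if __name__ == "__main__":
    print(otp_lockout_windows(SAMPLE_POLICY))
```
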

rbrayb

Reputation: 46720

As per the documentation:

"Azure AD B2C uses a sophisticated strategy to lock accounts. The accounts are locked based on the IP of the request and the passwords entered. The duration of the lockout also increases based on the likelihood that it's an attack. After a password is tried 10 times unsuccessfully (the default attempt threshold), a one-minute lockout occurs. The next time a login is unsuccessful after the account is unlocked (that is, after the account has been automatically unlocked by the service once the lockout period expires), another one-minute lockout occurs and continues for each unsuccessful login. Entering the same, or similar password repeatedly doesn't count as multiple unsuccessful logins".

You can set the lockout threshold and duration.

Upvotes: 1
