Version Affected: All
Description:
When a request is sent to the OTP validation endpoint (/api/v1/otp/validate), the Multi-Factor Throttling limit appears to be ignored. This is most noticeable when the default of 5 attempts in 30 minutes has been changed in the admin console.
Yet when the Multi-Factor Throttling limit is tested via the usual realm workflow instead of the API, the limit is enforced as expected.
Cause:
The OTP validation throttling is decoupled from the OTP request throttling and has its own separate throttling settings. Unlike the OTP request throttling settings, these are not exposed in the admin console UI.
By default the OTP validation throttle is set to 5 attempts in 30 minutes if not set in the web.config.
Resolution:
The OTP validation throttle can be changed in the web.config using these two appSettings keys:
<add key="MultiFactorOtpValidateThrottleCount" value="5" />
<add key="MultiFactorOtpValidateThrottleInterval" value="30" />
If not already present, they can be added to the end of the appSettings section of the web.config after decrypting it first, e.g.:
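The following script is an added example, not part of this KB article or SecureAuth's own tooling. It reports the OTP validation throttle a realm will actually enforce (falling back to the documented 5 attempts in 30 minutes when the keys are absent) and adds or updates the two keys. It assumes the web.config has already been decrypted to plain XML; the sample content and the "ExampleSetting" key are constructed for illustration.

```python
import xml.etree.ElementTree as ET

# Keys and defaults as documented above: when absent from web.config the
# validation throttle silently falls back to 5 attempts in 30 minutes.
VALIDATE_KEYS = {
    "MultiFactorOtpValidateThrottleCount": "5",
    "MultiFactorOtpValidateThrottleInterval": "30",
}

# Constructed sample of a decrypted web.config (not a real appliance file).
# "ExampleSetting" is a hypothetical placeholder for unrelated settings.
SAMPLE_WEB_CONFIG = """<?xml version="1.0"?>
<configuration>
  <appSettings>
    <add key="ExampleSetting" value="x" />
  </appSettings>
</configuration>
"""


def effective_validate_throttle(config_xml: str) -> dict:
    """Return the validation throttle that /api/v1/otp/validate will enforce.

    A key that is missing is reported via the default, which is exactly the
    case where a tightened admin-console request throttle is not mirrored
    on the validation endpoint.
    """
    root = ET.fromstring(config_xml)
    app_settings = root.find("appSettings")
    present = {}
    if app_settings is not None:
        for add in app_settings.findall("add"):
            if add.get("key") in VALIDATE_KEYS:
                present[add.get("key")] = add.get("value")
    merged = {**VALIDATE_KEYS, **present}
    return {
        "count": int(merged["MultiFactorOtpValidateThrottleCount"]),
        "interval_minutes": int(merged["MultiFactorOtpValidateThrottleInterval"]),
        "explicitly_set": sorted(present),
    }


def ensure_validate_throttle(config_xml: str, count: int, interval_minutes: int) -> str:
    """Return config_xml with both keys set: updated in place if present,
    otherwise appended to the end of appSettings (no duplicate keys)."""
    root = ET.fromstring(config_xml)
    app_settings = root.find("appSettings")
    if app_settings is None:
        app_settings = ET.SubElement(root, "appSettings")
    wanted = {
        "MultiFactorOtpValidateThrottleCount": str(count),
        "MultiFactorOtpValidateThrottleInterval": str(interval_minutes),
    }
    for add in app_settings.findall("add"):
        if add.get("key") in wanted:
            add.set("value", wanted.pop(add.get("key")))
    for key, value in wanted.items():
        ET.SubElement(app_settings, "add", key=key, value=value)
    return ET.tostring(root, encoding="unicode")
```

Write the returned XML back and re-encrypt it with the usual SecureAuth procedure; the script does not handle the encryption step itself.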
SecureAuth Knowledge Base Articles provide information based on specific use cases and may not apply to all appliances or configurations. Be advised that these instructions could cause harm to the environment if not followed correctly or if they do not apply to the current use case.
Customers are responsible for their own due diligence prior to utilizing this information and agree that SecureAuth is not liable for any issues caused by misconfiguration directly or indirectly related to SecureAuth products.