Azure B2C MFA methods code resend and lockout behavior (custom policy)


We are offering 3 methods to the user on our custom login user journey: Phone, SMS and Email.

My understanding is each method has its own way of working, and I could not find the default behavior for resend limits or lockout.

Phone Call: Looks like you can't cancel/retry the phone call. If you pick up and enter a wrong key, or if you do not pick up, it just hangs and redirects back to the app with an error code?

SMS: My dev tenant only lets me send 1 SMS, and if I enter it incorrectly it just gives me a message saying the SMS limit was reached. Not sure if this is due to me being on the free B2C plan, and not sure where we configure how many failed attempts there can be for each session, or how to set it?

Email: Looks like the built-in email verification technical profile lets you enter 10 incorrect codes before it gives an error. Is this configurable?

My requirement is to limit failed attempts to 5 on each of these, and on the 6th retry give an error message and send an API call to the backend to log and lock the account for 24 hours.

How can I achieve limiting retries and making sure the account is locked after a certain number of failed retries?


This is possible using custom policies and third-party components to send your mail/SMS/phone call, such as Twilio and SendGrid.

Email: Yes, you can achieve this using Display Controls and the OTP technical profile setting NumRetryAttempts, together with a third-party email provider such as SendGrid. Microsoft Docs here

Phone Call / SMS: There are not many settings that can be adjusted for the PhoneFactor technical profiles. You can, however, use the same model as email and use Twilio APIs to make the phone call or send the SMS.
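As an added illustration of the Display Control approach from the answer above (example policy XML, not the answerer's code): the two OneTimePasswordProtocolProvider technical profiles with NumRetryAttempts set to 5, and the verification display control that wires them into a self-asserted page. Claim names, profile IDs and the SendOtpViaSendGrid REST profile that actually delivers the mail are assumptions; the 24-hour backend lock the question asks for is not part of this fragment.

```xml
<!-- Added example, not from the answer: claim names and SendOtpViaSendGrid are assumed -->
<TechnicalProfile Id="GenerateOtp">
  <Protocol Name="Proprietary" Handler="Web.TPEngine.Providers.OneTimePasswordProtocolProvider, Web.TPEngine, Version=1.0.0.0, Culture=neutral, PublicKeyToken=null" />
  <Metadata>
    <Item Key="Operation">GenerateCode</Item>
    <Item Key="CodeExpirationInSeconds">600</Item>
    <Item Key="CodeLength">6</Item>
    <!-- five wrong codes are tolerated; the sixth VerifyCode call fails the exchange -->
    <Item Key="NumRetryAttempts">5</Item>
  </Metadata>
  <InputClaims>
    <InputClaim ClaimTypeReferenceId="email" PartnerClaimType="identifier" />
  </InputClaims>
  <OutputClaims>
    <OutputClaim ClaimTypeReferenceId="otp" PartnerClaimType="otpGenerated" />
  </OutputClaims>
</TechnicalProfile>
<TechnicalProfile Id="VerifyOtp">
  <Protocol Name="Proprietary" Handler="Web.TPEngine.Providers.OneTimePasswordProtocolProvider, Web.TPEngine, Version=1.0.0.0, Culture=neutral, PublicKeyToken=null" />
  <Metadata>
    <Item Key="Operation">VerifyCode</Item>
  </Metadata>
  <InputClaims>
    <InputClaim ClaimTypeReferenceId="email" PartnerClaimType="identifier" />
    <InputClaim ClaimTypeReferenceId="verificationCode" PartnerClaimType="otpToVerify" />
  </InputClaims>
</TechnicalProfile>
<!-- Verification display control: SendCode generates and mails the code, VerifyCode checks it -->
<DisplayControl Id="emailVerificationControl" UserInterfaceControlType="VerificationControl">
  <DisplayClaims>
    <DisplayClaim ClaimTypeReferenceId="email" Required="true" />
    <DisplayClaim ClaimTypeReferenceId="verificationCode" ControlClaimType="VerificationCode" Required="true" />
  </DisplayClaims>
  <OutputClaims>
    <OutputClaim ClaimTypeReferenceId="email" />
  </OutputClaims>
  <Actions>
    <Action Id="SendCode">
      <ValidationClaimsExchange>
        <ValidationClaimsExchangeTechnicalProfile TechnicalProfileReferenceId="GenerateOtp" />
        <ValidationClaimsExchangeTechnicalProfile TechnicalProfileReferenceId="SendOtpViaSendGrid" />
      </ValidationClaimsExchange>
    </Action>
    <Action Id="VerifyCode">
      <ValidationClaimsExchange>
        <ValidationClaimsExchangeTechnicalProfile TechnicalProfileReferenceId="VerifyOtp" />
      </ValidationClaimsExchange>
    </Action>
  </Actions>
</DisplayControl>
```

Once NumRetryAttempts wrong entries have been made, the provider treats the issued code as invalid, so further guesses against that code fail regardless of their value.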