by kevincox
1368 days ago
Yeah, it should basically be a timeout. If within a few minutes of entering the correct password a correct second factor is not provided then it should notify the user. I think you can probably skip notifying on a single failed OTP code to avoid spamming the user when they make a typo (or are a bit too slow for TOTP) but if you were very paranoid you could also send in this situation.
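The timeout rule described in the comment above, as an added sketch that is not part of the original comment or of any real product's code. The event kinds, field names, the 300-second window and the `paranoid` flag are assumptions made for illustration.

```python
from dataclasses import dataclass

# Assumed event kinds; the comment does not define a log format.
PASSWORD_OK, OTP_OK, OTP_FAIL = "password_ok", "otp_ok", "otp_fail"

@dataclass(frozen=True)
class Event:
    ts: int        # seconds since epoch
    attempt: str   # login-attempt id issued after a correct password (assumed)
    user: str
    kind: str

def alerts(events, now, timeout=300, paranoid=False):
    """Return sorted (user, attempt, reason) tuples that should notify the user.

    timeout:  seconds allowed between correct password and correct second factor.
    paranoid: also notify on a failed OTP, even if the login later succeeds.
    """
    started, failed, completed = {}, set(), set()
    for e in sorted(events, key=lambda e: e.ts):
        if e.kind == PASSWORD_OK:
            started.setdefault(e.attempt, e)
        elif e.attempt in started:
            in_window = e.ts - started[e.attempt].ts <= timeout
            if e.kind == OTP_OK and in_window:
                completed.add(e.attempt)
            elif e.kind == OTP_FAIL:
                failed.add(e.attempt)
    out = []
    for attempt, start in started.items():
        if attempt not in completed and now - start.ts >= timeout:
            # Correct password, but no correct second factor within the window.
            out.append((start.user, attempt, "second_factor_timeout"))
        elif paranoid and attempt in failed:
            out.append((start.user, attempt, "otp_failed"))
    return sorted(out)

# Constructed sample events (not real logs).
SAMPLE = [
    Event(1000, "a1", "alice", PASSWORD_OK),
    Event(1020, "a1", "alice", OTP_FAIL),     # typo
    Event(1035, "a1", "alice", OTP_OK),       # corrected in time
    Event(1100, "b1", "bob", PASSWORD_OK),    # password entered, never completed
    Event(1110, "b1", "bob", OTP_FAIL),
    Event(1500, "c1", "carol", PASSWORD_OK),  # still inside the window at now=1600
]
```

With the default settings alice's typo produces no notification, while bob's abandoned attempt does once the window has elapsed.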