by caleblloyd 219 days ago
Sure, but say the implementation lets you try 5 codes in that 10 minutes with a 30 minute lockout. An attacker could trigger Account Recovery, blindly try 5 six-digit codes immediately, and have a 0.0005% chance of getting into your account.

They could script this to run over a long period of time targeting 1 account, or they could target many accounts at once, and would probably have success.
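The rate-limit arithmetic in this comment, worked through as an added example (not code from the thread or from any provider): it takes the 6-digit / 5-tries / 10-minute / 30-minute figures above and compares them against a longer code, a looser policy, and a policy that also voids the code once the lockout trips. The 40-minute cycle, the one-year horizon and the account counts are assumptions.

```python
"""Brute-force odds of a short numeric recovery code under a rate-limit policy.
Added example for this thread, not anyone's real implementation: the figures
(6 digits, 5 tries per 10-minute window, 30-minute lockout) are from the comment
above; the model itself is constructed."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Policy:
    digits: int                   # length of the numeric code
    attempts_per_window: int      # wrong guesses tolerated before lockout
    window_min: int               # minutes an issued code stays valid
    lockout_min: int              # lockout length after those failures
    invalidate_on_lockout: bool = False  # also discard the code on lockout

def guesses_per_code(p: Policy) -> int:
    """Guesses an attacker can spend on ONE issued code before it expires.
    A new burst is possible only if the lockout ends while the code is still
    valid; voiding the code on lockout caps this at one burst."""
    bursts = 1 if p.invalidate_on_lockout else 1 + (p.window_min - 1) // p.lockout_min
    return min(bursts * p.attempts_per_window, 10 ** p.digits)

def p_guess_one_code(p: Policy) -> float:
    """Probability that blind guessing of one issued code succeeds."""
    return guesses_per_code(p) / 10 ** p.digits

def p_success_campaign(p: Policy, triggers: int) -> float:
    """At least one success when recovery is re-triggered `triggers` times on
    one account (independent draws). Capping recovery requests per account
    per day is what bounds `triggers`."""
    return 1.0 - (1.0 - p_guess_one_code(p)) ** triggers

def expected_compromised(p: Policy, accounts: int, triggers_each: int = 1) -> float:
    """Expected accounts opened when the same attempt is sprayed widely."""
    return accounts * p_success_campaign(p, triggers_each)

if __name__ == "__main__":
    year = 365 * 24 * 60 // 40   # assumed: one 40-minute window+lockout cycle, repeated
    for name, pol in [("thread policy", Policy(6, 5, 10, 30)),
                      ("8-digit code", Policy(8, 5, 10, 30)),
                      ("60-min window, 10-min lockout", Policy(6, 5, 60, 10)),
                      ("same, code voided on lockout", Policy(6, 5, 60, 10, True))]:
        print(f"{name:30} per code {p_guess_one_code(pol):.1e}  "
              f"1 acct/1 yr {p_success_campaign(pol, year):.2%}  "
              f"1M accts x1 {expected_compromised(pol, 1_000_000):.1f}")
```

The per-code number reproduces the 0.0005% in the comment; the other columns show why the defensive levers are code length, a short validity window relative to the lockout, voiding the code on lockout, and a cap on recovery requests per account.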


This is my biggest gripe with email auth or any kind of security code via sms/mms. I pray for the day I can fully move to a passwordless setup and break free of the mess of email address spaghetti and phone numbers.
It’s probably easier to just have an exception log when someone(s) have 100 bad password attempts in a day or whatever.
Feel free to implement something that sends a UUID, and deal with the complaints instead.