Code submissions limit

In some flows, such as verification, recovery, and registration, a code is sent to a user-controlled address (for example, an email address). When the user submits the correct code, the flow advances. If the wrong code is submitted too many times, the flow fails.

It is important to strike a balance: a user should be able to submit a wrong code a few times, for example because of typos, but not so many times that an attacker can brute-force the code.

To that end, the numeric limit can be configured. The default is 5. To prevent misconfiguration, this number is required to be between 1 and 255. We recommend a rather small number for security reasons, probably under 10. Organizations with strict security policies might set this number to 2 or 3.
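The following sketch shows the trade-off described above. It is an added example, not Ory's implementation: `CodeFlow`, `validate_limit`, `guess_probability`, and `new_code` are hypothetical names, the 6-digit numeric code length is an assumption, and the limit is treated here as the total number of submissions allowed per flow.

```python
import hmac
import secrets

# Bounds and default as stated on this page.
MIN_LIMIT, MAX_LIMIT, DEFAULT_LIMIT = 1, 255, 5


def validate_limit(limit: int) -> int:
    """Reject values outside the allowed 1..255 range."""
    if isinstance(limit, bool) or not isinstance(limit, int):
        raise ValueError("limit must be an integer")
    if not MIN_LIMIT <= limit <= MAX_LIMIT:
        raise ValueError(f"limit must be between {MIN_LIMIT} and {MAX_LIMIT}")
    return limit


class CodeFlow:
    """Hypothetical flow state: one code and one submission counter."""

    def __init__(self, code: str, max_submissions: int = DEFAULT_LIMIT):
        self._code = code
        self.max_submissions = validate_limit(max_submissions)
        self.submissions = 0
        self.state = "pending"  # pending -> passed | failed

    def submit(self, candidate: str) -> str:
        if self.state != "pending":
            return self.state  # a finished flow accepts no further codes
        self.submissions += 1
        # Constant-time comparison avoids leaking how many characters matched.
        if hmac.compare_digest(candidate.encode(), self._code.encode()):
            self.state = "passed"
        elif self.submissions >= self.max_submissions:
            self.state = "failed"  # budget spent; the correct code is now rejected too
        return self.state


def guess_probability(limit: int, digits: int = 6) -> float:
    """Chance that `limit` distinct guesses hit a uniformly random numeric code.

    The 6-digit default is an assumption made for this example.
    """
    return min(1.0, validate_limit(limit) / 10 ** digits)


def new_code(digits: int = 6) -> str:
    """Generate a uniformly random numeric code from a CSPRNG."""
    return f"{secrets.randbelow(10 ** digits):0{digits}d}"
```

Under these assumptions, the default of 5 gives an attacker a 5 in 1,000,000 chance per flow, while the maximum of 255 raises that to 255 in 1,000,000, so flow creation should also be rate limited.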

To change the limit, go to Ory Console -> Authentication -> General -> Maximum number of code submissions, enter the desired number, and click the Save button.