One-time passwords (OTP) are widely used to protect user accounts. They are commonly seen in login verification, password reset, and sensitive actions. Even if OTP is present, many applications still fail to apply proper rate limiting. This makes OTP-based authentication vulnerable to abuse, especially when combined with other issues like email enumeration.
Introduction
OTP is often treated as a strong security control. Because of this, teams sometimes assume that OTP alone is enough to protect accounts.
In reality, OTP security depends heavily on how it is implemented. Without proper limits and controls, OTP endpoints can be abused in multiple ways.
What Rate Limiting Means in OTP Flows
Rate limiting is used to control how often an action can be performed. In OTP-based authentication, rate limiting should apply to:
- OTP request attempts
- OTP verification attempts
- Requests per account
- Requests per IP
- Requests per device or session
If these limits are missing or weak, attackers can abuse the OTP flow.
Common OTP Rate Limiting Mistakes
No Limit on OTP Requests - Some applications allow unlimited OTP requests. This allows attackers to:
- Spam OTP emails or SMS
- Trigger OTP generation repeatedly
- Abuse backend resources
In some cases, this can also lead to OTP brute forcing or service abuse.
No Limit on OTP Verification Attempts - This is one of the most serious issues. If an attacker can submit OTP values without limit:
- Short OTPs (4–6 digits) can be brute forced
- Automation becomes easy
- Account takeover becomes possible
OTP without verification limits is not real protection.
Rate Limiting Based Only on IP - IP-based limits are weak on their own. Attackers can bypass them using:
- Proxies
- VPNs
- Cloud servers
Rate limiting should not rely only on IP address.
Long OTP Validity - Some OTPs remain valid for several minutes or longer. Long validity gives attackers:
- More time to brute force
- More chances to retry
- Higher success rate
How OTP Issues Combine with Email Enumeration
On its own, OTP abuse is already dangerous. When combined with email enumeration, the impact increases.
Email Enumeration
↓
List of valid email accounts
↓
Unlimited OTP requests
↓
Unlimited OTP verification attempts
↓
Account takeover
|
Email enumeration helps attackers focus only on real accounts. OTP weaknesses then allow full compromise.
Why These Issues Are Often Missed
OTP issues are often missed because:
- OTP is assumed to be secure by default
- Testing focuses only on success cases
- Error handling is checked, but limits are not
- Backend behavior is not fully reviewed
Many teams fix UI messages but forget backend controls.
Security Impact
Misconfigured OTP rate limiting can lead to:
- Account takeover
- Targeted attacks
- OTP brute forcing
- Abuse of email or SMS services
- Increased infrastructure cost
When combined with enumeration, the risk becomes high.
Practical Recommendations
To secure OTP-based authentication:
- Apply strict limits on OTP requests
- Apply strict limits on OTP verification attempts
- Use per-account and per-session limits
- Reduce OTP validity time
- Lock or slow down after repeated failures
OTP should be treated as part of a full authentication system, not a standalone feature.
Conclusion
OTP-based authentication is only as strong as its implementation. Without proper rate limiting, OTP endpoints can be abused even if the OTP logic itself works correctly.