OTP Flood Control in Drupal 2FA

The OTP Flood Control feature is designed to prevent abuse and excessive OTP (One-Time Password) resend attempts by users.

It helps protect your system from:

  • OTP spamming
  • Brute-force attempts
  • Server load due to repeated OTP requests

How OTP Flood Control Works

This feature is divided into two parts:

  1. Resend OTP Timer (Flood Control)
  2. Block User After Multiple Resend Attempts

Both can be configured together to enforce stricter security.

Configuration

1. Resend OTP Timer (Flood Control)

This setting controls how frequently a user can request a new OTP.

Setup

  • Enter time in minutes

Example

  • If set to 1 minute:
    • A 60-second timer will be displayed
    • The Resend OTP button will be disabled until the timer expires

This prevents users from requesting OTPs repeatedly in a short time.

2. Block User After Multiple Resend Attempts

This setting restricts users after they exceed the allowed number of OTP resend attempts.

Setup

  • Enter OTP limit: Maximum number of resend attempts allowed
  • Enter block duration (in minutes): Time for which the user will be blocked after exceeding the limit

Important Validation Rule

If both features are enabled, the following condition must be satisfied:

  • Resend Timer Duration < User Block Duration

Example

Valid Case

  • Resend Timer: 1 minute
  • Block Duration: 5 minutes

Invalid Case

  • Resend Timer: 5 minutes
  • Block Duration: 5 minutes or less

The system will show an error message if this condition is not met.

How It Works

  • Users must wait before requesting a new OTP
  • Repeated attempts are tracked
  • If the limit is exceeded → user is temporarily blocked
  • After block duration → user can try again
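The following is an added example, not code from the Drupal 2FA module: a stand-alone Python model of the two settings and the validation rule described above, showing how the resend timer, the attempt limit and the temporary block fit together for one user. The class and method names (OtpFloodConfig, OtpFloodControl, request_resend) are assumptions made for this illustration; time is passed in as a parameter so the flow can be replayed offline.

```python
from __future__ import annotations
from dataclasses import dataclass, field
from typing import Optional

@dataclass
class OtpFloodConfig:
    """The three settings from the configuration section (hypothetical names)."""
    resend_timer_min: int    # Resend OTP Timer (flood control), in minutes
    resend_limit: int        # maximum number of resend attempts allowed
    block_duration_min: int  # block duration after exceeding the limit, in minutes

    def validation_error(self) -> Optional[str]:
        # Validation rule from the page: the timer must be strictly shorter than the block.
        if self.resend_timer_min >= self.block_duration_min:
            return "Resend Timer Duration must be less than User Block Duration"
        return None

@dataclass
class OtpFloodControl:
    """Per-user resend gate: block check, then resend timer, then attempt limit."""
    config: OtpFloodConfig
    _last_sent: dict[str, float] = field(default_factory=dict)      # user -> last resend time (s)
    _attempts: dict[str, int] = field(default_factory=dict)         # user -> resends counted so far
    _blocked_until: dict[str, float] = field(default_factory=dict)  # user -> block expiry time (s)

    def request_resend(self, user: str, now: float) -> tuple[bool, str]:
        """Return (allowed, reason). `now` is a timestamp in seconds, injected for replayability."""
        cfg = self.config
        # 1. A blocked user is refused until the block duration has elapsed.
        if now < self._blocked_until.get(user, 0.0):
            return False, f"blocked; retry in {int(self._blocked_until[user] - now)}s"
        # 2. Resend timer: no new OTP until resend_timer_min has passed since the last one.
        last = self._last_sent.get(user)
        if last is not None and now - last < cfg.resend_timer_min * 60:
            remaining = int(cfg.resend_timer_min * 60 - (now - last))
            return False, f"resend timer active; retry in {remaining}s"
        # 3. Attempt limit: one resend beyond the limit blocks the user and resets the counter,
        #    so that after the block expires the user can try again from a clean slate.
        count = self._attempts.get(user, 0) + 1
        if count > cfg.resend_limit:
            self._blocked_until[user] = now + cfg.block_duration_min * 60
            self._attempts[user] = 0
            return False, f"limit exceeded; blocked for {cfg.block_duration_min} min"
        self._attempts[user] = count
        self._last_sent[user] = now
        return True, "otp sent"
```

With a 1-minute timer and a 5-minute block, a user who resends at 0s and 60s is allowed both times, is refused at 30s by the timer, triggers the block on the third resend at 120s, and is refused until 420s.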