- Only the last one-time password (or link) issued will be accepted. Once the latest one is issued, any others are invalidated. Once used, the latest one is also invalidated.
- Only three failed attempts to input the one-time password are allowed. After this, a new code will need to be requested.
- The one-time password issued will be valid (by default) for three minutes before it expires.
- If you choose to extend the amount of time it takes for your one-time password to expire, you should also extend the length of the one-time password code. Otherwise, an attacker has a larger window of time to attempt to guess a short code.