limit the sms token attempts

[wael002]

Dear all
how to use the variable $max_attempts to limit the number of sending SMS token to be for example 3, and block the user from sending more token within predefined period (1 hour for example)

[davidcoutadeur]

Hello,

You can limit the number of attempts using a sms token with this parameter:

$sms_max_attempts_token = 3;

See the corresponding documentation: https://self-service-password.readthedocs.io/en/stable/config_sms.html#token

However, I don't think you can prevent the user for asking new tokens after having reached the failed attempts counter.

It can be an interesting feature, but I am not sure if it could be a way for an attacker to deny the reset by sms service for a given user.