Azure AD B2C Service - Account email verification code expiration details

Question

Hello

I am able to find lockout threshold information regarding passwords however I cannot find any documentation on default Azure AD B2C service settings for passcodes sent to your email when you want to reset your password.

A user will receive an email with a passcode and we use that to verify our identity.

There are two pieces of information I am looking for

1. How long is a passcode valid for? I have received expiration messages but am not sure how much time needs to pass before it becomes expired.
2. How many attempts before you get the message you have reached the number of attempts? What is the time frame on lockout period or are you just forced to ask for a new passcode?

Thank you!

Answer 1

@Ryan Potts Thank you for reaching out to us, As I understand you are looking for information on the below queries

1. How long is a passcode valid for? I have received expiration messages but am not sure how much time needs to pass before it becomes expired.

Ans: The one-time passcodes are valid for 5 minutes during the password reset session.

B2C uses the same SSPR service that SSPR uses.

Reference: https://learn.microsoft.com/en-us/entra/identity/authentication/passwords-faq#:~:text=How%20long%20are%20the%20email%20and%20text%20message%20one%2Dtime%20passcodes%20valid%3F

2. How many attempts before you get the message you have reached the number of attempts? What is the time frame on lockout period or are you just forced to ask for a new passcode?

Ans: As per my testing, number of attempts user can try is 3.

Let me know if you have any further questions, feel free to post back.

Please remember to "Accept Answer" if answer helped, so that others in the community facing similar issues can easily find the solution.