One-Time Password (OTP) Behavior

Salesforce sends one-time passwords (OTPs) to verify identity for multiple use cases, such as passwordless login, device activation, multi-factor authentication (MFA) for Experience Cloud sites, and more. Learn about expiration time, limits, and generation behavior for OTPs for different use cases.

OTP Use Case	Expiration Time	Limits	OTP Generation For Each New Request
Used with the `UserManagement.initRegisterVerificationMethod` Apex method. Sent via SMS to verify identity when a user registers a phone number. For Experience Cloud site users only.	24 Hours	3 failed attempts 5 new OTP requests per hour	Generated only if the previous OTP has expired.
Sent via SMS to verify identity when a user changes their phone number in their personal information settings.	24 Hours	3 failed attempts 5 new OTP requests per hour	Generated only if the previous OTP has expired.
Sent via SMS to verify identity when a user adds their phone number if prompted after login. For internal users only.	15 Minutes	1 failed attempt 10 new OTP requests per hour	Generated if the previous OTP has expired or if the user entered the previous OTP incorrectly.
Used with the `UserManagement.initRegisterVerificationMethod` Apex method. Sent via email to verify identity when a user registers an email address. For Experience Cloud site users only.	24 Hours	3 failed attempts 5 new OTP requests per hour	Generated if the previous OTP has expired or if the user entered the previous OTP incorrectly.
Sent via email to verify identity when a user changes their email address in their personal information settings.	24 Hours	3 failed attempts 5 new OTP requests per hour	Generated if the previous OTP has expired or if the user entered the previous OTP incorrectly
Verify identity via email or SMS for device activation.	24 Hours	3 failed attempts 5 new OTP requests per hour	Generated if the previous OTP has expired or if the user entered the previous OTP incorrectly
Complete multi-factor authentication (MFA) for Experience Cloud site users by using email or SMS. These MFA methods aren't supported for internal users.	24 Hours	3 failed attempts 5 new OTP requests per hour	Generated if the previous OTP has expired or if the user entered the previous OTP incorrectly
Passwordless login and passwordless registration via email or SMS. For Experience Cloud sites only.	15 Minutes	3 failed attempts 10 new OTP requests per hour	Generated with each new request
Headless self-registration for off-platform apps, using a phone number.	24 Hours	3 failed attempts 5 new OTP requests per hour	Generated if the previous OTP has expired or if the user entered the previous OTP incorrectly
Headless self-registration for off-platform apps, using an email address.	24 Hours	3 failed attempts 5 new OTP requests per hour	Generated if the previous OTP has expired or if the user entered the previous OTP incorrectly
Headless passwordless login for off-platform apps, using either an email address or phone number.	15 Minutes	3 failed attempts 5 new OTP requests per hour	Generated with each new request

Did this article solve your issue?

Let us know so we can improve!

One-Time Password (OTP) Behavior

General Information

Required Cookies

Functional Cookies

Advertising Cookies

General Information

Required Cookies

Functional Cookies

Advertising Cookies

Cookie List

Product Area

Feature Impact

Edition

Experience

One-Time Password (OTP) Behavior