Feature request for Supabase Auth: Automatically invalidate OTP after multiple failed login attempts

[maximilian-hammerl]

Currently, Supabase Auth allows users to request OTPs for authentication, but these OTPs remain valid even after multiple failed login attempts. This can be exploited by attackers trying to gain unauthorized access through brute force guessing.

Proposed feature:

Introduce a security mechanism that automatically invalidates an OTP if a user has attempted to log in with that OTP unsuccessfully X times. Once the limit is reached, the OTP should be invalidated, requiring the user to request a new one.

Use case:

• Prevent brute-force OTP guessing attacks.
• Improve security without adding friction for legitimate users.
• Align with best practices in authentication security.

Suggested implementation:

• Track OTP verification attempts per user.
• If the number of failed attempts reaches the configured threshold, invalidate the OTP immediately.

Impact:

This feature would enhance Supabase Auth’s security against unauthorized login attempts, reducing the risk of successful OTP brute-force attacks.