The presence check limit is checked using SMS OTP count (default limit: 5). This is problematic, because the user can resend a SMS OTP, and then the number of presence check attempts does not correspond to the SMS OTP count. This manifests in the data that some users have up to 8 failed SMS OTPs.
We should consider implementing a different strategy, e.g. using a separate table which stores all presence check attempts and their results, including the SMS OTP result because it belongs to the same SCA verification step.
The presence check limit is checked using SMS OTP count (default limit: 5). This is problematic, because the user can resend a SMS OTP, and then the number of presence check attempts does not correspond to the SMS OTP count. This manifests in the data that some users have up to 8 failed SMS OTPs.
We should consider implementing a different strategy, e.g. using a separate table which stores all presence check attempts and their results, including the SMS OTP result because it belongs to the same SCA verification step.