Seconds to the same range of mobile numbers or prefixes.

Implement rate limits by user IP address or device ID.
You can use a CDN such as Cloudflare for this, or use modules on a web server such as Nginx or Apache for basic rate limiting. Rate limits may not prevent fraud, but they will significantly reduce the potential damage.

Detect bots and change the user experience to prevent them.
Libraries such as botd or a CAPTCHA (Completely Automated Public Turing test to tell Computers and Humans Apart) can help detect bots. Changes to the user experience, such as making sure users confirm their email address before signing up for 2FA, introduce some friction: something that slows down or asks more engagement of legitimate users but can discourage automated scripts and bots.

Implement exponential delays between successive verification requests.
Similar to rate limits, introducing exponential delays between requests to the same phone number is one way to prevent messages from being sent in quick succession.

Monitor one-time passcode (OTP) conversion rates and create alerts.
Internally monitor the verification conversion rate (for the purposes of this article, let's call it the OTP conversion rate), i.e. number of OTPs verified by end users / number of OTPs sent to end users.

WWKW = number of OTPs verified by end users / number of OTPs sent to.
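
The exponential delay per phone number and the conversion-rate alert described above can be combined in one small gate in front of the SMS send call. This is an added example, not code from the original article; the class name OtpGuard, the thresholds and the 30-second base delay are assumptions chosen for illustration.

```python
# Added example: per-number exponential delay plus OTP conversion-rate alert.
# BASE_DELAY, MAX_DELAY, ALERT_THRESHOLD and MIN_SENT are assumed values.
import time

BASE_DELAY = 30          # seconds to wait after the first send (assumed)
MAX_DELAY = 3600         # cap so a legitimate user is never locked out for long
ALERT_THRESHOLD = 0.30   # alert when verified/sent falls below this (assumed)
MIN_SENT = 20            # do not alert on tiny samples


class OtpGuard:
    def __init__(self, clock=time.monotonic):
        self.clock = clock
        self.state = {}      # phone number -> (sends so far, time of last send)
        self.sent = 0
        self.verified = 0

    def wait_required(self, phone):
        """Seconds the caller must still wait before another send to phone."""
        count, last = self.state.get(phone, (0, 0.0))
        if count == 0:
            return 0.0
        # Delay doubles with every unverified send: 30s, 60s, 120s, ...
        delay = min(BASE_DELAY * 2 ** (count - 1), MAX_DELAY)
        return max(0.0, last + delay - self.clock())

    def request_send(self, phone):
        """Return True and record the send if allowed, else False."""
        if self.wait_required(phone) > 0:
            return False
        count, _ = self.state.get(phone, (0, 0.0))
        self.state[phone] = (count + 1, self.clock())
        self.sent += 1
        return True

    def record_verified(self, phone):
        """A user entered a valid code: reset that number's delay."""
        self.state.pop(phone, None)
        self.verified += 1

    def conversion_rate(self):
        """Number of OTPs verified / number of OTPs sent, or None if none sent."""
        return self.verified / self.sent if self.sent else None

    def should_alert(self):
        rate = self.conversion_rate()
        return self.sent >= MIN_SENT and rate is not None and rate < ALERT_THRESHOLD
```

In production the per-number state and the counters would live in a shared store with expiry, and the conversion rate would be computed over a sliding time window rather than over all time.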