New text message requests
I've been asked to review a system where a user can request a new login by having an access code sent to a mobile.
The business is wondering how many requests a user can have so that:
- costs paying for excessive amounts of text messages are kept to a minimum
- hacking/brute force attacks are minimised
- user experience is kept as pleasant as possible.
They have two options:
- as many requests as one likes as long as one doesn't exceed 2 per minute
- 10 requests in one day, but as frequently as one likes until the 10 requests are reached
Which is the better option? Is there another option the industry uses?