I’ve seen this mistake in multiple products.
User clicks “Resend OTP”… System generates a new code every time. Sounds correct, right?
But here’s what actually happens:
- SMS gets delayed
- User clicks resend
- New OTP is generated
- Old OTP arrives first
- User enters it and gets an “Invalid OTP” error
From the user’s perspective, your system is broken.
The fix is simple: for a few retries, resend the same OTP. Whichever message arrives first, the code still works. Two things must not reset on a resend: the code’s expiry (one validity window, counted from the first send) and the wrong-guess counter. Otherwise “Resend” becomes a way to keep a code alive indefinitely. Cap the number of resends and put a cooldown between them, or the button turns into an SMS-pumping endpoint.
I implemented this once, and it instantly reduced login friction.
Sometimes the problem isn’t the feature. It’s the timing.
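Here is what that policy looks like in code. This is an added example, not code from the post or any product it describes; the TTL, attempt limit, resend cap and cooldown values are assumptions, and the in-memory dict and `outbox` list stand in for a real store and SMS gateway.

```python
import hmac
import secrets
import time
from dataclasses import dataclass

# Policy knobs (assumed values for the example, not from the post)
OTP_TTL_SECONDS = 300         # one validity window, counted from the FIRST send
MAX_VERIFY_ATTEMPTS = 5       # wrong guesses allowed per code
MAX_RESENDS = 3               # how many times the same code may be resent
RESEND_COOLDOWN_SECONDS = 30  # minimum gap between sends to one user


@dataclass
class OtpRecord:
    code: str
    expires_at: float
    last_sent_at: float
    failed_attempts: int = 0
    resend_count: int = 0


class OtpService:
    """In-memory OTP store; swap the dict for Redis/DB in production."""

    def __init__(self, clock=time.monotonic):
        self._clock = clock                      # injectable so tests can move time
        self._store: dict[str, OtpRecord] = {}
        self.outbox: list[tuple[str, str]] = []  # stands in for the SMS gateway

    def _issue(self, user: str) -> str:
        """Fresh code, fresh window, fresh counters."""
        now = self._clock()
        code = f"{secrets.randbelow(10**6):06d}"  # 6 digits from the CSPRNG
        self._store[user] = OtpRecord(code=code, expires_at=now + OTP_TTL_SECONDS,
                                      last_sent_at=now)
        self.outbox.append((user, code))
        return code

    def request(self, user: str):
        """First send or 'Resend OTP'. Returns the code sent, or None if rate-limited."""
        now = self._clock()
        rec = self._store.get(user)
        if rec is not None and now - rec.last_sent_at < RESEND_COOLDOWN_SECONDS:
            return None                          # cooldown applies to every send
        if rec is not None and now < rec.expires_at and rec.resend_count < MAX_RESENDS:
            rec.resend_count += 1
            rec.last_sent_at = now               # expires_at is deliberately NOT touched
            self.outbox.append((user, rec.code))  # same code goes out again
            return rec.code
        return self._issue(user)                 # no live code or resend budget spent

    def verify(self, user: str, submitted: str) -> bool:
        now = self._clock()
        rec = self._store.get(user)
        if rec is None or now >= rec.expires_at:
            return False
        if hmac.compare_digest(rec.code.encode(), submitted.strip().encode()):
            del self._store[user]                # single use: a code never verifies twice
            return True
        rec.failed_attempts += 1
        if rec.failed_attempts >= MAX_VERIFY_ATTEMPTS:
            del self._store[user]                # burn the code; user must request a new one
        return False


def delayed_sms_scenario() -> bool:
    """The race from the post: resend at t+40s, then the FIRST SMS arrives and is typed in."""
    t = [0.0]
    svc = OtpService(clock=lambda: t[0])
    first = svc.request("alice")        # SMS #1 sent, delayed at the carrier
    t[0] += 40
    svc.request("alice")                # user clicks Resend: SMS #2 carries the same code
    return svc.verify("alice", first)   # SMS #1 arrives first and still works


if __name__ == "__main__":
    print("delayed SMS accepted:", delayed_sms_scenario())
```

The security of the code comes from its window and its attempt budget, not from how many copies of it were delivered, so resending the same digits costs nothing as long as `expires_at` and `failed_attempts` survive the resend. Once the window closes or the resend budget is spent, `request` issues a new code instead of stretching the old one.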
Have you implemented OTP correctly in your app?
