diff --git a/apis/record_auth_with_otp.go b/apis/record_auth_with_otp.go
index f7f1bc5b..31db084f 100644
--- a/apis/record_auth_with_otp.go
+++ b/apis/record_auth_with_otp.go
@@ -52,7 +52,7 @@ func recordAuthWithOTP(e *core.RequestEvent) error {
 	}
 
 	// since otps are usually simple digit numbers we enforce an extra rate limit rule to prevent enumerations
-	err = checkRateLimit(e, "@pb_otp_"+event.OTP.Id+event.Record.Id, core.RateLimitRule{MaxRequests: 4, Duration: 180})
+	err = checkRateLimit(e, "@pb_otp_"+event.Record.Id, core.RateLimitRule{MaxRequests: 5, Duration: 180})
 	if err != nil {
 		return e.TooManyRequestsError("Too many attempts, please try again later with a new OTP.", nil)
 	}
diff --git a/apis/record_auth_with_otp_test.go b/apis/record_auth_with_otp_test.go
index 9befdd7a..4defb014 100644
--- a/apis/record_auth_with_otp_test.go
+++ b/apis/record_auth_with_otp_test.go
@@ -387,11 +387,13 @@ func TestRecordAuthWithOTPManualRateLimiterCheck(t *testing.T) {
 	}{
 		{otpAId, "12345", 400},
 		{otpAId, "12345", 400},
-		{otpAId, "12345", 400},
-		{otpAId, "12345", 400},
-		{otpAId, "123456", 429},
 		{otpBId, "12345", 400},
-		{otpBId, "123456", 200},
+		{otpBId, "12345", 400},
+		{otpBId, "12345", 400},
+		{otpAId, "12345", 429},
+		{otpAId, "123456", 429}, // reject even if it is correct
+		{otpAId, "123456", 429},
+		{otpBId, "123456", 429},
 	}
 
 	for _, s := range scenarios {
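Review bot: The unchanged TooManyRequestsError message on the line after the new checkRateLimit call still tells the user to "try again later with a new OTP", but the rate-limit key is now `"@pb_otp_"+event.Record.Id` with no OTP id in it, so requesting a fresh OTP no longer lifts the limit (the test hunk in record_auth_with_otp_test.go confirms this: a correct code for otpBId is rejected with 429 once the record's budget is spent). The message should match the new behaviour, e.g. `return e.TooManyRequestsError("Too many attempts, please try again later.", nil)`, otherwise it steers users into issuing more OTPs that will also be refused. The comment above the call would also benefit from stating the new scope, e.g. `// the limit is keyed per auth record (not per OTP) so that requesting a new OTP does not reset the attempt budget`. recordAuthWithOTP starts before this hunk, so whether Record is guaranteed non-nil at this point is not visible here.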
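Review bot: The rewritten scenarios table drops the only 200 case (`{otpBId, "123456", 200}`), so this test now exercises exhaustion but never proves that a correct OTP submitted within the budget still authenticates under the new per-record key. If that path is not covered by another test in the file, consider placing a success case before the fifth failure, e.g. `{otpBId, "123456", 200}` as the fifth entry, and adjusting the following expectations accordingly — presumably a consumed OTP would then yield 400 rather than 429 for the remaining otpB rows, which is worth confirming against the handler. The trailing comment `// reject even if it is correct` is useful; the same comment on the last `{otpBId, "123456", 429}` row would make it explicit that a different OTP for the same record is also blocked. TestRecordAuthWithOTPManualRateLimiterCheck continues outside the hunk.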