Tags: twilio, twilio-api, authy

Authy phone verification: does API prevent too many guesses?


We're building an integration with Twilio's Authy phone verification API at the moment.

The docs don't specifically say what happens in the case that a malicious user sends lots of guesses to the verification/check endpoint while trying to verify the SMS code.

I assume Authy must have something in place to prevent this, but it's not explicitly stated and I'm wondering if we need to build in some protection (e.g. guess-counter limit) in our own API integration code.


Solution

  • Twilio developer evangelist here.

    There is a limit built into Authy for phone verification. There is a maximum of 5 attempts per verification code, to avoid brute forcing the code.

    I'm trying to find out why this isn't documented, but in the meantime you should not have to build out protections yourself.
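The guess-counter the question considers building, as an added example that is not Twilio's or Authy's code and does not call their API: each pending verification gets the same five-attempt budget the answer describes, is discarded once that budget is spent or the code is used, and is compared in constant time. The in-memory store, the 10-minute code lifetime and the phone number used as the key are assumptions made for the example.

```python
import hmac
import secrets
from dataclasses import dataclass
from typing import Dict, Optional

MAX_ATTEMPTS = 5         # the per-code budget the answer describes
CODE_TTL_SECONDS = 600   # assumed lifetime of a code (example value)


@dataclass
class Verification:
    code: str
    expires_at: float
    attempts: int = 0


class VerificationStore:
    """Per-phone guess counter for SMS verification codes (example only)."""

    def __init__(self, max_attempts: int = MAX_ATTEMPTS, ttl: float = CODE_TTL_SECONDS):
        self.max_attempts = max_attempts
        self.ttl = ttl
        self._pending: Dict[str, Verification] = {}

    def start(self, phone: str, now: float) -> str:
        """Issue a fresh 6-digit code; a new request replaces any pending one
        (and with it any attempts already spent on the old code)."""
        code = f"{secrets.randbelow(1_000_000):06d}"
        self._pending[phone] = Verification(code, now + self.ttl)
        return code  # would be handed to the SMS provider, never to the caller

    def check(self, phone: str, guess: str, now: float) -> str:
        """Return 'ok', 'wrong', 'locked', 'expired' or 'no_pending_verification'."""
        v = self._pending.get(phone)
        if v is None:
            return "no_pending_verification"
        if now >= v.expires_at:
            del self._pending[phone]
            return "expired"
        v.attempts += 1                      # every guess burns budget
        if hmac.compare_digest(v.code.encode(), guess.encode()):
            del self._pending[phone]         # a code is single-use
            return "ok"
        if v.attempts >= self.max_attempts:
            del self._pending[phone]         # budget spent: caller must request a new code
            return "locked"
        return "wrong"
```

A `locked` or repeated `wrong` result per phone number is also the signal worth logging, since it is the only view the integration has of a guessing attempt against the check endpoint.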