diff --git a/docs/risks.md b/docs/risks.md
index 9a02cdc..a1b2f12 100644
--- a/docs/risks.md
+++ b/docs/risks.md
@@ -4,7 +4,7 @@ This file tracks known gaps and risks to address in future iterations.
 
 ## Security And Auth
 - Phone normalization is KSA-focused and minimal; broaden for multi-country use.
-- OTP protections are basic; add device fingerprinting and IP throttling if needed.
+- OTP protections now include per-phone limits plus `/phone/request` IP/device window controls; thresholds still need production tuning.
 - Authentica OTP provider is implemented (SMS + WhatsApp via Authentica OTP).
 - Social login is a placeholder.
 - `USERNAME_FIELD` is now `"phone_number"`; `REQUIRED_FIELDS = []`; `create_superuser` accepts `phone_number`. Admin and `createsuperuser` work correctly for phone-only users.
@@ -16,7 +16,7 @@ This file tracks known gaps and risks to address in future iterations.
 ## Next Auth Review Points
 - DB-level guardrails for `accounts_user.phone_number` are now enforced (`NOT NULL`, `UNIQUE`, E.164 check constraint).
 - Decide user lifecycle for phone auth (create user before OTP verify vs provisional/pre-user state).
-- Expand abuse prevention beyond per-phone cooldown (IP throttling, device fingerprint, risk signals).
+- Abuse-control implementation for `/api/auth/phone/request/` is in place (IP throttling + persisted device signal); next step is monitor false positives and tune limits.
 - Define OAuth account-linking policy (phone/email conflicts, merge rules, trust source).
 - Add explicit tests for remaining phone-first invariants (verified-phone guards and any legacy-path regressions).
 
diff --git a/docs/runbooks/auth_otp_failures.md b/docs/runbooks/auth_otp_failures.md
index 0d6f7c9..fba086f 100644
--- a/docs/runbooks/auth_otp_failures.md
+++ b/docs/runbooks/auth_otp_failures.md
@@ -26,6 +26,7 @@ Guide for diagnosing and mitigating OTP send or verify failures in phone-first a
 - If provider credentials are missing or invalid, fix the environment variables and restart the API process.
 - If the provider is down, temporarily switch to `OTP_PROVIDER=console` for non-production environments and notify support.
 - If rate limits are triggered, validate `OTP_MAX_PER_WINDOW`, `OTP_WINDOW_MINUTES`, and `OTP_RESEND_COOLDOWN_SECONDS` values and confirm client behavior is not retrying aggressively.
+- For phone-login abuse spikes, also validate `PHONE_AUTH_IP_MAX_PER_WINDOW`, `PHONE_AUTH_DEVICE_MAX_PER_WINDOW`, and `PHONE_AUTH_RISK_WINDOW_MINUTES`.
 - If verification is failing, confirm server time is correct and `OTP_EXPIRY_MINUTES` is appropriate.
 
 ## Rollback / Escalation