diff --git a/changelog/31421.txt b/changelog/31421.txt
new file mode 100644
index 0000000000..d328bca62a
--- /dev/null
+++ b/changelog/31421.txt
@@ -0,0 +1,3 @@
+```release-note:bug
+identity/mfa: revert cache entry change from #31217 and document cache entry values
+```
diff --git a/vault/external_tests/identity/login_mfa_totp_test.go b/vault/external_tests/identity/login_mfa_totp_test.go
index 24ebf353b7..48a9172564 100644
--- a/vault/external_tests/identity/login_mfa_totp_test.go
+++ b/vault/external_tests/identity/login_mfa_totp_test.go
@@ -329,7 +329,7 @@ func TestLoginMfaGenerateTOTPTestAuditIncluded(t *testing.T) {
 // let's make sure the configID is not blocked for other users
 doTwoPhaseLogin(t, userClient2, enginePath2, methodID, testuser2)
- // let's see if user1 is able to login after 3 + 3*2 = 9 seconds
+ // let's see if user1 is able to login after 3 * (2+1) = 9 seconds
 time.Sleep(9 * time.Second)
 doTwoPhaseLogin(t, userClient1, enginePath1, methodID, testuser1)
diff --git a/vault/login_mfa.go b/vault/login_mfa.go
index bf4a5d3241..1b6777ad31 100644
--- a/vault/login_mfa.go
+++ b/vault/login_mfa.go
@@ -2343,9 +2343,10 @@ func (c *Core) validateTOTP(ctx context.Context, mfaFactors *MFAFactor, entityMe
 return fmt.Errorf("failed to validate TOTP passcode")
 }
- // The duration in which a passcode is stored in cache to enforce
- // rate limit on failed totp passcode validation
- passcodeTTL := time.Duration(int64(time.Second) * int64(totpSecret.Period) * int64(2*totpSecret.Skew))
+ // The duration in which a rateLimitID (configID_entityID) is used to limit the number of TOTP validation attempts.
+ // The passcode will be added to the usedCodes cache later, with a different TTL, with the skew and period.
+ passcodeTTL := time.Duration(int64(time.Second) * int64(totpSecret.Period))
+ // Enforcing rate limit per MethodID per EntityID
 rateLimitID := fmt.Sprintf("%s_%s", configID, entityID)
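Review bot: The variable that now holds the rate-limit window in login_mfa.go is still named `passcodeTTL`, while the new comment directly above it says it governs how long a rateLimitID is kept and that the passcode itself goes into the usedCodes cache later with a different TTL; a reader pairing the name with the cache inserts below the hunk will likely attach it to the wrong entry. Renaming it, e.g. `rateLimitTTL := time.Duration(int64(time.Second) * int64(totpSecret.Period))`, and updating its uses (outside this hunk) would keep the two TTLs distinguishable at a glance. The added comment `// Enforcing rate limit per MethodID per EntityID` names MethodID while the key on the next line is built from `configID`; if those are the same value, saying so once, `// Enforcing rate limit per configID (the MFA method ID) per entityID`, removes the doubt, and if they differ the comment should use the name the code uses. validateTOTP starts before and continues past this hunk, so whether a zero Period (which collapses the window to 0) is rejected earlier is not visible here.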