diff --git a/api/attestation/identity.js b/api/attestation/identity.js
index 2a2852d..f5a1731 100644
--- a/api/attestation/identity.js
+++ b/api/attestation/identity.js
@@ -100,9 +100,39 @@ exports.update = function (req, res, next) {
     function(lib) {
       var profileAttestation = lib.get('profileAttestation');
       var identityAttestation = lib.get('identityAttestation');
-
+      var time = new Date().getTime();
+
+      if (identityAttestation) {
+        while(identityAttestation.meta.attempts.length) {
+          var attempted = identityAttestation.meta.attempts[0];
+
+          if (time - attempted > (24 * 60 * 60 * 1000)) {
+            identityAttestation.meta.attempts.shift();
+          } else {
+            break;
+          }
+        }
+
+        //only allow 4 attempts per 24 hours
+        if (identityAttestation.meta.attempts.length > 3) {
+          reporter.log("Max attempts exceeded:", identityAttestation.identity_id);
+          response.json({result:'error', message:'Max attempts exceeded. Try again in 24 hours.'}).status(400).pipe(res);
+          lib.terminate();
+          return;
+        }
+      }
+
       //score the answers to the questions
       if (req.body.answers && identityAttestation) {
+
+
+        //dont allow it to pass if it has been more than 3 minutes
+        if (time - identityAttestation.created > (3 * 60 * 1000)) {
+          response.json({result:'error', message:'time limit exceeded'}).status(400).pipe(res);
+          lib.terminate();
+          return;
+        }
+
         var data = {
           verification_id : profileAttestation.meta.verification_id,
           question_set_id : identityAttestation.meta.questions_id,
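Review bot: `while(identityAttestation.meta.attempts.length)` assumes `meta.attempts` is already an array, but the -162 hunk below shows that attestations written before this change stored `attempts` as a number (`++attempts`) or not at all, so for an existing row the loop either throws on `undefined.length` or silently skips the limit because a number has no `.length`. Normalize the field before the loop, e.g. `if (!Array.isArray(identityAttestation.meta.attempts)) identityAttestation.meta.attempts = [];`. The pruning only shifts the in-memory array; whether the pruned value is what gets persisted depends on `existing` in the later hunk being the same object, which the diff does not show. The count is also read from a record loaded earlier and checked without any locking, so two requests arriving together can both observe three attempts and both proceed; if the limit must be strict, the increment needs to happen atomically in the store. The enclosing `exports.update` handler starts before and ends after this hunk.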
@@ -162,23 +192,25 @@ exports.update = function (req, res, next) {
       };
       var id = existing ? existing.id : utils.generate_uuid();
-      var attempts = existing && existing.meta.attempts ? existing.meta.attempts : 0;
+      var attempts = existing && existing.meta.attempts ? existing.meta.attempts : [];
       var attestation;
       attestation = {
         id : id,
         identity_id : identity_id,
-        issuer : payload.iss,
+        issuer : config.issuer,
         type : 'identity',
         status : payload.identity_verified ? 'verified' : 'unverified',
         payload : payload,
         created : new Date().getTime(),
         meta : {
           questions_id : blockscore.id,
-          attempts : ++attempts
         }
       };
+      attempts.push(attestation.created);
+      attestation.meta.attempts = attempts;
+
       exports.store.insert_or_update_where({set:attestation,table:'attestations',where:{key:'id',value:id}}, function(db_resp) {
         if (db_resp.error) {
           callback(db_resp.error);
@@ -198,6 +230,11 @@ exports.update = function (req, res, next) {
         blinded : data.blinded
       };
+      if (attestation.status !== 'verified' && attestation.meta.attempts.length > 3) {
+        reporter.log("Max attempts reached:", attestation.identity_id);
+        result.maxAttempts = true;
+      }
+
       callback(null, result);
     }
   });
diff --git a/test/test-attestation.js b/test/test-attestation.js
index d4a47cd..a116f7f 100644
--- a/test/test-attestation.js
+++ b/test/test-attestation.js
@@ -10,6 +10,8 @@ var assert = require('chai').assert;
 var api = require('../api');
 var nock = require('nock');
+console.log(config);
+
 api.setStore(store);
 blobIdentity.setStore(store);
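Review bot: `existing && existing.meta.attempts ? existing.meta.attempts : []` passes a legacy numeric `attempts` value (the old `++attempts` counter this hunk removes) straight through, and `attempts.push(attestation.created)` then throws a TypeError for any identity that already had an attestation before this deploy. Use `var attempts = existing && Array.isArray(existing.meta.attempts) ? existing.meta.attempts : [];` so old rows start a fresh window instead of crashing the update. The switch from `payload.iss` to `config.issuer` relies on `config` being in scope in this module; the diff does not show the require, so confirm it is present. Entries are only appended here while the 24-hour pruning in the earlier hunk operates on `identityAttestation`, so unless that is the same object as `existing` the stored array grows without bound. The enclosing function starts and ends outside this hunk.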
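Review bot: `attestation.meta.attempts.length > 3` counts every stored entry, including ones older than 24 hours if the array reaching this point was not pruned, so `maxAttempts` can be set for a user who is actually within the limit; derive the window here instead of trusting the raw length, e.g. `var recent = attestation.meta.attempts.filter(function (t) { return attestation.created - t <= 24 * 60 * 60 * 1000; });` and test `recent.length > 3`. The threshold and window are now repeated as `> 3` and `24 * 60 * 60 * 1000` in three places; a single named constant shared with the earlier check keeps them from drifting apart. The enclosing callback starts outside this hunk.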
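Review bot: `console.log(config);` at module load looks like a debugging leftover, and it prints the whole config object into the test output; if that object carries database credentials or API keys they end up in CI logs, so the line should be removed before merge. The hunk does not show a `config` require in this test file, so if it is not already loaded the line also throws a ReferenceError at load time.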
@@ -267,6 +269,51 @@ describe('Attestation:', function() {
     });
   });
+  it('should return an error if the time the user takes more than 3 minutes to answer the questions', function (done) {
+    store.getAttestations({identity_id:testutils.person.identity_id, type:'identity'}, function (resp) {
+      var created = new Date().getTime() - (5 * 60 * 1000);
+      var options = {
+        type : 'identity',
+        answers : []
+      };
+
+      store.update_where({set:{created:created}, table:'attestations',where:{key:'id',value:resp[0].id}}, function(db_resp) {
+        request.post({url:'http://localhost:5150/v1/attestation/identity/update?signature_blob_id='+testutils.person.id,json:options}, function(err,resp,body) {
+          assert.ifError(err);
+          assert.strictEqual(body.result, 'error');
+          done();
+        });
+      });
+    })
+  });
+
+  it('should return an error if the user attempts to answer questions more than 4 times in 24 hours', function (done) {
+    store.getAttestations({identity_id:testutils.person.identity_id, type:'identity'}, function (resp) {
+      var created = new Date().getTime();
+      var meta = resp[0].meta;
+      var id = resp[0].id;
+      var options = {
+        type : 'identity',
+        answers : []
+      };
+
+      meta.attempts = [created-86000000, created-8000000, created-80000, created];
+
+      store.update_where({set:{meta:meta, created:created}, table:'attestations',where:{key:'id',value:id}}, function(db_resp) {
+        request.post({url:'http://localhost:5150/v1/attestation/identity/update?signature_blob_id='+testutils.person.id,json:options}, function(err,resp,body) {
+          assert.ifError(err);
+          assert.strictEqual(body.result, 'error');
+
+          //reset so the next test passes
+          meta.attempts = [];
+          store.update_where({set:{meta:meta}, table:'attestations',where:{key:'id',value:id}}, function(db_resp) {
+            done();
+          });
+        });
+      });
+    })
+  });
+
   it('should return a verified identity attestation given correctly answered questions', function(done) {
     var options = {
       type : 'identity',
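Review bot: Both new tests assert only `body.result === 'error'`, so the three-minute test would also pass if the request were rejected by the attempt limit or any other validation, and the reverse holds for the second test; assert the specific message too, `assert.strictEqual(body.message, 'time limit exceeded');` in the first and `assert.strictEqual(body.message, 'Max attempts exceeded. Try again in 24 hours.');` in the second. The `db_resp` handed to each `store.update_where` callback is never checked, so a failed fixture write surfaces as a confusing assertion failure downstream; `if (db_resp.error) return done(db_resp.error);` at the top of each callback makes that explicit. Both tests also rely on `resp[0]` being the attestation created by an earlier test in this describe block, which is order coupling worth a comment next to the `getAttestations` call.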