User Sees Error "This factor is suspended for your account due to too many failed attempts" but the User Account Shows as "Active"
Okta Classic Engine
Devices and Mobility
Overview

This article explains why a user's account remains active even when the following error is received:

"This factor is suspended for your account due to too many failed attempts."

This behavior occurs when the login attempts are marked as invalid credentials in the system log.

Applies To
  • Okta Classic Engine
  • User Account
  • Multi-Factor Authentication (MFA)
Cause
The Classic tenant has Factor Sequencing enabled, and an application policy is configured to allow login with a password plus another MFA factor. Because of the MFA chain, the password is treated as an MFA option in this case. This is why the account does not get locked out but the factor is suspended: the password is acting as an MFA factor.
Solution

This is expected behavior in this situation. It cannot be avoided in Okta Classic, because there the password is not an MFA factor (it is one only in Okta Identity Engine).

If the password factor attempt fails, both counters increment. The Multi-Factor Authentication (MFA)/one-time passcode (OTP) counter increments because a factor attempt failed, and the factor-suspend counter increments because the password factor attempt failed. This makes for an inconsistent experience. If the factor's account-lock threshold is lower than 5 (the MFA/OTP threshold), the factor is suspended before the account can lock. However, if the threshold is higher than 5, the account locks before the factor can be suspended.

NOTE: The password shim also locks the account when it suspends the factor. The account always locks, but if it locks due to the old MFA/OTP count, the factor does not suspend.
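The interaction of the two counters is easier to reason about as a small state model. The following is an added illustration, not Okta code: it assumes a fixed MFA/OTP threshold of 5 as stated above, a per-factor suspend threshold passed in by the caller, and the password-shim behavior from the note (suspending the factor also locks the account). The class and function names are invented for the example, and the tie case (both thresholds reached on the same attempt), which the article does not cover, is resolved by checking the factor path first.

```python
# Constructed model of the two failure counters described in the article
# (illustration only, not Okta's implementation).

MFA_OTP_THRESHOLD = 5  # fixed MFA/OTP counter threshold stated in the article


class PasswordFactorUser:
    """Tracks one user whose password is acting as an MFA factor (Classic,
    Factor Sequencing). Names and structure here are assumptions."""

    def __init__(self, factor_suspend_threshold):
        # The factor's own account-lock threshold (configurable per factor).
        self.factor_suspend_threshold = factor_suspend_threshold
        self.mfa_otp_failures = 0
        self.factor_failures = 0
        self.account_locked = False
        self.factor_suspended = False
        self.locked_at_attempt = None
        self.lock_reason = None

    def fail_password_factor(self):
        """Record one failed password-as-factor attempt."""
        if self.account_locked:
            return  # further attempts are rejected; no counters move
        # Both counters increment on a failed password-factor attempt.
        self.mfa_otp_failures += 1
        self.factor_failures += 1
        attempt = self.factor_failures

        # Factor-suspend path: the password shim suspends the factor and
        # locks the account in the same step. On a tie this model checks
        # the factor path first (assumption; the article does not say).
        if self.factor_failures >= self.factor_suspend_threshold:
            self.factor_suspended = True
            self.account_locked = True
            self.locked_at_attempt = attempt
            self.lock_reason = "factor suspended (password shim locked account)"
            return

        # Old MFA/OTP path: the account locks but the factor is NOT suspended.
        if self.mfa_otp_failures >= MFA_OTP_THRESHOLD:
            self.account_locked = True
            self.locked_at_attempt = attempt
            self.lock_reason = "MFA/OTP counter (factor not suspended)"


def simulate(factor_suspend_threshold, attempts=10):
    """Drive `attempts` failed password-factor logins and return the end state."""
    user = PasswordFactorUser(factor_suspend_threshold)
    for _ in range(attempts):
        user.fail_password_factor()
    return user


if __name__ == "__main__":
    for threshold in (3, 5, 8):
        u = simulate(threshold)
        print(f"factor threshold={threshold}: locked at attempt {u.locked_at_attempt}, "
              f"factor_suspended={u.factor_suspended}, reason={u.lock_reason}")
```

Running it shows the two outcomes the article describes: with a factor threshold of 3 the factor is suspended on the third failure (and the shim locks the account at the same time), while with a threshold of 8 the MFA/OTP counter locks the account on the fifth failure and the factor is never suspended. When triaging a report of this error, comparing the factor's configured threshold with 5 tells you which path the user hit.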
