Failed Login Attempts Allowed Before an Account Is Locked Out and How to Unlock It
Administration
Okta Classic Engine
Okta Identity Engine
Overview

This article discusses situations in which users locked themselves out of their accounts by entering the password incorrectly or failing to complete Multi-Factor Authentication (MFA).

This article presents information regarding:

  • The number of failed login attempts allowed when a password is entered incorrectly.
  • The number of failed login attempts allowed when MFA is not satisfied.
  • How to unlock a blocked user.
Applies To
  • Multi-Factor Authentication (MFA)
  • Password Policy
  • Lockout
  • Okta Identity Engine (OIE)
Solution

Number of failed login attempts allowed when a password is incorrectly used

When a user signs in to Okta and is prompted for a password, the password policy that applies to that user is enforced. The user gets as many attempts to enter the correct password as that policy's lockout setting allows.

Every org has a Default Policy, and its lockout threshold is 10 unsuccessful attempts unless it has been changed. To review or change the threshold, or the automatic unlock time, follow the steps below.

  1. Log in to the Okta Admin Console.
  2. Navigate to Security > Authenticators > Password > Actions > Edit (in Okta Classic Engine: Security > Authentication > Password).
  3. Select the password policy to be modified and click the Edit button.
  4. Locate the Lockout settings within the Password Settings section.
  5. Configure the following fields as necessary: 
    • Lockout user after <number> unsuccessful attempts
    • Account is automatically unlocked after <number> minutes

(Screenshot: Lockout settings in the password policy editor)

NOTE: Password update failures: System Log events such as "User update password for Okta FAILURE: Password requirements were not met" mean that a new password was rejected by the policy's complexity rules. They are not failed sign-in attempts and do not count toward the lockout threshold.


Number of failed login attempts allowed when MFA is not satisfied

MFA (authenticator) failures are handled differently in Okta Classic Engine and in OIE, and there are further differences between the user interface and API calls.

  • In the Okta Classic Engine, users are locked out after five consecutive failed MFA attempts within a five-minute period. This value is hardcoded and cannot be changed, and it applies to SMS, Voice, and OTP authenticators (Okta Verify TOTP, custom TOTP, etc.). The only way to reset the MFA lockout counter is to authenticate successfully with MFA.
  • In the Okta Identity Engine (OIE), if a user enters an incorrect code from SMS, Voice, or an OTP authenticator (including the Okta Verify mobile application) five times in a row, Okta rate-limits further verification attempts and returns HTTP 429 Too Many Requests. To prevent brute-forcing of the code, that authenticator is locked for 5 minutes, during which the user cannot verify with it.

NOTE: There are two exceptions to these behaviors:

  1. Verifying SMS programmatically via the API is not subject to the limits above and does not lock the account after 5 unsuccessful attempts.
  2. Okta Verify Push is exempt: failed or denied push challenges do not count toward rate limits or lockout.

(Screenshot: example authentication failure events)
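The two counting rules above (password failures count toward the policy threshold, password-update failures do not; MFA failures count toward the fixed 5-in-5-minutes limit, Okta Verify Push denials do not) can be checked against System Log data. The script below is an added example for this article, not Okta code: it tallies constructed System Log events per user and reports who has reached a lockout. The event type names and JSON field names (eventType, outcome.result, outcome.reason, actor.alternateId, published) follow the Okta System Log format, the sample events are constructed for illustration, and the 5-minute sliding window for MFA failures is an assumption about how the "within a five-minute period" rule is evaluated.

```python
"""Tally failed sign-in attempts against Okta lockout thresholds from System Log events.

Added example for this article, not Okta code. Event types and JSON field names follow
the Okta System Log (eventType, outcome.result, outcome.reason, actor.alternateId,
published); the events below are constructed for illustration, not captured from an org.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Thresholds from the article: the default password policy locks after 10 failures;
# MFA locks after 5 consecutive failures within 5 minutes (assumed sliding window).
PASSWORD_LOCKOUT_THRESHOLD = 10
MFA_LOCKOUT_THRESHOLD = 5
MFA_WINDOW = timedelta(minutes=5)

SESSION_START = "user.session.start"              # password sign-in; FAILURE + INVALID_CREDENTIALS counts
PASSWORD_UPDATE = "user.account.update_password"  # rejected new password; never counts
MFA_VERIFY = "user.authentication.auth_via_mfa"   # OTP/SMS/Voice verification; FAILURE counts
PUSH_DENY = "user.mfa.okta_verify.deny_push"      # denied push; exempt from lockout


def _ts(published):
    return datetime.strptime(published, "%Y-%m-%dT%H:%M:%S.%fZ")


def tally(events):
    """Return {user: {"password": failures since last success,
                      "mfa": failure timestamps still inside the window,
                      "locked": lockout kinds reached, in order}}."""
    state = defaultdict(lambda: {"password": 0, "mfa": [], "locked": []})
    for ev in sorted(events, key=lambda e: e["published"]):
        s = state[ev["actor"]["alternateId"]]
        success = ev["outcome"]["result"] == "SUCCESS"
        kind = ev["eventType"]
        when = _ts(ev["published"])
        if kind == SESSION_START:
            if success:
                s["password"] = 0            # a successful sign-in resets the counter
            elif ev["outcome"].get("reason") == "INVALID_CREDENTIALS":
                s["password"] += 1
                if s["password"] == PASSWORD_LOCKOUT_THRESHOLD:
                    s["locked"].append("password")
        elif kind == MFA_VERIFY:
            if success:
                s["mfa"] = []                # successful MFA clears the failure run
            else:
                s["mfa"] = [t for t in s["mfa"] if when - t <= MFA_WINDOW] + [when]
                if len(s["mfa"]) == MFA_LOCKOUT_THRESHOLD:
                    s["locked"].append("mfa")
        # PASSWORD_UPDATE failures and PUSH_DENY are deliberately not counted
    return dict(state)


def _event(user, event_type, result, seconds, reason=None):
    """Build a minimal constructed System Log event `seconds` after a fixed base time."""
    when = datetime(2024, 1, 1, 8, 0, 0) + timedelta(seconds=seconds)
    outcome = {"result": result, **({"reason": reason} if reason else {})}
    return {"eventType": event_type,
            "published": when.isoformat(timespec="milliseconds") + "Z",
            "outcome": outcome,
            "actor": {"alternateId": user}}


SAMPLE_EVENTS = (
    # alice: three wrong passwords plus one rejected password change -> 3 toward 10, not locked
    [_event("alice@example.com", SESSION_START, "FAILURE", i * 30, "INVALID_CREDENTIALS") for i in range(3)]
    + [_event("alice@example.com", PASSWORD_UPDATE, "FAILURE", 100)]
    # bob: five bad OTP codes inside two minutes -> MFA lockout
    + [_event("bob@example.com", MFA_VERIFY, "FAILURE", i * 20) for i in range(5)]
    # carol: five denied Okta Verify pushes -> exempt, nothing counted
    + [_event("carol@example.com", PUSH_DENY, "FAILURE", i * 20) for i in range(5)]
    # dave: two failures, a success that resets the count, then ten failures -> password lockout
    + [_event("dave@example.com", SESSION_START, "FAILURE", i * 15, "INVALID_CREDENTIALS") for i in range(2)]
    + [_event("dave@example.com", SESSION_START, "SUCCESS", 30)]
    + [_event("dave@example.com", SESSION_START, "FAILURE", 60 + i * 15, "INVALID_CREDENTIALS") for i in range(10)]
)

if __name__ == "__main__":
    for user, s in tally(SAMPLE_EVENTS).items():
        print(f"{user}: password failures={s['password']} "
              f"mfa failures in window={len(s['mfa'])} locked={s['locked']}")
```

Running it against a real export (the System Log API returns the same event shape) needs only the export to be loaded in place of SAMPLE_EVENTS. The threshold constant should be set to the policy that actually applies to the user, since the 10-attempt value is only the default.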


Unlocking an account

To unlock an account that has been locked because the password attempt limit was exceeded, or for any other reason, follow these steps:

  1. In the Admin Console, go to Directory > People.
  2. Click the user's name in the Person & Username column to open their profile.
  3. Click the More Actions drop-down menu, and then click Unlock Account.

If the account was locked because of failed MFA, it is advisable to reset the user's authenticators in addition to unlocking the account. To do so, follow these steps:

  1. In the Admin Console, go to Directory > People, then select the user who needs the MFA reset.
  2. Click the More Actions drop-down menu, and then click Reset Authenticators.

After a user has been locked out for too many failed password attempts, the failed login counter is reset only when the user successfully signs in to the same account once it has been unlocked. There is no time limit after an unlock: the user may sign in again, change their password, and/or re-enroll MFA whenever they are ready.
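The same two administrative actions (unlock, then reset authenticators for the MFA case) are available through the Okta Users API lifecycle operations, which is what a help desk tool or SOAR playbook would call instead of clicking through the Admin Console. The script below is an added example for this article, not Okta's SDK: it issues POST /api/v1/users/{id}/lifecycle/unlock and, when asked, POST /api/v1/users/{id}/lifecycle/reset_factors with an SSWS API token. The org URL, token and user identifier are placeholders, and the `send` parameter is a hypothetical hook that lets the flow be exercised offline with a fake transport.

```python
"""Unlock an Okta user and (optionally) reset their authenticators through the Users API.

Added example for this article, not Okta's SDK. It calls the documented lifecycle
operations POST /api/v1/users/{id}/lifecycle/unlock and
POST /api/v1/users/{id}/lifecycle/reset_factors with an SSWS API token. The org URL,
token and user id are placeholders; `send` is an injectable transport so the flow can
be exercised offline.
"""
import json
import urllib.error
import urllib.request

LIFECYCLE_OPERATIONS = ("unlock", "reset_factors")


def build_request(org_url, api_token, user_id, operation):
    """Build the POST for one lifecycle operation on a user (Okta accepts id or login)."""
    if operation not in LIFECYCLE_OPERATIONS:
        raise ValueError(f"unsupported lifecycle operation: {operation}")
    url = f"{org_url.rstrip('/')}/api/v1/users/{user_id}/lifecycle/{operation}"
    headers = {
        "Authorization": f"SSWS {api_token}",   # API token auth
        "Accept": "application/json",
        "Content-Type": "application/json",
    }
    return urllib.request.Request(url, data=b"", headers=headers, method="POST")


def _http_send(request):
    """Real transport: returns (status, body); non-2xx responses are returned, not raised."""
    try:
        with urllib.request.urlopen(request, timeout=15) as resp:
            return resp.status, resp.read().decode()
    except urllib.error.HTTPError as err:
        return err.code, err.read().decode()


def unlock_user(org_url, api_token, user_id, reset_authenticators=False, send=_http_send):
    """Unlock the account, then reset authenticators if requested (the article's MFA case).

    Returns the list of (operation, status) performed. Stops at the first failure so a
    failed unlock is never followed by a factor reset the operator did not get to review.
    """
    operations = ["unlock"] + (["reset_factors"] if reset_authenticators else [])
    done = []
    for op in operations:
        status, body = send(build_request(org_url, api_token, user_id, op))
        if status != 200:
            summary = body
            try:
                summary = json.loads(body).get("errorSummary", body)  # Okta error envelope
            except ValueError:
                pass
            raise RuntimeError(f"{op} for {user_id} failed: HTTP {status}: {summary}")
        done.append((op, status))
    return done


if __name__ == "__main__":
    # Dry run with a fake transport so nothing is sent; use the default send for real calls.
    def fake_send(req):
        print("would POST", req.full_url)
        return 200, ""

    print(unlock_user("https://example.okta.com", "00placeholder-token", "alice@example.com",
                      reset_authenticators=True, send=fake_send))
```

The token used needs an admin role that can manage users; keep it in a secrets store rather than in the script, and treat a 403 on unlock as a signal to check the user's status in the Admin Console before retrying.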

