This article clarifies whether it is possible to configure a user lockout policy based on a specific number of Multi-Factor Authentication (MFA) failure attempts.

- Okta Identity Engine (OIE)
- Multi-Factor Authentication (MFA)

Okta does not provide a configurable setting in the Admin Console to define the number of allowed Multi-Factor Authentication (MFA) failure attempts before a lockout occurs.
In Okta Identity Engine (OIE), the system automatically locks a user’s authenticator for five minutes after five consecutive incorrect MFA codes. This action results in a temporary lockout and a 429 Too Many Requests error.
For details on configuring password lockout settings, refer to How to Configure the Number of Failed Login Attempts Before User Lockout.
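
To spot users who hit the fixed limit described above (five consecutive incorrect codes, then a five-minute authenticator lock), the following added example scans exported log events for that pattern. It is not Okta's code. It assumes events shaped like System Log records (`published`, `eventType`, `actor.alternateId`, `outcome.result`) with the `user.authentication.auth_via_mfa` event type, tracks the streak per user rather than per authenticator, and assumes attempts made during the lock are rejected without counting.

```python
import json
from datetime import datetime, timedelta

THRESHOLD = 5                 # consecutive incorrect MFA codes (from the article)
LOCK = timedelta(minutes=5)   # authenticator lock duration (from the article)
MFA_EVENT = "user.authentication.auth_via_mfa"

def ev(hms, user, result):
    """Build one constructed log line, trimmed to the fields used below."""
    return json.dumps({"published": f"2024-05-01T{hms}.000Z", "eventType": MFA_EVENT,
                       "actor": {"alternateId": user}, "outcome": {"result": result}})

# Constructed sample data: alice fails five times in a row, then tries again
# inside the lock window; bob's fourth failure is followed by a success.
SAMPLE = (
    [ev(f"10:00:{s:02d}", "alice@example.com", "FAILURE") for s in (0, 10, 20, 30, 40)]
    + [ev("10:02:00", "alice@example.com", "FAILURE")]
    + [ev(f"10:01:{s:02d}", "bob@example.com", r) for s, r in
       ((0, "FAILURE"), (5, "FAILURE"), (10, "FAILURE"), (15, "FAILURE"),
        (20, "SUCCESS"), (25, "FAILURE"))]
)

def parse_ts(value):
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%S.%fZ")

def find_lockouts(lines):
    """Return [(user, time of fifth failure, expected unlock time), ...]."""
    streak, locked_until, hits = {}, {}, []
    events = [json.loads(line) for line in lines if line.strip()]
    events = [e for e in events if e.get("eventType") == MFA_EVENT]
    for e in sorted(events, key=lambda e: e["published"]):
        user, ts = e["actor"]["alternateId"], parse_ts(e["published"])
        if ts < locked_until.get(user, datetime.min):
            continue  # assumption: attempts during the lock are not counted
        if e["outcome"]["result"] == "FAILURE":
            streak[user] = streak.get(user, 0) + 1
            if streak[user] == THRESHOLD:
                locked_until[user] = ts + LOCK
                hits.append((user, ts, ts + LOCK))
                streak[user] = 0
        else:
            streak[user] = 0  # a success breaks the consecutive run
    return hits

if __name__ == "__main__":
    for user, locked_at, unlock_at in find_lockouts(SAMPLE):
        print(f"{user}: locked at {locked_at}, expected unlock at {unlock_at}")
```

Repeated hits for the same account across successive lock windows are the signal worth alerting on, since a single lockout is often just a mistyped code.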
