Clarifying if Rejecting an Okta Verify Push Notification Counts as Failed MFA
Multi-Factor Authentication
Overview

This article explains the cumulative limit for failed Multi-Factor Authentication (MFA) attempts and whether denying an Okta Verify push notification is counted as a failed attempt.

Applies To
  • Okta Verify
  • Push Notification
  • SMS
  • Voice call
  • Multi-Factor Authentication (MFA)
Solution

The following points from the Failed Login Attempts Allowed Before an Account Is Locked Out and How to Unlock It documentation clarify how lockouts for failed authentication attempts work:

  • When a user signs in to their Okta account and is prompted for a password, the configured password policy is enforced. The number of failed login attempts allowed when MFA is not satisfied is a separate limit from the one configured in the password policy.
  • For MFA, there is a separate limit that behaves differently depending on which Okta version the user is on: Okta Identity Engine (OIE) or Okta Classic. The document Number of failed login attempts allowed when MFA is not satisfied delves deeper into the differences between OIE and Classic.

This MFA limit includes authentication failures via Voice Call, SMS, or an Okta Verify code. Denying an Okta Verify push notification does not count towards this cumulative limit: a denied push is exempt from the rate limit and lockout that failed or denied authentication attempts would otherwise trigger.

NOTE: Denying an Okta Verify push notification is recorded in the Okta System Log as a failed authentication event with the reason INVALID_CREDENTIALS.


Expanding the event shows the response for PushOnlyResponseType as OV_RESPONSE_DENY.
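The distinction above matters for anyone triaging System Log data: a denied push looks like any other MFA failure (outcome FAILURE, reason INVALID_CREDENTIALS) until the PushOnlyResponseType value is checked. The script below is an added example, not Okta's code or part of this article. It classifies constructed sample events, counts only the failures that contribute to the cumulative MFA limit, and separately counts push denials per user so that a run of unsolicited-push denials can be reviewed. It assumes the push response value is found at debugContext.debugData under a key spelled like PushOnlyResponseType (the exact key path is an assumption based on the expanded event described above), and the review threshold is a placeholder, since the article gives no number.

```python
"""Classify Okta System Log MFA events: push denials vs. counted MFA failures.

Added example, not Okta's code. The events below are constructed to mirror the
System Log shape (eventType, outcome.result/reason, actor, debugContext.debugData).
ASSUMPTION: the push response lives at debugContext.debugData.pushOnlyResponseType.
"""
from collections import Counter

MFA_EVENT_TYPE = "user.authentication.auth_via_mfa"
PUSH_DENY = "OV_RESPONSE_DENY"

# Constructed sample events (not real log data): alice denies three pushes,
# bob enters two wrong SMS codes and denies one push, carol succeeds.
SAMPLE_EVENTS = [
    {"uuid": "e1", "published": "2024-01-01T10:00:00.000Z", "eventType": MFA_EVENT_TYPE,
     "actor": {"alternateId": "alice@example.com"},
     "outcome": {"result": "FAILURE", "reason": "INVALID_CREDENTIALS"},
     "debugContext": {"debugData": {"pushOnlyResponseType": PUSH_DENY}}},
    {"uuid": "e2", "published": "2024-01-01T10:00:20.000Z", "eventType": MFA_EVENT_TYPE,
     "actor": {"alternateId": "alice@example.com"},
     "outcome": {"result": "FAILURE", "reason": "INVALID_CREDENTIALS"},
     "debugContext": {"debugData": {"pushOnlyResponseType": PUSH_DENY}}},
    {"uuid": "e3", "published": "2024-01-01T10:00:40.000Z", "eventType": MFA_EVENT_TYPE,
     "actor": {"alternateId": "alice@example.com"},
     "outcome": {"result": "FAILURE", "reason": "INVALID_CREDENTIALS"},
     "debugContext": {"debugData": {"PushOnlyResponseType": PUSH_DENY}}},
    {"uuid": "e4", "published": "2024-01-01T10:01:00.000Z", "eventType": MFA_EVENT_TYPE,
     "actor": {"alternateId": "bob@example.com"},
     "outcome": {"result": "FAILURE", "reason": "INVALID_CREDENTIALS"},
     "debugContext": {"debugData": {}}},
    {"uuid": "e5", "published": "2024-01-01T10:01:30.000Z", "eventType": MFA_EVENT_TYPE,
     "actor": {"alternateId": "bob@example.com"},
     "outcome": {"result": "FAILURE", "reason": "INVALID_CREDENTIALS"},
     "debugContext": {"debugData": {}}},
    {"uuid": "e6", "published": "2024-01-01T10:02:00.000Z", "eventType": MFA_EVENT_TYPE,
     "actor": {"alternateId": "bob@example.com"},
     "outcome": {"result": "FAILURE", "reason": "INVALID_CREDENTIALS"},
     "debugContext": {"debugData": {"pushOnlyResponseType": PUSH_DENY}}},
    {"uuid": "e7", "published": "2024-01-01T10:03:00.000Z", "eventType": MFA_EVENT_TYPE,
     "actor": {"alternateId": "carol@example.com"},
     "outcome": {"result": "SUCCESS"},
     "debugContext": {"debugData": {}}},
]


def _debug_data(event):
    return (event.get("debugContext") or {}).get("debugData") or {}


def push_response(event):
    """Return the recorded Okta Verify push response, if any.
    Key casing is tolerated because the article shows it as PushOnlyResponseType."""
    for key, value in _debug_data(event).items():
        if key.lower() == "pushonlyresponsetype":
            return value
    return None


def is_mfa_failure(event):
    outcome = event.get("outcome") or {}
    return event.get("eventType") == MFA_EVENT_TYPE and outcome.get("result") == "FAILURE"


def is_push_denial(event):
    """A denied push is logged as a failure with reason INVALID_CREDENTIALS,
    but the expanded event carries PushOnlyResponseType OV_RESPONSE_DENY."""
    outcome = event.get("outcome") or {}
    return (is_mfa_failure(event)
            and outcome.get("reason") == "INVALID_CREDENTIALS"
            and push_response(event) == PUSH_DENY)


def is_counted_mfa_failure(event):
    """Failures that count toward the cumulative MFA limit (Voice, SMS, OV code).
    Push denials are excluded, as the article states."""
    return is_mfa_failure(event) and not is_push_denial(event)


def _user(event):
    return (event.get("actor") or {}).get("alternateId", "<unknown>")


def lockout_counts(events):
    """Per-user count of failures that contribute to the MFA lockout limit."""
    return Counter(_user(e) for e in events if is_counted_mfa_failure(e))


def push_denial_counts(events):
    """Per-user count of denied pushes (not counted toward lockout, but worth review)."""
    return Counter(_user(e) for e in events if is_push_denial(e))


def users_over_threshold(counts, threshold):
    """Users at or above a review threshold. The threshold is a placeholder:
    the article gives no number for unsolicited-push review."""
    return sorted(user for user, n in counts.items() if n >= threshold)


if __name__ == "__main__":
    print("counted toward MFA limit:", dict(lockout_counts(SAMPLE_EVENTS)))
    print("push denials:", dict(push_denial_counts(SAMPLE_EVENTS)))
    print("review (>= 3 denials):", users_over_threshold(push_denial_counts(SAMPLE_EVENTS), 3))
```

Running it on the constructed events shows bob with two counted failures (his denied push is not counted) and alice flagged for review after three denials, which is the pattern an administrator would look for when a user reports pushes they did not initiate.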


If an end user receives Okta Verify push notifications that they did not initiate, which suggests suspicious activity, the following actions are recommended:

  • The end user should contact an administrator to request a password reset.
  • Administrators can enhance security by implementing the following measures:
    • Block suspicious IP addresses.
    • Utilize ThreatInsight for monitoring and enforcing security based on threat levels.
    • Enforce the use of diverse Multi-Factor Authentication options.
