Okta evaluates multiple failed Multi-Factor Authentication (MFA) attempts differently depending on the platform version and the challenge method. On the Okta Classic Engine, users experience an account lockout after five failed attempts. On Okta Identity Engine (OIE), five consecutive failed attempts trigger a temporary authenticator lockout and generate the HTTP status code 429 Too Many Requests.
A successful MFA challenge response resets the lockout counter.
- Okta Identity Engine (OIE)
- Okta Classic Engine
- Multi-Factor Authentication (MFA)
How does Okta evaluate multiple OTP Authentication attempts?
Review the platform-specific lockout behaviors and API challenge differences to understand how Okta handles multiple failed authentication attempts.
- Okta Classic Engine locks out the user after five consecutive failed MFA attempts. Okta hardcodes this value, preventing administrators from changing it. The user must successfully log in with MFA to reset the lockout counter.
- Okta Identity Engine (OIE) triggers rate limits when a user enters an incorrect code from the Okta Verify mobile application five consecutive times. Okta generates a 429 Too Many Requests HTTP status code and temporarily locks the user's authenticator for five minutes to prevent potential security breaches. The user cannot use the authenticator during this time.
- Okta handles MFA challenges issued through API calls differently from challenges issued through the user interface. When an API call challenges the user, Okta allows five attempts before locking the user out of the Okta account. Okta hardcodes this limit of five failed attempts, preventing modification. A successful MFA challenge response resets the counter.
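The counter behaviour described above (five consecutive failures, reset on success, a five-minute authenticator lock on OIE versus an account lock on Classic) can be replayed from System Log events to alert before or as a lockout happens. The script below is an added example, not Okta's code; the event type name, the field layout and the sample events are constructed assumptions in a simplified System Log shape.

```python
from collections import defaultdict
from datetime import datetime, timedelta

LOCKOUT_THRESHOLD = 5                    # hardcoded by Okta on both engines
OIE_LOCK_WINDOW = timedelta(minutes=5)   # OIE temporary authenticator lock
MFA_EVENT = "user.authentication.auth_via_mfa"  # assumed event type name


def ev(ts, user, result):
    """Build one constructed, simplified System Log-style MFA event."""
    return {"published": ts, "eventType": MFA_EVENT,
            "actor": {"alternateId": user}, "outcome": {"result": result}}


# Constructed sample: alice fails 4 times, succeeds (counter resets),
# then fails 5 times in a row; bob only fails 3 times.
SAMPLE_EVENTS = (
    [ev(f"2024-05-01T10:00:{i:02d}Z", "alice@example.com", "FAILURE") for i in range(4)]
    + [ev("2024-05-01T10:00:10Z", "alice@example.com", "SUCCESS")]
    + [ev(f"2024-05-01T10:01:{i:02d}Z", "alice@example.com", "FAILURE") for i in range(5)]
    + [ev(f"2024-05-01T10:02:{i:02d}Z", "bob@example.com", "FAILURE") for i in range(3)]
)


def parse_ts(s):
    return datetime.fromisoformat(s.replace("Z", "+00:00"))


def track_mfa_failures(events, engine="oie"):
    """Replay MFA outcomes per user and report the moment the lockout
    threshold is reached. Returns (user, lock_time, locked_until) tuples;
    locked_until is lock_time + 5 minutes on OIE and None on Classic,
    where the account stays locked until an admin or the user unlocks it."""
    consecutive = defaultdict(int)
    alerts = []
    for e in sorted(events, key=lambda x: x["published"]):
        if e.get("eventType") != MFA_EVENT:
            continue
        user = e["actor"]["alternateId"]
        if e["outcome"]["result"] == "SUCCESS":
            consecutive[user] = 0        # a successful challenge resets the counter
            continue
        consecutive[user] += 1
        if consecutive[user] == LOCKOUT_THRESHOLD:
            ts = parse_ts(e["published"])
            until = ts + OIE_LOCK_WINDOW if engine == "oie" else None
            alerts.append((user, ts.isoformat(), until.isoformat() if until else None))
    return alerts


if __name__ == "__main__":
    for alert in track_mfa_failures(SAMPLE_EVENTS, "oie"):
        print("MFA lockout threshold reached:", alert)
```

In production the same logic runs over events pulled from the System Log API; alerting at three or four consecutive failures gives the help desk warning before the fifth attempt locks the authenticator or account.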
