OTP Verification Attempts Limitations
Okta Classic Engine
Multi-Factor Authentication
Okta Identity Engine
Overview

This article describes how Okta Classic Engine and Okta Identity Engine (OIE) handle multiple failed Multi-Factor Authentication (MFA) attempts, and when those attempts are limited or result in a lockout.

Applies To
  • Multi-Factor Authentication (MFA)
Cause

The limitation or lockout that follows multiple failed attempts depends on the Okta platform and on how the Multi-Factor Authentication challenge is delivered and answered (for example through the user interface or through API calls).

Solution

Depending on the Okta platform, the user's Multi-Factor Authentication attempts will be evaluated differently:

  • On Okta Classic Engine, the user is locked out after five consecutive failed MFA attempts. This value is hardcoded and cannot be changed. The only way to reset the MFA lockout counter is to successfully log in with MFA.
  • On Okta Identity Engine (OIE), if a user enters an incorrect code from the Okta Verify mobile application five times consecutively, the system triggers its rate limit and returns HTTP status 429 Too Many Requests. To prevent abuse, the user's authenticator is then temporarily locked for 5 minutes, during which it cannot be used.

The behavior also differs depending on whether the challenge is answered through the user interface or through API calls. When the user is challenged via API calls, they have 5 attempts before being locked out of their Okta account. As in Okta Classic Engine, the limit of 5 failed attempts is hardcoded and cannot be changed, and the counter resets only after a successful MFA challenge response.
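The two lockout styles described above, modelled as a small server-side OTP verification guard. This is an added example and is not Okta's code: the constants follow the article (a hardcoded limit of 5 consecutive failures, a 5-minute timed lock on OIE, a lock on Classic/API that the counter alone cannot clear), while the user names, codes, the `lock_seconds=None` "sticky lock" mode and the injectable clock are assumptions made for illustration. The example also shows two checks a practitioner wants regardless of platform: a locked factor is rejected before the submitted code is compared, so a correct guess while locked reveals nothing, and the comparison itself is constant-time.

```python
"""Server-side OTP attempt guard modelling the article's lockout rules.
Added example, not Okta code. The 429 mapping, user names and codes are
illustrative assumptions."""
import hmac
import time
from dataclasses import dataclass
from enum import Enum
from typing import Callable, Dict, Optional, Tuple

MAX_CONSECUTIVE_FAILURES = 5   # hardcoded limit described in the article
OIE_LOCK_SECONDS = 5 * 60      # temporary authenticator lock on OIE


class Verdict(Enum):
    OK = "ok"
    WRONG_CODE = "wrong_code"
    LOCKED = "locked"   # an HTTP handler would answer 429 Too Many Requests


@dataclass
class FactorState:
    failures: int = 0                     # consecutive failures since last success
    locked_until: Optional[float] = None  # None = not locked; inf = sticky lock


class OtpVerifier:
    def __init__(self, lock_seconds: Optional[float],
                 clock: Callable[[], float] = time.time) -> None:
        # lock_seconds=None models a lock that does not expire on its own
        # (Classic / API style); a number models the OIE timed lock.
        self.lock_seconds = lock_seconds
        self.clock = clock
        self._state: Dict[str, FactorState] = {}

    def verify(self, user: str, submitted: str,
               expected: str) -> Tuple[Verdict, Optional[float]]:
        """Return (verdict, retry_after_seconds).

        retry_after_seconds is None unless the factor is locked; for a
        sticky lock it is float('inf').
        """
        st = self._state.setdefault(user, FactorState())
        now = self.clock()

        if st.locked_until is not None:
            if now < st.locked_until:
                # Locked: do not compare the code at all, so a lucky guess
                # while locked cannot be distinguished from a wrong one.
                return Verdict.LOCKED, st.locked_until - now
            # Timed lock has expired: the attempt budget starts fresh.
            st.locked_until = None
            st.failures = 0

        # Constant-time comparison; never compare OTPs with ==.
        if hmac.compare_digest(submitted.encode(), expected.encode()):
            st.failures = 0   # only a successful verification resets the counter
            return Verdict.OK, None

        st.failures += 1
        if st.failures >= MAX_CONSECUTIVE_FAILURES:
            st.locked_until = (float("inf") if self.lock_seconds is None
                               else now + self.lock_seconds)
            return Verdict.LOCKED, st.locked_until - now
        return Verdict.WRONG_CODE, None

    def remaining_attempts(self, user: str) -> int:
        st = self._state.get(user, FactorState())
        return max(0, MAX_CONSECUTIVE_FAILURES - st.failures)


if __name__ == "__main__":
    # Constructed walk-through with a fake clock so the 5-minute lock can be observed.
    fake_now = [1_000.0]
    oie = OtpVerifier(lock_seconds=OIE_LOCK_SECONDS, clock=lambda: fake_now[0])
    for attempt in range(1, 7):
        print(attempt, oie.verify("alice", "000000", "123456"))
    fake_now[0] += OIE_LOCK_SECONDS
    print("after lock expiry:", oie.verify("alice", "123456", "123456"))
```

Usage: construct one `OtpVerifier` per policy (`lock_seconds=OIE_LOCK_SECONDS` for the OIE user-interface behaviour, `lock_seconds=None` for the sticky Classic/API behaviour) and call `verify` for every submitted code; a `LOCKED` verdict should be returned to the client as 429 with the `retry_after` value, without revealing whether the code was right.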
