
k86ig (k86ig) asked a question.
A newbie question here.
We have Okta MFA with our Active Directory Domain. Our users are getting locked out of AD. I would like to understand how the account lockout process happens with Okta MFA and AD.
My understanding is that currently:
- The user is presented with the Okta web logon, they enter their password.
- If they get the password wrong they are prompted that they are "unable to sign in" and they are not prompted for the 2nd factor.
- If they get the password right they are then prompted for the 2nd factor.
- If they get the password incorrect multiple times, their account is locked out by Active Directory (and they never get prompted for the 2nd factor).
What I would like to know/understand is:
Is it possible to configure Okta to prompt the user for their account and password, then check for MFA, and only then advise "access denied" or "access permitted"? And if there were multiple attempts that were access denied, lock out the account.
The reason I'm asking this is that the current method of asking for the username/password combo first actually helps a potential hacker guess the password. If Okta prompted for both factors and only then advised "access denied" or "access permitted", the hacker would not know for what reason (password wrong, or 2nd factor incorrect).
Thanks, Simon

Hello @k86ig (k86ig),
Thank you for posting.
In this case, what you are asking is not possible because, in order to prompt the MFA request, the username and password have to be correct.
Regards,
Natalia
Okta Inc.