Need to know how much time must pass for the invalid credentials count to reset for a password policy

Loading

Skip to Navigation Skip to Main Content

Search

Search

Select Language

0D54z0000AJPGFwCQPOkta Classic EngineMulti-Factor AuthenticationAnswered2025-01-22T16:05:45.000Z2025-01-21T18:50:08.000Z2025-01-22T16:05:45.000Z

OktaNameO.79377 (Customer) asked a question.

January 21, 2025 at 6:50 PM

Need to know how much time must pass for the invalid credentials count to reset for a password policy

Hello.

Say I have a password policy defined of 5 bad password attempts in order for an Okta user to be locked out. 2 questions:

If the user has 4 bad password attempts on Monday, and they put another bad password attempt on Wednesday, will this cause a lockout for the user, even though 24 hours or more has elapsed since the 4th attempt?
In which scenarios exactly is the count of bad password attempts reset to 0? When the user successfully authenticates, etc?

Multi-Factor Authentication

Top Rated Answers

MatthewH.10249 (State of Iowa)
a year ago
I've not found any documentation that says for sure but this old community post suggests there is no limit and thus it would lock on the 5th time regardless of the length of time that has passed. https://support.okta.com/help/s/question/0D54z00007dvp9rCAA/time-interval-between-two-failed-login-attempts?language=en_US That being said, because that is so old I would suggest you do some tests to see for yourself as I found the following Knowledge Base post that mentions that for MFA it has a time period that if it goes past it will start over. "A cumulative limit of five unsuccessful authentication attempts is enforced over a rolling five-minute period.". https://support.okta.com/help/s/article/How-to-Configure-the-Number-of-Failed-Login-Attempts-Before-User-Lockout?language=en_US#:~:text=By%20default%2C%20it%20is%20set,and%20click%20the%20Edit%20button.
A successful authentication starts the count over and so does a time limit if you set one in the "Account is automatically unlocked after X minutes field" found by going to "Security > Authenticators > Password > Actions > Edit".
Expand Post
Selected as Best

All Answers

MatthewH.10249 (State of Iowa)
a year ago
I've not found any documentation that says for sure but this old community post suggests there is no limit and thus it would lock on the 5th time regardless of the length of time that has passed. https://support.okta.com/help/s/question/0D54z00007dvp9rCAA/time-interval-between-two-failed-login-attempts?language=en_US That being said, because that is so old I would suggest you do some tests to see for yourself as I found the following Knowledge Base post that mentions that for MFA it has a time period that if it goes past it will start over. "A cumulative limit of five unsuccessful authentication attempts is enforced over a rolling five-minute period.". https://support.okta.com/help/s/article/How-to-Configure-the-Number-of-Failed-Login-Attempts-Before-User-Lockout?language=en_US#:~:text=By%20default%2C%20it%20is%20set,and%20click%20the%20Edit%20button.
A successful authentication starts the count over and so does a time limit if you set one in the "Account is automatically unlocked after X minutes field" found by going to "Security > Authenticators > Password > Actions > Edit".
Expand Post
Selected as Best

This question is closed.

Recommended content

Forum

okta user attempts AD password reset "Forgot password?" then failure: INVALID_CREDENTIALS

Forum

unsuccessful login attempt lockout count in authentication->active directory policy

Forum

Will Okta lock the user if they have 5 invalid MFA Attempts

Forum

Suspend a user when passed a defined time

Loading

Need to know how much time must pass for the invalid credentials count to reset for a password policy