- Does an account get locked if too many invalid MFA tokens are provided? If so, what causes this and what is the procedure to unlock the account?
- What is the lifetime of a refresh token?
- Is there a quota on how often we can request a new access token? If so, is this quota at a user level or organisation level?
1. Yes. The account gets locked for a period of 5 minutes if the user enters 5 incorrect MFA tokens consecutively. (After 3 tries, the user is alerted that too many retries will lock his account.) So the account is unlocked in 5 minutes. It is time bound. There is no process of unlocking the user.
2. Refresh token validity is not tied to multi-factor authentication; it depends on the client. (The edgeui and edgecli clients, which are used to access the MGMT UI and mgmt API calls, have a refresh token validity of 84600 seconds.)
3. There is no quota/limit on how often someone can request an access token.