Two-factor authentication without "step-up" (i.e. both factors are checked by the "Main Authenticator" or "Meta Authenticator"):
- Every single failure increases the failure counter - independent of which authentication factor caused the failure.
- Every full success over all the steps resets the failure counter - meaning all authentication factors required must be validated successfully.
Two-factor authentication with "step-up" (i.e. first factor is checked by the configured Authenticator; second factor on demand using the step-up configuration):
- The first-factor result affects the "failed logins counter" and the threshold configured in the configured Authenticator is relevant.
- The second factor (the step-up factor) affects the "failed step-up attempts" counter and the threshold configured in the step-up configuration is relevant.