Allow Users to Use MFA to Unlock Their Own Accounts

We’re currently investigating options within our Okta org’s configuration to automate remediation of user lockouts, as they are our most common type of IT support request.

Unfortunately, our options are limited by the fact that our Security team is adamant that we DO NOT EVER allow users to use SMS, Security Questions, or non-work email accounts for Okta user account recovery. This seems like an arbitrary limitation to exclude MFA factors within the available options.

We want to continue automatically locking out users after 5 unsuccessful authentication attempts, but we also want to allow users to use their MFA factor (Duo, which we control) to unlock their own accounts, but NOT to reset their own passwords.

Alternatively, we would love to allow locked accounts to be automatically unlocked after X minutes, but ONLY if we can require their MFA factor immediately for the next authentication after this automatic unlock.