Limiting password reset requests

A recent penetration test on my app raised the following issue: The web application had no rate limiting implemented on the ‘password reset’ functionality, leading to an email flooding attack.

The pen tester sent a large volume of “Forgotten Password” requests to dev-nnnnnnn.okta.com/api/v1/authn/recovery/password, which resulted in a large number of emails sent to the user’s (the “victim”) email address, e.g., the attacker could perform an email flooding attack against the victim’s email address.

Is there any way to prevent this within the Okta Security, Authentication, Password configuration?

Thanks

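The post asks about an Okta-side setting, which is not covered here. As an added example (not part of the original post and not Okta's own code), the following shows the application-layer control a pentester would expect in front of a "forgot password" handler: a sliding-window limit keyed on the normalized target login, and a second one keyed on the requesting client, applied before the real recovery call is triggered. The `send_reset` hook, the limits (3 per account per hour, 10 per client per hour) and the sample logins and addresses are assumptions for illustration.

```python
"""Rate limiting a password-reset request handler (added example, not Okta code).

Assumes the app has its own server-side handler that fronts the identity
provider's recovery call, so abusive requests can be dropped before any
email is sent.
"""
import time
from collections import defaultdict, deque


class SlidingWindowLimiter:
    """Allow at most `limit` events per `window` seconds for each key."""

    def __init__(self, limit: int, window: float) -> None:
        self.limit = limit
        self.window = window
        self._events = defaultdict(deque)  # key -> timestamps of allowed events

    def allow(self, key: str, now: float) -> bool:
        q = self._events[key]
        cutoff = now - self.window
        while q and q[0] <= cutoff:          # drop events that fell out of the window
            q.popleft()
        if len(q) >= self.limit:
            return False                      # quota for this key is exhausted
        q.append(now)                         # record only requests we actually allow
        return True


def normalize_login(login: str) -> str:
    """Canonicalize so 'Victim@Example.com ' and 'victim@example.com' share one bucket."""
    return login.strip().lower()


# Same reply whether the request was sent, throttled, or the login does not exist,
# so the endpoint leaks neither the throttle state nor which accounts are valid.
GENERIC_RESPONSE = "If an account exists for that login, a password reset email has been sent."


class PasswordResetGate:
    """Two independent limits: per target account and per requesting client."""

    def __init__(self, send_reset, per_account=(3, 3600), per_client=(10, 3600)) -> None:
        self.send_reset = send_reset          # assumed hook that triggers the real recovery
        self.per_account = SlidingWindowLimiter(*per_account)
        self.per_client = SlidingWindowLimiter(*per_client)
        self.sent = 0
        self.suppressed = 0

    def request_reset(self, login: str, client_ip: str, now: float) -> str:
        key = normalize_login(login)
        # Client bucket is checked first (and short-circuits), so a single abuser
        # stops consuming the victim's per-account quota once its own quota is gone.
        allowed = self.per_client.allow(client_ip, now) and self.per_account.allow(key, now)
        if allowed:
            self.send_reset(key)
            self.sent += 1
        else:
            self.suppressed += 1
        return GENERIC_RESPONSE


if __name__ == "__main__":
    outbox = []                               # constructed stand-in for the mail sender
    gate = PasswordResetGate(outbox.append)
    t0 = time.time()
    for i in range(50):                       # constructed flood against one victim
        gate.request_reset("Victim@Example.com ", "203.0.113.7", t0 + i)
    print(f"emails sent: {gate.sent}, requests suppressed: {gate.suppressed}")
```

The per-account bucket is what stops the mailbox flood, and it is also the trade-off to be aware of: while an attacker is hammering a login, the legitimate owner's own reset is throttled for the rest of the window, which is why the window and limit should be sized for a real user's retry behaviour rather than set to one. The per-client bucket catches the same abuser across many target logins. In a real deployment the event store has to be shared across instances (a Redis-style store rather than process memory) or the limit is only per process.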