diff --git a/config/initializers/devise.rb b/config/initializers/devise.rb
index 3cf91fd81..4d43e7f3b 100644
--- a/config/initializers/devise.rb
+++ b/config/initializers/devise.rb
@@ -205,7 +205,7 @@ Devise.setup do |config|
   # :time = Re-enables login after a certain amount of time (see :unlock_in below)
   # :both = Enables both strategies
   # :none = No unlock strategy. You should handle unlocking by yourself.
-  config.unlock_strategy = :none
+  config.unlock_strategy = :time
 
   # Number of authentication tries before locking an account if lock_strategy
   # is failed attempts.
diff --git a/spec/features/auth/user_lockout_spec.rb b/spec/features/auth/user_lockout_spec.rb
index 35d9925a4..871dee26a 100644
--- a/spec/features/auth/user_lockout_spec.rb
+++ b/spec/features/auth/user_lockout_spec.rb
@@ -3,12 +3,14 @@ require "rails_helper"
 RSpec.describe "User Lockout" do
   let(:user) { FactoryBot.create(:user) }
   let(:admin) { FactoryBot.create(:admin_user) }
-  let(:attempt_number) { Devise.maximum_attempts }
+  let(:max_login_attempts) { Devise.maximum_attempts }
+  let(:max_2fa_attempts) { Devise.max_login_attempts }
+  let(:notify_client) { instance_double(Notifications::Client) }
 
   context "when login-in with the wrong user password up to a maximum number of attempts" do
     before do
       visit("/users/sign-in")
-      attempt_number.times do
+      max_login_attempts.times do
         fill_in("user[email]", with: user.email)
         fill_in("user[password]", with: "wrong_password")
         click_button("Sign in")
@@ -28,7 +30,7 @@ RSpec.describe "User Lockout" do
   context "when login-in with the wrong admin password up to a maximum number of attempts" do
     before do
       visit("/admin/sign-in")
-      attempt_number.times do
+      max_login_attempts.times do
         fill_in("admin_user[email]", with: admin.email)
         fill_in("admin_user[password]", with: "wrong_password")
         click_button("Sign in")
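Review bot: Switching `config.unlock_strategy` to `:time` turns the failed-attempts lock from a hard lock into a self-expiring one, so the guess budget an attacker gets becomes `maximum_attempts` per `unlock_in` window rather than a fixed total; the hunk does not show `config.unlock_in`, so confirm it is set to a value the team accepts and that the change is intended for both `User` and `AdminUser` (both are exercised by the lockout spec). A why-comment above the changed line would help the next reader, e.g. `# :time so locked accounts recover without operator action; the window is :unlock_in below`. If email-based unlocking was also expected, `:both` is the Devise option that adds it on top of the time-based unlock.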
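Review bot: The new `let` names invert the Devise names they wrap: `max_login_attempts` reads `Devise.maximum_attempts` (wrong-password lockout), while `max_2fa_attempts` reads `Devise.max_login_attempts`, which appears to be the two_factor_authentication gem's OTP attempt limit given the `devise.two_factor_authentication.account_locked` key used in the last hunk; someone grepping for `max_login_attempts` will land on the wrong setting. A one-line comment on each would remove the ambiguity, e.g. `# Devise.maximum_attempts: wrong-password lockout threshold` and `# Devise.max_login_attempts: wrong 2FA code threshold (two_factor_authentication gem)`. `notify_client` is only used by the new 2FA context, so it could be declared inside that context rather than at describe level where the password-lockout contexts carry an unused double.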
@@ -44,4 +46,30 @@ RSpec.describe "User Lockout" do
       expect(page).to have_content("Your account is locked.")
     end
   end
+
+  context "when login-in with the right admin password and incorrect 2FA token up to a maximum number of attempts" do
+    before do
+      allow(Sms).to receive(:notify_client).and_return(notify_client)
+      allow(notify_client).to receive(:send_sms).and_return(true)
+
+      visit("/admin/sign-in")
+      fill_in("admin_user[email]", with: admin.email)
+      fill_in("admin_user[password]", with: admin.password)
+      click_button("Sign in")
+
+      max_2fa_attempts.times do
+        fill_in("code", with: "random")
+        click_button("Submit")
+      end
+    end
+
+    it "locks the admin account" do
+      visit("/admin/sign-in")
+      fill_in("admin_user[email]", with: admin.email)
+      fill_in("admin_user[password]", with: admin.password)
+      click_button("Sign in")
+      expect(page).to have_http_status(:unprocessable_entity)
+      expect(page).to have_content(I18n.t("devise.two_factor_authentication.account_locked"))
+    end
+  end
 end
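Review bot: The new context only asserts that the admin account is locked after exactly `max_2fa_attempts` wrong codes, so it cannot tell a threshold of N from a threshold of 1 and would not catch a regression that locks too early. Pinning the boundary from below — submit `max_2fa_attempts - 1` wrong codes, assert the locked message is absent, then submit the final one — makes the test express the intended threshold; this assumes a wrong code re-renders the code form, which the hunk does not show. Note also that with `unlock_strategy = :time` now set in the initializer, the `it` block relies on `unlock_in` not elapsing during the example, which holds unless the spec uses time travel.
```ruby
      # … unchanged: SMS stub and password sign-in …
      (max_2fa_attempts - 1).times do
        fill_in("code", with: "random")
        click_button("Submit")
      end
      # one attempt below the limit must not lock the account yet
      expect(page).not_to have_content(I18n.t("devise.two_factor_authentication.account_locked"))
      fill_in("code", with: "random")
      click_button("Submit")
```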