Does an account get locked if too many invalid MFA tokens are provided? If so, what causes this and what is the procedure to unlock the account?
What is the lifetime of a refresh token?
Is there a quota on how often we can request a new access token? If so, is this quota at a user level or organisation level?
Yes. The account gets locked for a period of 5 minutes if the user enters 5 incorrect MFA tokens consecutively. ( After 3 tries, the user is alerted that too many retires will lock his account), So the account is unlocked in 5 minutes. It is time bound. There is no process of unlocking the user.
Refresh token validity not tied to Multi factor Authentication, it depends on the client. ( edgeui and edgecli clients which are used to access the MGMT UI and mgmt API calls have a refresh token validity of 84600 seconds).
There is no quota/limit on how often someone can request for an access token.