diff --git a/src/config/schema.rs b/src/config/schema.rs
index f38298b34..50e8d2e93 100644
--- a/src/config/schema.rs
+++ b/src/config/schema.rs
@@ -5412,6 +5412,10 @@ fn default_otp_gated_actions() -> Vec {
 ]
 }
 
+fn default_otp_challenge_max_attempts() -> u32 {
+ 3
+}
+
 impl Default for OtpConfig {
 fn default() -> Self {
 Self {
@@ -7418,6 +7422,9 @@ impl Config {
 "security.otp.cache_valid_secs must be greater than or equal to security.otp.token_ttl_secs"
 );
 }
+ if self.security.otp.challenge_max_attempts == 0 {
+ anyhow::bail!("security.otp.challenge_max_attempts must be greater than 0");
+ }
 for (i, action) in self.security.otp.gated_actions.iter().enumerate() {
 let normalized = action.trim();
 if normalized.is_empty() {
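Review bot: `default_otp_challenge_max_attempts` has no doc comment, although 3 is the security-relevant default for how many submissions an OTP challenge tolerates. A line such as `/// Default for security.otp.challenge_max_attempts: submissions allowed per OTP challenge.` would record that, with the exact semantics confirmed against the code that counts attempts. The hunk shows only the first three lines of `impl Default for OtpConfig`, so it is not visible whether `Default::default()` sets the field by calling this function. If it uses a literal instead, the deserialization default (presumably a `#[serde(default = "...")]` attribute) and the programmatic default can drift apart.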
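Review bot: The added check on `challenge_max_attempts` rejects only 0, so any value up to `u32::MAX` passes validation and the limit on guessing a short numeric code can be configured away without any signal to the operator. Consider also rejecting values above a project-chosen ceiling, for example `if !(1..=MAX_OTP_CHALLENGE_ATTEMPTS).contains(&self.security.otp.challenge_max_attempts) { anyhow::bail!(...) }`, where `MAX_OTP_CHALLENGE_ATTEMPTS` is a new constant the maintainers would define. The error message should then state the allowed range. How the attempt counter is scoped and when it resets is not visible here, so the right ceiling depends on that. The enclosing validation function in `impl Config` starts and ends outside the hunk.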