What does the system hold? Your library loan history or nuclear weapon launch codes?
Assuming it’s reset every 10 attempts, you have lost keyspace and gained random odds. 1:1000000 of getting the password right, 1:500k on average. Assuming I can perform one attempt per second, about 139 hours to successfully brute force a single account. One second is probably pessimistic, most systems are capable of serving much higher rates.
Unless you have fail2ban or MFA, consider the PIN a formality.
I can't give full details of what is within accounts without potential exposure of the company. So I called a local bank and asked what I needed to set up an account. All the information required was part of a potential breach.
Is there a rate limit where protecting information with 5 digits is ok?
I would say 1m rather than 10k. As the value rolls every 10 attempts, the true odds are slightly less than 1:1m, but only because every 9th attempt is 1:(1m-9) and the 8th is 1:(1m-8); this is a minute difference.
Rate limits and account lockouts create accessibility and availability issues. I’m not aware of any real-world case studies where they have been abused; my guess is demographics are important (a student is more likely to do it to a school than a random on the street doing it to a finance company). Though, if usernames can be enumerated, you should still consider the risk of someone doing it at scale as a DoS.
What is / is not okay is probably largely defined by any security frameworks that you’re required to adhere to. In Australian Gov there is the Information Security Manual (google ISM ACSC). It states that password complexity goes up if you do not have MFA, and that without it credentials should be 14+ characters long.
Given your assertion that a breach would be possible, I would strongly suggest that your current methodology is dangerous. If you can enumerate usernames doubly so. Are you able to script a proof of concept brute force? Tools like hydra do this, but I prefer python3/requests.
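An added example (not written by any poster in this thread) that works through the odds discussed above: it computes the expected number of guesses for a 6-digit PIN that is walked sequentially versus one that is re-rolled every 10 attempts, cross-checks the closed form with a small simulation, and converts the result into hours at an assumed guess rate. The guess rates and the lockout policy of 10 attempts per 15 minutes are assumptions chosen for illustration, not values from the thread or any real system.

```python
import random


def expected_attempts(digits, rotate_every=None):
    """Expected number of guesses until a numeric PIN is found.

    - No rotation: the attacker walks the keyspace once, so on average half
      of the N = 10**digits values are tried before the hit: (N + 1) / 2.
    - Rotation every k attempts: each block of k distinct guesses hits with
      probability k / N, so the number of blocks is geometric with mean N / k,
      and the hit sits at a uniform position within the last block, giving
      (N / k - 1) * k + (k + 1) / 2 = N - (k - 1) / 2.
    """
    n = 10 ** digits
    if rotate_every is None:
        return (n + 1) / 2
    k = rotate_every
    return n - (k - 1) / 2


def simulate_rotating_pin(digits, rotate_every, trials, seed=1):
    """Monte Carlo check of expected_attempts for the rotating case.

    The system draws a fresh random PIN every `rotate_every` attempts; the
    attacker never repeats a guess within a block (the best it can do).
    Run on a small keyspace on purpose so the check finishes quickly.
    """
    n = 10 ** digits
    rng = random.Random(seed)
    total = 0
    for _ in range(trials):
        attempts = 0
        found = False
        while not found:
            pin = rng.randrange(n)
            for guess in rng.sample(range(n), rotate_every):
                attempts += 1
                if guess == pin:
                    found = True
                    break
        total += attempts
    return total / trials


def hours_to_compromise(attempts, attempts_per_second):
    """Wall-clock hours needed for `attempts` guesses at a sustained rate."""
    return attempts / attempts_per_second / 3600


def effective_rate(attempts_before_lockout, lockout_seconds):
    """Sustained guesses per second once a lockout policy is enforced."""
    return attempts_before_lockout / lockout_seconds


if __name__ == "__main__":
    seq = expected_attempts(6)
    rot = expected_attempts(6, rotate_every=10)
    print(f"6-digit PIN, sequential brute force: {seq:,.1f} guesses on average")
    print(f"6-digit PIN re-rolled every 10 tries: {rot:,.1f} guesses on average")
    # Assumed guess rates for illustration; real services often serve more.
    for rate in (1, 10, 100):
        print(f"  at {rate}/s: {hours_to_compromise(rot, rate):,.1f} hours")
    # Assumed lockout policy: 10 attempts, then locked for 15 minutes.
    locked = effective_rate(10, 15 * 60)
    print(f"  with 10 tries per 15 min lockout: "
          f"{hours_to_compromise(rot, locked):,.0f} hours")
    # Small-keyspace cross-check of the closed form (2 digits, rotate every 10
    # gives 100 - 4.5 = 95.5 expected guesses).
    print("simulation (2-digit PIN, rotate every 10):",
          simulate_rotating_pin(2, 10, trials=20000))
```

The closed form shows why rotation alone buys little: re-rolling the PIN every 10 tries only removes the benefit of never repeating a guess, so the expected work stays on the order of the full keyspace, and the only lever that changes the hours materially is the sustained guess rate, which is what a rate limit or lockout controls.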