End-users encounter an illegal device state or an "invalidated device" error during Okta Verify enrollment or Okta FastPass authentication when the device is suspended or deactivated. Resolve this issue by updating Okta Verify, activating and deleting the device in the Okta Admin Console, clearing the application cache, or reinstalling the application.

End-users encounter the following error while enrolling in Okta Verify:

illegal device state

End-users encounter the following error while authenticating with Okta FastPass:

Your device or account was invalidated for use on Okta Verify. To continue using Okta Verify on this device, re-enroll this account.

• Multi-Factor Authentication (MFA)
• Okta Verify for Desktop
• Devices
• Okta Identity Engine (OIE)

Both errors occur because the device is suspended or deactivated at the time of enrollment or authentication. This state occurs when an administrator sets the device status to suspended or deactivated in the Okta Admin Console, or when a device is given to a new user without being deleted from the deactivated previous owner's account.

Review the Okta Verify logs for the following errors to confirm the cause.

{:octagonal_sign: “Enrollment”: {“message”: “ILLEGAL_DEVICE_STATE”, “defaultProperties”: “”, “location”: “AddAccountFlowCoordinator.swift:handleEnrollFailure(info:error:):488”}}
{:warning: “CODE”: {“message”: “CODE: 403, for request at URL: https://yourdomain.okta.com/idp/authenticators”, “defaultProperties”: “”, “location”: “ServerAPIProtocol.swift:validateResult(_:for:):257”}}
{:octagonal_sign: “API error”: {“message”: “error: serverAPIError(<OktaDeviceSDK.HTTPURLResult: 0x6000015581e0>, Optional(OktaDeviceSDK.ServerAPIErrorModel(errorCode: Optional(OktaDeviceSDK.ServerErrorCode.deviceSuspended), errorSummary: Optional(“Illegal device status, cannot perform action.“), errorLink: Optional(“E0000152”), errorId: Optional(“REDACTED”), status: nil, errorCauses: Optional([[“errorSummary”: “Invalid device status DEACTIVATED”]])))) for request at URL: https://yourdomain.okta.com/idp/authenticators”, “defaultProperties”: “”, “location”: “ServerAPIProtocol.swift:validateResult(_:for:):267"}}

{:white_check_mark: "API": {"message": "Request URL: https://yourdomain.okta.com/api/v1/authenticators?key=okta_verify&expand=methods Response Code: 403 Debug Headers: { x-okta-request-id:REDACTED} Error Response: {Error Code: E0000152, Error Id: REDACTED, Error Summary: Illegal device status, cannot perform action.}","defaultProperties": "", "location":"HttpClient.swift:logResponse(url:statusCode:headers:response:oktaRequest:):299"}}
{:warning: "CODE": {"message": "CODE: 403, for request at URL: https://yourdomain.okta.com/api/v1/authenticators?key=okta_verify&expand=methods", "defaultProperties": "", "location": "ServerAPIProtocol.swift:validateResult(_:for:):263"}}
{:octagonal_sign: "API error": {"message": "error: serverAPIError(<OktaDeviceSDK.HTTPURLResult: 0x600002b41440>, Optional(OktaDeviceSDK.ServerAPIErrorModel(errorCode: Optional(OktaDeviceSDK.ServerErrorCode.deviceSuspended), errorSummary: Optional("Illegal device status, cannot perform action."), errorLink: Optional("E0000152"), errorId: Optional("REDACTED"), status: nil, errorCauses: Optional([["errorSummary": "Your device or account was invalidated. If this is unexpected, contact your administrator for help."]])))) for request at URL: https://yourdomain.okta.com/api/v1/authenticators?key=okta_verify&expand=methods", "defaultProperties": "", "location": "ServerAPIProtocol.swift:validateResult(_:for:):273"}}

Error    [Date]    Okta Verify    8120    None    EnrollmentManager.CreateAndEnrollAccount: API error code UnknownError detected while enrolling a new account.



Warning    [Date]    Okta Verify    8130    None    "[AccountEnrollment][AuthenticatorAccountManager.EnrollAuthenticator]: Failed to enroll a deactivated device : Call to https://<domain>/idp/authenticators failed, HttpStatusCode=Forbidden, Error='E0000152: Illegal device status, cannot perform action.
[: Invalid device status DEACTIVATED]'"



Error    [Date]    Okta Verify    8120    None    [AccountEnrollment][OktaWebRequest.SendMessageAsync]: Call to https://<domain>/idp/authenticators failed with Forbidden. Request Id: [RequestID]



Warning    [Date] Okta Verify    8130    None    "[AccountEnrollment][OktaApiWebRequest.HandleErrorResponse]: Received API error: E0000152: Illegal device status, cannot perform action.

How is the illegal device state or the Your device or account was invalidated for use on Okta Verify error resolved?

Update Okta Verify to the latest version, verify the device status in the Okta Admin Console, clear the application cache, and reinstall the application to resolve the device state errors.

1. Update Okta Verify to the latest version, then attempt enrollment again.
2. If the Okta Verify version is up to date, navigate to the Okta Admin Console, go to Directory, and select Devices.
3. Search for the device used by the affected end-user and verify that the device is in an active state.
4. If the device is not active, activate the device, then attempt re-enrollment.

If the application is up to date, the device is currently active, but enrollment still fails:

1. Deactivate and delete the device.
2. Re-enroll the Okta Verify account.

If the issue persists after deactivating and deleting the device from the Admin Console:

1. Clear the Okta Verify cache from the mobile device. For example, on Android devices, navigate to Settings, select Apps, choose Okta Verify, select Storage, and choose Clear Cache.
   NOTE: Do not use the Clear data option, as that deletes all accounts.
2. Re-enroll in Okta Verify.