This article clarifies a specific security measure that has been adopted: a user has a limited number of Security Question answer attempts when authenticating.
- Multi-factor Authentication (MFA)
- User Lifecycle Management
- Management and Monitoring
- Security Questions
- Okta Identity Engine (OIE)
The user failed to answer the security question within 5 successive attempts.
In Okta Identity Engine (OIE), Okta accounts are automatically suspended after 5 failed attempts to answer the Security Question. Here is the sequence of events that typically triggers this auto-suspension:
- A user enters the wrong password too many times and triggers a lockout.
- The user attempts to self-service unlock.
- The user successfully uses the first recovery method, for instance, Phone/SMS.
- The user attempts to answer the security question they set and fails more than 5 times.
After this, the user account is automatically suspended.
The Okta Identity Engine (OIE) product update of March 20th, 2023 removed the ability to perform unlimited Security Question authentication attempts. This is a security measure against bad actors, specifically to prevent dictionary attacks against the Security Question. Because Security Question answers can be obtained through malicious social engineering, it is highly recommended to plan a move away from this authentication method.
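To show what the attempt cap described above achieves against guessing, here is an added example of an attempt-limited Security Question verifier. It is not Okta's code and does not reproduce how OIE stores or checks answers; the 5-attempt limit, the hashing parameters, and the `SecurityQuestionVerifier` API are assumptions chosen to mirror the article's behaviour: wrong answers are counted, the account is suspended once the budget is spent, and a suspended account refuses even the correct answer until an administrator intervenes.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass

# Assumed limit mirroring the article's "5 failed attempts"; not Okta's implementation.
MAX_SECURITY_QUESTION_ATTEMPTS = 5


def _normalize(answer: str) -> str:
    """Case-fold and collapse whitespace so trivial spelling variants still match."""
    return " ".join(answer.strip().casefold().split())


def _hash_answer(answer: str, salt: bytes) -> bytes:
    # Answers are low-entropy, so store them like passwords: salted and slow-hashed.
    return hashlib.pbkdf2_hmac("sha256", _normalize(answer).encode(), salt, 100_000)


@dataclass
class SecurityQuestionRecord:
    salt: bytes
    answer_hash: bytes
    failed_attempts: int = 0
    suspended: bool = False


class SecurityQuestionVerifier:
    """Hypothetical verifier that suspends an account after too many wrong answers."""

    def __init__(self) -> None:
        self._records: dict[str, SecurityQuestionRecord] = {}

    def enroll(self, user: str, answer: str) -> None:
        salt = os.urandom(16)
        self._records[user] = SecurityQuestionRecord(salt, _hash_answer(answer, salt))

    def verify(self, user: str, answer: str) -> str:
        """Return 'ok', 'wrong' or 'suspended'. A suspended account never returns 'ok'."""
        rec = self._records[user]
        if rec.suspended:
            return "suspended"
        candidate = _hash_answer(answer, rec.salt)
        # Constant-time comparison avoids leaking how many bytes matched.
        if hmac.compare_digest(candidate, rec.answer_hash):
            rec.failed_attempts = 0
            return "ok"
        rec.failed_attempts += 1
        if rec.failed_attempts >= MAX_SECURITY_QUESTION_ATTEMPTS:
            rec.suspended = True  # auto-suspension, as the article describes
            return "suspended"
        return "wrong"

    def is_suspended(self, user: str) -> bool:
        return self._records[user].suspended

    def admin_unsuspend(self, user: str) -> None:
        """Only an administrator action clears the suspension and resets the counter."""
        rec = self._records[user]
        rec.suspended = False
        rec.failed_attempts = 0


def run_guess_sequence(verifier: SecurityQuestionVerifier, user: str, guesses: list[str]) -> list[str]:
    """Feed a list of candidate answers and return the outcome of each attempt."""
    return [verifier.verify(user, g) for g in guesses]


if __name__ == "__main__":
    v = SecurityQuestionVerifier()
    v.enroll("alice", "Rex")  # constructed enrolment
    # Constructed wrong guesses: the fifth one trips the suspension.
    print(run_guess_sequence(v, "alice", ["a", "b", "c", "d", "e"]))
    print(v.verify("alice", "Rex"))  # still 'suspended' despite the right answer
```

Running the module prints four `wrong` results followed by `suspended`, and the correct answer is then refused until `admin_unsuspend` is called. The point is the same one the article makes: without a cap, an attacker with a list of likely answers can keep trying until one matches; with a cap of 5, the guessing budget is exhausted almost immediately and the account is taken out of reach.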
