Users receive a Forgot Password Denied email when performing a Self-Service Password reset using email. System Logs indicate an Invalid User State error during password reset.
- Self-Service Password Recovery using email
- Okta Mastered Users
The prior password's age is less than the Minimum Password Age setting, or the user has been locked out, and the password policy does not display lockout failures.
Minimum password age
- Navigate to the Okta Admin console and go to Security > Authenticators > Password field - Actions > Edit.
- Select the Password Policy that applies to the user in question.
- Validate the Minimum Password Age defined under Password age, and verify if the user has reset their password within this time frame using the system logs.
- Select the Edit button on the Password Policy.
- Update the Minimum Password Age on the Password Policy, or uncheck this requirement depending on the use case, so users in the org can successfully reset their passwords.
- Click Save.
User is locked out
- If users are locked out, they can wait for the auto-unlock feature or have an admin unlock their account.
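The System Log check from the two sections above can be scripted. The following is an added example, not Okta's own code: it takes exported System Log events and reports which of the two causes applies to a denied reset. It assumes the events carry the `published`, `eventType`, `actor` and `target` fields, that password changes appear as `user.account.update_password` or `user.account.reset_password`, and that lockouts and unlocks appear as `user.account.lock` and `user.account.unlock*`. The function names and sample events are constructed for illustration.

```python
from datetime import datetime, timedelta

# Okta System Log event types for password changes (assumed sufficient for this check).
PASSWORD_CHANGE = {"user.account.update_password", "user.account.reset_password"}

def parse_time(value):
    # System Log timestamps are ISO 8601 UTC, e.g. 2024-05-01T09:00:00.000Z
    return datetime.fromisoformat(value.replace("Z", "+00:00"))

def concerns(event, login):
    # The user can appear as the actor or as a target of the event.
    ids = [(event.get("actor") or {}).get("alternateId")]
    ids += [t.get("alternateId") for t in event.get("target") or []]
    return login in ids

def triage(events, login, min_age_minutes, denied_at):
    """Return 'locked_out', 'minimum_password_age' or 'undetermined'."""
    denied = parse_time(denied_at)
    last_change, locked = None, False
    # Only this user's events up to the moment the reset was denied.
    mine = [e for e in events if concerns(e, login) and parse_time(e["published"]) <= denied]
    for e in sorted(mine, key=lambda e: parse_time(e["published"])):
        kind = e["eventType"]
        if kind == "user.account.lock":
            locked = True
        elif kind.startswith("user.account.unlock"):
            locked = False
        elif kind in PASSWORD_CHANGE:
            last_change = parse_time(e["published"])
    if locked:
        return "locked_out"
    if last_change and denied - last_change < timedelta(minutes=min_age_minutes):
        return "minimum_password_age"
    return "undetermined"

# Constructed sample events (not real log data), trimmed to the fields used above.
SAMPLE_EVENTS = [
    {"published": "2024-05-01T09:00:00.000Z", "eventType": "user.account.update_password",
     "actor": {"alternateId": "alice@example.com"},
     "target": [{"type": "User", "alternateId": "alice@example.com"}]},
    {"published": "2024-05-01T08:00:00.000Z", "eventType": "user.account.lock",
     "actor": {"alternateId": "bob@example.com"}, "target": []},
]

if __name__ == "__main__":
    print(triage(SAMPLE_EVENTS, "alice@example.com", 60, "2024-05-01T09:30:00.000Z"))
    print(triage(SAMPLE_EVENTS, "bob@example.com", 60, "2024-05-01T08:10:00.000Z"))
```

Pass the Minimum Password Age from the policy in minutes as `min_age_minutes` and the timestamp of the Invalid User State entry as `denied_at`.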
Prevention
An admin can minimize tickets raised by displaying lockout failures in the password policy:
- Navigate to the Okta Admin console and go to Security > Authentication > Password Policy.
- Select the password policy that applies to the specified user.
- Select the Edit button on the Password Policy.
- Update the Lock out settings to enable automatic unlock, if not already enabled, and select Show lock out failures.
- Click Save.
