When the Block Suspicious Password Attempts from Unknown Devices feature is enabled, Okta locks out unknown devices that exceed the maximum number of sign-in attempts. Administrators can unlock the device using the Allow Unknown Devices feature in the Admin Console. Searching the System Log using the following query displays all affected users under the Actor column:
outcome.result eq "FAILURE" and displayMessage eq "Account Locked from New Devices - Max sign-in attempts exceeded."
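For triage outside the console, the same condition can be applied to exported System Log events. The following is an added example, not Okta's code: it assumes events in the System Log JSON shape (`actor.alternateId`, `client.ipAddress`, `published`), uses constructed sample events, and its function names are hypothetical.

```python
from collections import defaultdict

LOCKOUT_MESSAGE = "Account Locked from New Devices - Max sign-in attempts exceeded."

# Constructed sample events shaped like System Log entries (not real data).
SAMPLE_EVENTS = [
    {"published": "2024-01-01T10:00:00.000Z", "displayMessage": LOCKOUT_MESSAGE,
     "outcome": {"result": "FAILURE"}, "actor": {"alternateId": "alice@example.com"},
     "client": {"ipAddress": "203.0.113.10"}},
    {"published": "2024-01-01T10:05:00.000Z", "displayMessage": LOCKOUT_MESSAGE,
     "outcome": {"result": "FAILURE"}, "actor": {"alternateId": "alice@example.com"},
     "client": {"ipAddress": "198.51.100.7"}},
    {"published": "2024-01-01T10:06:00.000Z", "displayMessage": "User login to Okta",
     "outcome": {"result": "FAILURE"}, "actor": {"alternateId": "bob@example.com"},
     "client": {"ipAddress": "203.0.113.10"}},
    {"published": "2024-01-01T10:07:00.000Z", "displayMessage": LOCKOUT_MESSAGE,
     "outcome": {"result": "FAILURE"}, "actor": {"alternateId": "carol@example.com"},
     "client": None},
]

def is_unknown_device_lockout(event):
    """Same condition as the query: FAILURE outcome plus the exact lockout message."""
    outcome = event.get("outcome") or {}
    return (outcome.get("result") == "FAILURE"
            and event.get("displayMessage") == LOCKOUT_MESSAGE)

def affected_users(events):
    """Group matching events by actor: lockout count, source IPs, latest timestamp."""
    summary = defaultdict(lambda: {"lockouts": 0, "ips": set(), "last_seen": ""})
    for event in events:
        if not is_unknown_device_lockout(event):
            continue
        actor = (event.get("actor") or {}).get("alternateId", "<unknown actor>")
        entry = summary[actor]
        entry["lockouts"] += 1
        ip = (event.get("client") or {}).get("ipAddress")
        if ip:
            entry["ips"].add(ip)
        # Timestamps share one ISO 8601 UTC format, so string comparison orders them.
        entry["last_seen"] = max(entry["last_seen"], event.get("published", ""))
    return dict(summary)

if __name__ == "__main__":
    for user, info in sorted(affected_users(SAMPLE_EVENTS).items()):
        print(user, info["lockouts"], sorted(info["ips"]), info["last_seen"])
```

Several source IPs against one user, or one IP appearing across many locked-out users, are worth reviewing before choosing Allow Unknown Devices.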
The following error displays in Directory > People for the affected user:
Sign-in attempts for all unknown devices have been blocked
Due to suspicious sign-in attempts from an unrecognized device, Okta has blocked sign-in attempts for all unknown devices for this user (known devices are still accessible). If the user is attempting to sign in from a new device, Allow Unknown Devices.
- Okta Identity Engine (OIE)
- Okta Classic Engine
- General Security
- Password Policy
- Block Suspicious Password Attempts from Unknown Devices
- Allow unknown devices to sign in
The user experiences a lockout due to the Lock out user after <number> unsuccessful attempts option configured in the Password Policy.
If Block Suspicious Password Attempts from Unknown Devices is enabled, Okta blocks suspicious sign-in attempts from unknown devices. Users who sign in to Okta from previously used devices are not locked out when a device that is unknown to Okta causes the lockout.
How can an Okta Administrator allow unknown devices for an end user?
Navigate to the user profile in the Admin Console and select the option to allow unknown devices.
- Navigate to the Okta Admin Console.
- Go to Directory > People and select the affected user.
- Choose Allow Unknown Devices.
How can an Okta end user allow unknown devices?
The user can trigger the Self-Service Unlock process if the Password Policy allows it.
