When Block Suspicious Password Attempts from Unknown Devices is enabled, users who exceed the number of sign-in attempts with an unknown device will have their unknown device locked out of Okta. The goal of this knowledge article is to present how to use the Allow Unknown Devices feature to unlock the unknown device.
Searching the System log using the following query will display all affected users under the Actor column:
outcome.result eq "FAILURE" and displayMessage eq "Account Locked from New Devices - Max sign-in attempts exceeded."
The following error is displayed in Directory > People for the user:
Sign-in attempts for all unknown devices have been blocked
Due to suspicious sign-in attempts from an unrecognized device, Okta has blocked sign-in attempts for all unknown devices for this user (known devices are still accessible). If the user is attempting to sign in from a new device, Allow Unknown Devices.
The user is locked out due to the following option that is configured in the Password policy: Lock out user after <NUMBER> unsuccessful attempts.
If Block Suspicious Password Attempts from Unknown Devices is enabled, suspicious sign-in attempts from unknown devices are blocked. Users who sign in to Okta with devices they've used before are not locked out if another device that is unknown to Okta causes a lockout.
- Navigate to the Admin console.
- Navigate to Directory > People > User.
- Click Allow Unknown Devices.
- The unlock process can be accomplished either by an Admin or by the target user, who can trigger the Self-Service Unlock process if the password policy allows it.
Related References
- Block Suspicious Password Attempts from Unknown Devices
- Block suspicious sign-in attempts from unknown device
- Allow unknown devices to sign in
