A directory-sourced user who is locked out may encounter an unexpected error during login due to an enabled early-access feature related to authentication sequences. Instead of the standard message indicating the user is unable to sign in, the system displays a specific failure notification:
Factor Service Error
- Okta Classic Engine
- Directory integrations
- User sign-on
- Locked-out accounts
- Factor Sequencing
- Passwordless Authentication
The error is caused by an Early Access feature that enables Factor Sequencing and Passwordless Authentication within the Okta Classic Engine. When this feature is active, the authentication flow for a locked-out directory user is interrupted, resulting in the service error rather than the expected sign-in failure message.
How is the Factor Service Error resolved?
The issue is resolved by identifying the active authentication rules or disabling the underlying feature if it is not required. Use the following steps to inspect the configuration:
- In the Okta Admin Console, go to Security > Authentication > Sign On.
- Identify the policy that applies to the affected user and review the associated rules.
- Select the Edit icon for the appropriate rule and navigate to the Authentication section.
NOTE:
-
- If the Factor Sequence option is visible in the UI, it may cause this error even if the option is not actively selected.
- If the Factor Sequencing feature is not in use, contact Okta Support to request that it be deactivated. Include a reference to this article in the support case.
