End-users can encounter the following error while enrolling in Okta Verify:
illegal device state
Also, end-users can encounter the following error while authenticating with Okta FastPass:
Your device or account was invalidated for use on Okta Verify. To continue using Okta Verify on this device, re-enroll this account.
This article outlines why these errors occur and how to resolve them.
- Multifactor authentication (MFA)
- Okta Verify for Desktop
- Devices
- Okta Identity Engine (OIE)
Both errors have the same root cause: the device is in a Suspended or Deactivated state at the time of enrollment or authentication. In the Okta Verify logs, either of the following errors can be seen:
{:octagonal_sign: "Enrollment": {"message": "ILLEGAL_DEVICE_STATE", "defaultProperties": "", "location": "AddAccountFlowCoordinator.swift:handleEnrollFailure(info:error:):488"}}
{:warning: "CODE": {"message": "CODE: 403, for request at URL: https://yourdomain.okta.com/idp/authenticators", "defaultProperties": "", "location": "ServerAPIProtocol.swift:validateResult(_:for:):257"}}
{:octagonal_sign: "API error": {"message": "error: serverAPIError(<OktaDeviceSDK.HTTPURLResult: 0x6000015581e0>, Optional(OktaDeviceSDK.ServerAPIErrorModel(errorCode: Optional(OktaDeviceSDK.ServerErrorCode.deviceSuspended), errorSummary: Optional("Illegal device status, cannot perform action."), errorLink: Optional("E0000152"), errorId: Optional("REDACTED"), status: nil, errorCauses: Optional([["errorSummary": "Invalid device status DEACTIVATED"]])))) for request at URL: https://yourdomain.okta.com/idp/authenticators", "defaultProperties": "", "location": "ServerAPIProtocol.swift:validateResult(_:for:):267"}}
{:white_check_mark: "API": {"message": "Request URL: https://yourdomain.okta.com/api/v1/authenticators?key=okta_verify&expand=methods Response Code: 403 Debug Headers: { x-okta-request-id:REDACTED} Error Response: {Error Code: E0000152, Error Id: REDACTED, Error Summary: Illegal device status, cannot perform action.}","defaultProperties": "", "location":"HttpClient.swift:logResponse(url:statusCode:headers:response:oktaRequest:):299"}}
{:warning: "CODE": {"message": "CODE: 403, for request at URL: https://yourdomain.okta.com/api/v1/authenticators?key=okta_verify&expand=methods", "defaultProperties": "", "location": "ServerAPIProtocol.swift:validateResult(_:for:):263"}}
{:octagonal_sign: "API error": {"message": "error: serverAPIError(<OktaDeviceSDK.HTTPURLResult: 0x600002b41440>, Optional(OktaDeviceSDK.ServerAPIErrorModel(errorCode: Optional(OktaDeviceSDK.ServerErrorCode.deviceSuspended), errorSummary: Optional("Illegal device status, cannot perform action."), errorLink: Optional("E0000152"), errorId: Optional("REDACTED"), status: nil, errorCauses: Optional([["errorSummary": "Your device or account was invalidated. If this is unexpected, contact your administrator for help."]])))) for request at URL: https://yourdomain.okta.com/api/v1/authenticators?key=okta_verify&expand=methods", "defaultProperties": "", "location": "ServerAPIProtocol.swift:validateResult(_:for:):273"}}
Error [Date] Okta Verify 8120 None EnrollmentManager.CreateAndEnrollAccount: API error code UnknownError detected while enrolling a new account.
Warning [Date] Okta Verify 8130 None "[AccountEnrollment][AuthenticatorAccountManager.EnrollAuthenticator]: Failed to enroll a deactivated device : Call to https://<domain>/idp/authenticators failed, HttpStatusCode=Forbidden, Error='E0000152: Illegal device status, cannot perform action.
[: Invalid device status DEACTIVATED]'"
Error [Date] Okta Verify 8120 None [AccountEnrollment][OktaWebRequest.SendMessageAsync]: Call to https://<domain>/idp/authenticators failed with Forbidden. Request Id: [RequestID]
Warning [Date] Okta Verify 8130 None "[AccountEnrollment][OktaApiWebRequest.HandleErrorResponse]: Received API error: E0000152: Illegal device status, cannot perform action.
Other causes:
- An Admin sets the end user's Device status to "Suspend" or "Deactivate" via Okta Admin Console > Directory > Devices.
- The previous owner of the device was deactivated, and the device was given to a new user/owner without being deleted from the previous owner's account.
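The log samples above can be triaged automatically. The following is an added example, not Okta code: it scans Okta Verify log lines for E0000152, re-joins the wrapped Windows cause line, and reports the request URL and device status. The `enrollment` and `fastpass` labels, the host `example.okta.com` and the sample lines are assumptions constructed for this example.

```python
import re

ERROR_CODE = "E0000152"  # error code present in every sample on this page
# Cause strings come from the page's samples; the flow labels are this example's own.
CAUSES = [
    (re.compile(r"Invalid device status (\w+)"), "enrollment"),
    (re.compile(r"device or account was invalidated", re.I), "fastpass"),
]
URL_RE = re.compile(r"https://[^\s\"',]+")
# Logs pasted into tickets often arrive with typographic quotes.
QUOTES = str.maketrans({"\u201c": '"', "\u201d": '"', "\u2018": "'", "\u2019": "'"})

def join_continuations(lines):
    """Re-attach the '[: Invalid device status ...]' line the Windows log wraps."""
    merged = []
    for line in lines:
        if merged and line.lstrip().startswith("[:"):
            merged[-1] += " " + line.strip()
        else:
            merged.append(line)
    return merged

def triage(lines):
    """Return one finding per log entry that carries E0000152."""
    findings = []
    for raw in join_continuations(lines):
        line = raw.translate(QUOTES)
        if ERROR_CODE not in line:
            continue
        url = URL_RE.search(line)
        finding = {"url": url.group(0) if url else None, "flow": "unknown", "device_status": None}
        for pattern, flow in CAUSES:
            cause = pattern.search(line)
            if cause:
                finding["flow"] = flow
                finding["device_status"] = cause.group(1) if pattern.groups else None
                break
        findings.append(finding)
    return findings

# Constructed sample entries, shortened from the formats shown above.
SAMPLE = [
    "Warning [Date] Okta Verify 8130 None \"Call to https://example.okta.com/idp/authenticators "
    "failed, HttpStatusCode=Forbidden, Error='E0000152: Illegal device status, cannot perform action.",
    "[: Invalid device status DEACTIVATED]'\"",
    "{:octagonal_sign: \u201cAPI error\u201d: {\u201cmessage\u201d: \u201cerrorLink: Optional(\u201cE0000152\u201d), "
    "errorCauses: Optional([[\u201cerrorSummary\u201d: \u201cYour device or account was invalidated.\u201d]]) for request at "
    "URL: https://example.okta.com/api/v1/authenticators?key=okta_verify&expand=methods\u201d}}",
    "Info [Date] Okta Verify 1000 None Application started.",
]
```

A finding with `device_status` set to `DEACTIVATED` points at the device record in Admin Console > Directory > Devices rather than at the Okta Verify client.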
To resolve the issue:
1. Okta recommends using the latest Okta Verify version. If the Okta Verify version is out of date, update to the latest version and try enrolling again.
2. If the Okta Verify version is up to date:
   a. Go to the Admin Console > navigate to the Directory menu > click the Devices tab.
   b. Search for the device used by the affected end-user and ensure that it is in an "Activate" state.
      - If not, Activate the device.
   c. Then Deactivate and delete it.
   d. Now, re-enroll the Okta Verify account.
3. In case the above does not help, only then follow these steps:
   a. Deactivate and delete the device from Okta Admin Console > Directory > Devices, as mentioned above in 2.c.
   b. Before re-enrolling, first clear the Okta Verify Cache from the mobile phone device:
      - For example, on Android phones, go to Settings > Apps > Okta Verify > Storage > Clear Cache.
      - DO NOT use the Clear data option, as that will delete all accounts.
   c. Now, re-enroll in Okta Verify and see if that resolves the issue.
4. If the above does not help either, then follow these steps as a last resort:
   a. Deactivate and delete the device from the Okta Admin Console as per the above step 2.c.
   b. Delete Okta Verify App from the mobile device.
      - CAUTION: Note that this will remove all existing accounts registered with Okta Verify.
   c. Reinstall Okta Verify on the Mobile device.
   d. Re-enroll in Okta Verify.
