When a user's account is locked (for example, after too many incorrect password attempts) and they then attempt to sign in with the correct password, the Okta Sign-In Widget displays a generic error message such as "Unable to sign in" or "Invalid username/password". The widget does not state that the account is locked, which can confuse the end user.
- Authentication
- Sign-In Widget
- Multi-Factor Authentication (MFA)
This behavior occurs when the "Show lockout failures" option is disabled in the Password Policy rule that applies to the user. For security purposes, to prevent account enumeration or harvesting, Okta's default behavior is to return a generic authentication failure message. The more specific "The account is locked" error is returned by the API and displayed in the widget only if this setting is explicitly enabled.
Enabling the Show lockout failures setting in the relevant Okta Password Policy will ensure users see a specific "account locked" message.
- Log in to the Okta Admin Console.
- Navigate to Security > Authentication.
- Click on the Password policy tab.
- Identify the policy that applies to the affected users (for example, the "Default Policy") and click on its name.
- Click the Edit button.
- Scroll down to the Lock out section.
- Check the box for Show lockout failures.
- Click Update Policy to save the changes.
After this setting is enabled, users attempting to sign in to a locked account will see a message indicating their account is locked, providing a clearer user experience.
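The following is an added example (not Okta's code or part of this article) that ties the cause above to the resolution: it reads the JSON that Okta's Policies API returns for password policies (the `settings.password.lockout.showLockoutFailures` field is taken from that API; the sample policy objects themselves are constructed for offline use and trimmed to the fields used) and reports, per policy, whether the setting is enabled and which of the two messages a user with a locked account will therefore see. An admin can run this against a saved API response to find policies still returning the generic message before deciding, per policy, whether the clearer message is worth the enumeration trade-off described above.

```python
"""Audit Okta password policies for the "Show lockout failures" setting.

Added example, not Okta's own code. Input is the list returned by
GET /api/v1/policies?type=PASSWORD; only the fields used below are needed.
"""
from __future__ import annotations

import json
from typing import Iterable

# The two user-visible outcomes described in the article.
GENERIC_MESSAGE = "Unable to sign in"        # setting disabled (Okta default)
LOCKED_MESSAGE = "The account is locked"     # setting enabled


def user_visible_message(show_lockout_failures: bool) -> str:
    """Message the Sign-In Widget shows for a correct password on a locked account."""
    return LOCKED_MESSAGE if show_lockout_failures else GENERIC_MESSAGE


def lockout_settings(policy: dict) -> dict:
    """Return the lockout block of a password policy, tolerating missing keys."""
    return policy.get("settings", {}).get("password", {}).get("lockout", {})


def lockout_disclosure_report(policies: Iterable[dict]) -> list[dict]:
    """One row per PASSWORD policy: the flag's value and the resulting message."""
    rows = []
    for policy in policies:
        if policy.get("type") != "PASSWORD":
            continue  # sign-on, MFA and other policy types carry no lockout block
        lockout = lockout_settings(policy)
        # A missing key means the tenant default, i.e. the generic message.
        show = bool(lockout.get("showLockoutFailures", False))
        rows.append({
            "policy": policy.get("name", "<unnamed>"),
            "status": policy.get("status"),
            "maxAttempts": lockout.get("maxAttempts"),
            "showLockoutFailures": show,
            "userSees": user_visible_message(show),
        })
    return rows


def policies_hiding_lockout(policies: Iterable[dict]) -> list[str]:
    """Names of password policies whose users still get the generic message."""
    return [row["policy"] for row in lockout_disclosure_report(policies)
            if not row["showLockoutFailures"]]


# Constructed sample response (ids and group ids are placeholders, not real values).
SAMPLE_POLICIES_JSON = """
[
  {"id": "POLICY_ID_PLACEHOLDER_1", "type": "PASSWORD", "name": "Default Policy",
   "status": "ACTIVE", "priority": 2,
   "settings": {"password": {"lockout": {"maxAttempts": 10, "autoUnlockMinutes": 0}}}},
  {"id": "POLICY_ID_PLACEHOLDER_2", "type": "PASSWORD", "name": "Contractors",
   "status": "ACTIVE", "priority": 1,
   "conditions": {"people": {"groups": {"include": ["GROUP_ID_PLACEHOLDER"]}}},
   "settings": {"password": {"lockout": {"maxAttempts": 5, "autoUnlockMinutes": 30,
                                          "showLockoutFailures": true}}}},
  {"id": "POLICY_ID_PLACEHOLDER_3", "type": "OKTA_SIGN_ON", "name": "Default Sign-On",
   "status": "ACTIVE", "priority": 1, "settings": {}}
]
"""
SAMPLE_POLICIES = json.loads(SAMPLE_POLICIES_JSON)

if __name__ == "__main__":
    for row in lockout_disclosure_report(SAMPLE_POLICIES):
        print(f"{row['policy']:<16} showLockoutFailures={row['showLockoutFailures']!s:<5} "
              f"maxAttempts={row['maxAttempts']}  user sees: {row['userSees']!r}")
    print("still generic:", policies_hiding_lockout(SAMPLE_POLICIES))
```

To audit a live tenant, replace `SAMPLE_POLICIES` with the parsed body of the Policies API call (an API token with policy read permission is required); the report lists every password policy, so a policy scoped to a subset of users via its group conditions is checked independently of the default policy.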
