The goal of this knowledge article is to clarify why end users are locked out after entering an incorrect password on a new device when the password policy has a lockout option set. The user account is in the Active status, and an admin cannot perform an account unlock, even though the user reports being locked out. Reviewing the System Log, the user does not appear to be locked.
- Block Suspicious Password Attempts from Unknown Devices
- Unknown Devices
- Locked out
- Password Policy
- Okta Identity Engine (OIE)
When Block Suspicious Password Attempts from Unknown Devices is enabled, Okta can detect whether sign-in attempts are coming from a known or an unknown device. A known device is one that has previously been used to sign in to Okta. An unknown device has never been used to sign in to Okta. When a user signs in from an unknown device (computer, browser, IP), Okta allows them to try passwords for as many attempts as the password policy is configured to permit. If the user fails to sign in the maximum number of times allowed, they are locked out on that new device. Because Okta determines that the failed sign-in attempts are coming from an unknown device, it blocks further sign-in attempts from unknown devices while still allowing sign-ins from known devices. The block is applied to unknown devices rather than to the account itself, which is why the account stays in the Active status, shows no lockout in the System Log, and cannot be "unlocked" by an admin. This helps prevent malicious parties from disrupting Okta users' access to their accounts and enhances account protection.
The user needs to sign in from a known device, or an admin can perform one of the following:
- Allow Unknown Devices for the user.
- Disable Block Suspicious Password Attempts from Unknown Devices.
- Enable a Password Policy that allows users to perform self-service account unlock.
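As an added illustration that is not Okta's code and not part of this article, the following Python model shows the behaviour described above and the "Allow Unknown Devices" remedy: failed attempts from unknown devices are counted per user, the resulting block applies only to unknown devices, the account status stays Active so an account unlock finds nothing to unlock, and allowing unknown devices for the user clears the block. The lockout threshold, the sample user, the device identifiers and the result codes are assumptions made for the example.

```python
import hmac
from dataclasses import dataclass, field

# Assumed lockout threshold; in practice this comes from the org's password policy.
MAX_FAILED_ATTEMPTS = 3


@dataclass
class UserAccount:
    login: str
    password: str                                  # constructed sample; a real system stores a hash
    known_devices: set = field(default_factory=set)  # devices that have signed in successfully before
    failed_unknown_attempts: int = 0               # failures counted across unknown devices
    unknown_devices_blocked: bool = False          # the device-level block, not an account lock
    status: str = "ACTIVE"                         # the account-level status an admin sees


def sign_in(user: UserAccount, device_id: str, password: str,
            max_attempts: int = MAX_FAILED_ATTEMPTS) -> str:
    """Evaluate one sign-in attempt and return a short result code (assumed names)."""
    is_known = device_id in user.known_devices
    # Once the threshold has been reached, only unknown devices are refused.
    if not is_known and user.unknown_devices_blocked:
        return "BLOCKED_UNKNOWN_DEVICE"
    if hmac.compare_digest(password, user.password):
        user.known_devices.add(device_id)          # a successful sign-in makes the device known
        return "SUCCESS"
    if is_known:
        return "INVALID_PASSWORD"                  # failures from known devices are outside this model
    user.failed_unknown_attempts += 1
    if user.failed_unknown_attempts >= max_attempts:
        user.unknown_devices_blocked = True
        return "BLOCKED_UNKNOWN_DEVICE"
    return "INVALID_PASSWORD"


def admin_unlock_account(user: UserAccount) -> str:
    """Account unlock acts on the account status only, so here there is nothing to unlock."""
    if user.status != "LOCKED_OUT":
        return "NOTHING_TO_UNLOCK"
    user.status = "ACTIVE"
    return "UNLOCKED"


def admin_allow_unknown_devices(user: UserAccount) -> str:
    """Remedy from the article: clear the unknown-device block for this user."""
    user.unknown_devices_blocked = False
    user.failed_unknown_attempts = 0
    return "UNKNOWN_DEVICES_ALLOWED"


def scenario() -> list:
    """Replay the situation the article describes and return the trace of results."""
    alice = UserAccount("alice@example.com", "correct-horse")  # constructed sample user
    alice.known_devices.add("laptop-known")                   # a device she has used before
    trace = []
    for _ in range(MAX_FAILED_ATTEMPTS):
        trace.append(sign_in(alice, "phone-new", "wrong"))    # unknown device, wrong password
    trace.append(sign_in(alice, "phone-new", "correct-horse"))   # right password, still blocked
    trace.append(sign_in(alice, "laptop-known", "correct-horse"))  # known device is unaffected
    trace.append(alice.status)                                # account never left ACTIVE
    trace.append(admin_unlock_account(alice))                 # nothing for the admin to unlock
    trace.append(admin_allow_unknown_devices(alice))          # the remedy that actually helps
    trace.append(sign_in(alice, "phone-new", "correct-horse"))   # new device now works
    return trace


if __name__ == "__main__":
    for step in scenario():
        print(step)
```

The trace shows the confusing symptom directly: the third failed attempt from the new phone triggers `BLOCKED_UNKNOWN_DEVICE`, the correct password from that phone is still refused, the known laptop signs in normally, the status remains `ACTIVE` and an account unlock returns `NOTHING_TO_UNLOCK`. Only clearing the unknown-device block lets the new device in.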
