
ChristopherB.67768 (Customer) asked a question.
When a user is LOCKED_OUT or in RECOVERY, are they able to authenticate with a different factor other than a password? For example, if a user has a webauthn factor and they attempt to login via password and get locked out due to too many failed attempts, can they still login via webauthn?
The behavior we are seeing from the SDK indicates they cannot login and need to bring their account back into ACTIVE status before they can login, regardless of the factor used. The same goes for RECOVERY status. It seems that users who are PASSWORD_EXPIRED can login via a different factor, but not LOCKED_OUT or RECOVERY.
Here is the behavior we see:
LOCKED_OUT: cannot login via password or passkey/webauthn
RECOVERY: cannot login via password or passkey/webauthn
PASSWORD_EXPIRED: cannot login via password, but CAN login via passkey/webauthn
This indicates to me that the LOCKED_OUT and RECOVERY statuses mean the account is in a bad state and needs to be fixed before being able to login. The PASSWORD_EXPIRED status means the factor is in a bad state and users can login via another factor.
I cannot find this information anywhere in the documentation and would like Okta's stance on this before making any changes on our side. Can you confirm that what is stated here is Okta's stance on these statuses and a user's ability to login? Or is there any scenario where a user who is LOCKED_OUT or in RECOVERY is able to authenticate?

Hi @ChristopherB.67768 (Customer), thank you for reaching out to the Okta Community!
I can confirm that the behavior you described is expected and your findings are correct.
In the case of LOCKED_OUT, the status occurs when a user exceeds the maximum number of failed sign-in attempts, as defined in the login policy. It is a security measure that locks down the entire account to prevent brute-force attacks. No authentication is possible until the lockout duration expires (if auto-unlock is configured), self-service unlock is leveraged (if configured) or an administrator manually unlocks the account.
In the case of RECOVERY, the status indicates that a password reset or account recovery process has been initiated. For security reasons, the account is placed in a temporary state where authentication is not permitted. The user must complete the recovery process to reset their password and bring the account back to an ACTIVE state before they can log in.
The PASSWORD_EXPIRED status applies to the authenticator itself, so if your authentication policies are configured to allow alternatives, the user will be able to log in.
If my answer helped, remember to mark it as best to increase its visibility for other members of the Okta Community who might have the same questions as you.
Hope my answer helps!
--
Help others in the community by liking or hitting Select as Best if this response helped you.