Okta Classic Engine | Administration | Answered | 2025-11-28T18:02:44.000Z | 2025-11-03T16:52:54.000Z

AdamH.05926 (Customer) asked a question.

How to configure what users see on account lock

We are setting up a user group that we want to deny self account recovery and self password resets. We created a password policy that denies them from resetting their password. For testing, we also set the group up to lock after 1 bad attempt.

 

During testing, when we log in with a bad password we are immediately taken to the "Verify it's you with a security method." page with an option for Email, Okta Verify, or Phone.

 

We've set the users to be unable to use the methods, only a password is allowed for verification. What section in Okta should we be looking at to change this behavior? We were hoping that it would just take the user to a screen showing that their account was locked and to contact an administrator.


  • Hello @AdamH.05926 (Customer)​ Thank you for posting on our Community page!

     

    It depends on which policy is being triggered. I would recommend reviewing the System Log to see which policy is being triggered and adjusting it accordingly. Please see our doc on the policies below:

    https://help.okta.com/oie/en-us/content/topics/identity-engine-upgrade/okta-sign-on-policy-changes.htm

     

    Thank you for reaching out to our Community and have a great day!

    --

    Help others in the community by liking or hitting Select as Best if this response helped you.

    Selected as Best
  • BrandonB.06003 (Customer)

    This is set up in your account recovery settings in the authenticator settings for password. If I recall correctly, Okta displays all possible options that are configured in a recovery policy, and they are not tied to each user. This is because at that point in the flow Okta doesn't know who the user is, so it relies on the user already knowing what they can use. You can remove other authenticators from the policy and it should remove them from that screen (i.e., we don't want phone to be an option, so remove phone from all recovery policies).

This question is closed.