
MikeP.85680 (Customer) asked a question.
We have User Enumeration Prevention (UEP) enabled in our org, and it works as expected for the login and password reset flows. However, we've noticed a behavioral inconsistency in the self-service account unlock flow that appears to undermine UEP entirely.
Observed behavior
When a user submits the account unlock form:
1. Account exists: the form immediately pre-selects "Email" with no authenticator list shown.
2. Account does not exist: the form displays a list of available authenticators (email is the only option in our case, but it is presented as a selectable list item).
Expected behavior
The response should be identical regardless of whether the account exists - either always show the authenticator selection list, or always pre-select email. No observable difference should be present between the two states. This is exactly how it works for the Forgot Password scenario btw.
Questions
- Is there a configuration workaround to enforce consistent behavior for the unlock flow?
- Is this a known issue or an acknowledged gap in UEP coverage?

Hello @MikeP.85680 (Customer) Thank you for posting on our Community page!
You are completely right—this observable difference defeats the entire purpose of User Enumeration Prevention (UEP) for that specific flow.
Here is the breakdown of why this is happening and how you can force consistency.
Is this an acknowledged gap?
Yes, this is a known architectural quirk in Okta Identity Engine (OIE). The inconsistency is the result of Okta's UX optimization logic clashing with its security obfuscation logic:
Furthermore, Okta’s official documentation explicitly notes limitations surrounding UEP in recovery flows. Most notably, UEP is completely unsupported in recovery scenarios if your org is using the Okta Account Management Policy (the newer policy framework for managing self-service recovery and authenticator enrollment).
You can also check our doc here :
https://support.okta.com/help/s/article/user-enumeration-prevention-influencing-okta-sspr?language=en_US
Thank you for reaching out to our Community and have a great day!
--
Help others in the community by liking or hitting Select as Best if this response helped you.
Hi Paul,
Thank you for the detailed explanation - the architectural breakdown is helpful.
I do want to clarify one point though: we are not using the Okta Account Management Policy. We are on the "legacy" configuration, so the limitation you mentioned regarding UEP being unsupported under that newer policy framework does not apply to our setup, and we are already aware of it.
The core issue we are seeing is this: with the exact same legacy configuration, the behavior is inconsistent across flows:
Since the only variable here is the flow (Password Reset vs. Account Unlock), and both are governed by the same legacy configuration and policy settings, this suggests a flow-specific gap in the legacy UEP implementation for Account Unlock.
Could you confirm whether this is a known gap specifically in the legacy (non-Account Management Policy) Account Unlock flow, and whether there is a workaround or a fix planned?
Hello @MikeP.85680 (Customer) Even though Password Reset and Account Unlock are governed by the exact same legacy policy settings, they use different underlying evaluation sequences in OIE:
Additionally, you can open a case with Support for an additional deep dive into this to see if maybe something else is missed.
Thank you for reaching out to our Community and have a great day!
--
Help others in the community by liking or hitting Select as Best if this response helped you.