A common situation you may encounter is a user who has locked themselves out of their account, either by entering the password incorrectly too many times or by failing to satisfy the required MFA.
This article presents information regarding:
- the number of failed login attempts allowed when the password is entered incorrectly;
- the number of failed login attempts allowed when MFA is not satisfied;
- how to unlock a blocked user.
- Multi-factor Authentication
- Password Policy
- Lockout
- Okta Identity Engine (OIE)
Number of failed login attempts allowed when a password is entered incorrectly
When a user signs in to their Okta account and is prompted for a password, the configured password policy applies. The user has as many attempts to enter the correct password as the Password Policy allows.
If no password policy has been configured yet, the steps below can be followed to set one up. By default, the lockout threshold is 10 unsuccessful attempts.
- Log in to the Okta Admin dashboard.
- Navigate to Security > Authenticators > Password > Actions > Edit.
- Select the password policy to be modified and click the Edit button.
- Locate the Lock out settings within the Password Settings section.
- Configure the Lock out user after X unsuccessful attempts and Account is automatically unlocked after X minutes fields as needed.
Number of failed login attempts allowed when MFA is not satisfied
For failed MFA, Okta enforces a rate limit on unsuccessful authentication attempts from authenticators to safeguard sensitive corporate resources from unauthorized access. A cumulative limit of five unsuccessful authentication attempts is enforced over a rolling five-minute period. If unsuccessful authentications exceed the rate limit, authentication isn’t allowed until the rate limit period has elapsed. A message appears on the user interface, and an entry is written to the System Log.
To unlock an account that has been locked because the password attempt limit was exceeded, or for another reason, follow the steps below:
- In the Admin Console, go to Directory > People.
- In the left menu, select More Actions.
- Click on the user name that needs to be unlocked from the Person & Username column.
- Click More Actions, and then click Unlock Account.
If the user still doesn't know their password, reset the password or ask them to reset it if self-service password resets are enabled.
If the account was blocked due to failed MFA, apart from unlocking, a reset of the authenticators is also advisable. To accomplish that,
- In the Admin Console, go to Directory > People and select the user that needs the MFA reset;
- In the left menu, select More Actions and then click on Reset Authenticators.
Once a user has been locked out after too many failed password attempts, the failed login counter resets only when the user successfully logs in to the same account after it has been unlocked. After an account has been unlocked, there is no time limit on when the user can try again to log in, change their password, and/or reset their MFA.
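The following is an added example, not Okta's own code: a small Python model of the three rules this article describes, the password lockout threshold with optional automatic unlock, the MFA rate limit of five failures over a rolling five-minute window, and the failure counter that persists across an unlock until the next successful login. It is useful for reasoning about what a user or a helpdesk script should expect; the `auto_unlock_minutes` value of 30 and the minute-based clock are assumptions, and `LockoutModel` is a constructed name.

```python
from collections import deque
from dataclasses import dataclass, field
from typing import Deque, Optional


@dataclass
class LockoutModel:
    """Model of the lockout rules in the article; times are minutes since sign-in started."""
    max_password_failures: int = 10          # "Lock out user after X unsuccessful attempts" (article default)
    auto_unlock_minutes: Optional[int] = 30  # "Account is automatically unlocked after X minutes" (assumed value)
    mfa_limit: int = 5                       # five failed MFA attempts ...
    mfa_window_minutes: int = 5              # ... over a rolling five-minute period
    password_failures: int = 0
    locked_at: Optional[float] = None
    mfa_failures: Deque[float] = field(default_factory=deque)

    def password_locked(self, now: float) -> bool:
        if self.locked_at is None:
            return False
        if self.auto_unlock_minutes is not None and now - self.locked_at >= self.auto_unlock_minutes:
            self.locked_at = None  # auto-unlock clears the lock, not the failure counter
            return False
        return True

    def password_attempt(self, now: float, correct: bool) -> str:
        if self.password_locked(now):
            return "locked"             # even a correct password is refused while locked
        if correct:
            self.password_failures = 0  # the counter resets only on a successful login
            return "ok"
        self.password_failures += 1
        if self.password_failures >= self.max_password_failures:
            self.locked_at = now
            return "locked"
        return "wrong"

    def admin_unlock(self) -> None:
        """Directory > People > More Actions > Unlock Account: clears the lock only."""
        self.locked_at = None

    def mfa_attempt(self, now: float, success: bool) -> str:
        while self.mfa_failures and now - self.mfa_failures[0] >= self.mfa_window_minutes:
            self.mfa_failures.popleft()  # failures age out of the rolling window
        if len(self.mfa_failures) >= self.mfa_limit:
            return "rate_limited"        # refused until the window elapses
        if success:
            return "ok"
        self.mfa_failures.append(now)
        return "wrong"
```

Note that, as the article states, an admin unlock does not reset the counter, so in this model one more wrong password after an unlock locks the account again; only a successful login clears it.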