# User Lock Out Risk Detected

Detects Duo users who are locked out but have successfully accessed other resources/systems, or users with multiple Duo accounts where only some are locked out. Duo's lock out feature can be a very powerful remediation tool when investigating potentially malicious user activity. However, locking users out of Duo can also unintentionally revert users to the access and authentication requirements of other systems, like your identity provider (IdP), allowing them to circumvent the intended security and MFA policies configured in Duo.

Additionally, locked out users attempting to regain access are more susceptible to phishing or social engineering attacks (which may have triggered the initial lock out) and may resort to less secure MFA alternatives or credential sharing, making it easier to successfully compromise a targeted account.

**Recommended Actions**

Review the policy that enabled the account(s) to successfully access resources despite being locked out in Duo, and understand how the relevant policies work across Duo and the affected system(s). Make any necessary policy configuration changes to ensure that the resource is properly protected by Duo policies and that there are no unintended loopholes, or enforce strong forms of MFA for that resource in the affected system. For users with lock out status discrepancies across multiple Duo accounts, investigate each of the user's Duo account to determine if there was any concerning behavior, then assign the appropriate status to all of the user's accounts.

**Compatibility**&#x20;

[Duo](/integrations/duo-security-integration.md)

<figure><img src="/files/ch66qYB4fLSGV5l9aArP" alt=""><figcaption></figcaption></figure>


---

# Agent Instructions: Querying This Documentation

If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question.

Perform an HTTP GET request on the current page URL with the `ask` query parameter:

```
GET https://docs.oort.io/understanding-check-failures/oort-insights/identity-threat-detection-insights/user-lock-out-risk-detected.md?ask=<question>
```

The question should be specific, self-contained, and written in natural language.
The response will contain a direct answer to the question and relevant excerpts and sources from the documentation.

Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.