Unlocking a User Locked Out of Duo MFA

1  Purpose

Provide Service Desk personnel with a quick, repeatable process to immediately remove a Duo lockout for users who have exceeded the failed‑attempt threshold and cannot wait the default 30‑minute auto‑unlock window.

2  Scope & Audience

• Audience: Division of IT Service Desk staff with Help Desk or User Manager rights in the Duo Admin Panel.

• Systems: Duo Security cloud tenant (all integrations).

• Out of Scope: Enrollment issues, device replacement, and the 15‑second Frequent Attempts protection.

3  Prerequisites

Role: Service Desk personnel with permission to change user status (User Manager, Administrator, Owner in Duo).

Access: https://admin.duosecurity.com/login?next=%2F

Lockout message the customer will see:

4  Procedure

1. Verify caller identity. Do NOT proceed without positive verification, primary and secondary verification.

2. Log in to the Duo Admin Panel.

3. In the left navigation, select Users → Users.

4. Search for the user by eID; click the matching record.

5. On the user profile, confirm the banner reads Status: Locked Out (n failed attempts).

6. Click Unlock user (or set Status to Active) and click Save if prompted.

7. Advise the caller:

   • Try logging in again in a new browser/session.

   • If they mistype credentials again three times, the lockout will recur.

8. Document the action in the incident

5  Troubleshooting & Tips

• User insists they’re still locked: Have them close all tabs/windows and start a new sign‑in; status updates on the next authentication attempt.

6  Security Notes

• Never unlock an account without full identity verification.

• Do not modify any other user attributes.

• Report unusual patterns (multiple lockouts for the same user in a short period) to the SIOC.