Users who are locked out of the Forgot My Password interface due to excessive failed question login attempts will not be able to log in to that interface until an administrator unlocks the account, or until the locked user (or a user with appropriate capabilities) changes or resets the user’s password, or until the lock expires.
An administrator can unlock an account if the administrator has administrative control of the user’s member organization, as well as the Unlock User capability.
If a Lock Timeout value is set in the Identity Manager Account Policy, a lock placed on an account will eventually expire. The Lock Timeout value for failed question login attempts is set by the Account lock created by failed question-logins expires in value.
An administrator with appropriate capabilities can perform the following operations on a user in locked state:
Update (including resource reprovisioning)
Change or reset password
Disable or enable
To unlock accounts, select one or more user accounts in the list, and then select Unlock Users from the User Actions or Organization Actions list.