# Unlock authenticator

Client SDK, Backend API, Mobile approve, SSO, Sub-journey

> Unlocks a user's authenticator by authenticator ID


## Description

This step unlocks a specific authenticator for a user, allowing them to authenticate with it again. It can be used to reset the lockout state for authenticators that were locked either manually or by a lockout policy.

Unlocking is supported for the following authenticator types: passwords, passkeys, mobile biometrics, face authentication, and PIN codes (*This functionality is being gradually rolled out across regions and tenants*). TOTP and OTP (email, SMS) authenticators cannot be unlocked using this step.

The authenticator to unlock is identified by its authenticator ID, which can be retrieved using the "User Authenticators: User authenticators API" step or the [User Authenticators API](/openapi/user/authenticators.openapi/other/userauthenticators). If the step completes successfully, the lockout state is cleared and the journey continues to the next step. If it fails, the journey proceeds to a failure branch (if one is specified); otherwise, the journey is aborted and an error is sent to the client.

For more about which authenticator types support unlocking, see [Manage user authenticators](/guides/user/manage_authenticators#manage-authenticator-status).

## Configuration

| Field | Description |
|  --- | --- |
| **User auth state** | Indicates if the user has authenticated in this journey. If the user is authenticated (default), the user context is provided implicitly by the journey. If not, a user identifier must be configured. |
| **Identifiers** | Only configured if the journey doesn't authenticate the user before invoking this step. Can be an external user ID, email, phone number, username, or a [custom identifier](/guides/user/manage_user_schema), if configured for B2C users in your tenant. |
| **Authenticator ID** | ID of the authenticator to unlock, specified as an expression. Can be retrieved using the "User Authenticators: User authenticators API" step or the [User Authenticators API](/openapi/user/authenticators.openapi/other/userauthenticators). |
| **Error output variable** | Name of the variable that stores any errors returned by the step. |
| **Failure behavior** | Determines what happens if the step fails: either the journey is aborted, or it proceeds to a failure branch of the control flow (default). |


Journey event data
This step can be configured to record step input and output data, or a custom payload, which is then surfaced in journey events in Journey Analytics for diagnostic purposes. For details, see [Additional data reporting](/guides/orchestration/getting-started/event_reporting).