{"templateId":"markdown","sharedDataIds":{"sidebar":"sidebar-sidebars.yaml"},"props":{"metadata":{"markdoc":{"tagList":["admonition"]},"redocly_category":"Journeys","product":"Identity Management","type":"markdown"},"seo":{"title":"Lock authenticator","description":"Everything about Mosaic Journeys, SDKs, and APIs","siteUrl":"https://developer.transmitsecurity.com/","llmstxt":{"hide":false,"sections":[{"title":"Table of contents","includeFiles":["**/*"],"excludeFiles":[]}],"excludeFiles":[]}},"dynamicMarkdocComponents":[],"compilationErrors":[],"ast":{"$$mdtype":"Tag","name":"article","attributes":{},"children":[{"$$mdtype":"Tag","name":"Heading","attributes":{"level":1,"id":"lock-authenticator","__idx":0},"children":["Lock authenticator"]},{"$$mdtype":"Tag","name":"div","attributes":{"className":"badge-wrapper"},"children":[{"$$mdtype":"Tag","name":"div","attributes":{"className":"badge"},"children":["Client SDK"]},{"$$mdtype":"Tag","name":"div","attributes":{"className":"badge"},"children":["Backend API"]},{"$$mdtype":"Tag","name":"div","attributes":{"className":"badge"},"children":["Mobile approve"]},{"$$mdtype":"Tag","name":"div","attributes":{"className":"badge"},"children":["SSO"]},{"$$mdtype":"Tag","name":"div","attributes":{"className":"badge"},"children":["Sub-journey"]}]},{"$$mdtype":"Tag","name":"blockquote","attributes":{},"children":[{"$$mdtype":"Tag","name":"p","attributes":{},"children":["Locks a user's authenticator to prevent authentication"]}]},{"$$mdtype":"Tag","name":"Heading","attributes":{"level":2,"id":"description","__idx":1},"children":["Description"]},{"$$mdtype":"Tag","name":"p","attributes":{},"children":["This step locks a specific authenticator for a user, preventing them from using it to authenticate. Locking is useful for temporarily blocking an authenticator when suspicious activity is detected or as part of a security enforcement flow."]},{"$$mdtype":"Tag","name":"p","attributes":{},"children":["Locking is supported for the following authenticator types: passwords, passkeys, mobile biometrics, face authentication, and PIN codes (",{"$$mdtype":"Tag","name":"em","attributes":{},"children":["This functionality is being gradually rolled out across regions and tenants"]},"). TOTP and OTP (email, SMS) authenticators cannot be locked."]},{"$$mdtype":"Tag","name":"p","attributes":{},"children":["The authenticator to lock is identified by its authenticator ID, which can be retrieved using the \"User Authenticators: User authenticators API\" step or the ",{"$$mdtype":"Tag","name":"MarkdownLink","attributes":{"href":"/openapi/user/authenticators.openapi/other/userauthenticators"},"children":["User Authenticators API"]},". If the step completes successfully, the authenticator is locked and the journey continues to the next step. If it fails, the journey proceeds to a failure branch (if one is specified); otherwise, the journey is aborted and an error is sent to the client."]},{"$$mdtype":"Tag","name":"p","attributes":{},"children":["For more about which authenticator types support locking, see ",{"$$mdtype":"Tag","name":"MarkdownLink","attributes":{"href":"/guides/user/manage_authenticators#manage-authenticator-status"},"children":["Manage user authenticators"]},"."]},{"$$mdtype":"Tag","name":"Heading","attributes":{"level":2,"id":"configuration","__idx":2},"children":["Configuration"]},{"$$mdtype":"Tag","name":"div","attributes":{"className":"table"},"children":[{"$$mdtype":"Tag","name":"div","attributes":{"className":"md-table-wrapper"},"children":[{"$$mdtype":"Tag","name":"table","attributes":{"className":"md"},"children":[{"$$mdtype":"Tag","name":"thead","attributes":{},"children":[{"$$mdtype":"Tag","name":"tr","attributes":{},"children":[{"$$mdtype":"Tag","name":"th","attributes":{"data-label":"Field"},"children":["Field"]},{"$$mdtype":"Tag","name":"th","attributes":{"data-label":"Description"},"children":["Description"]}]}]},{"$$mdtype":"Tag","name":"tbody","attributes":{},"children":[{"$$mdtype":"Tag","name":"tr","attributes":{},"children":[{"$$mdtype":"Tag","name":"td","attributes":{},"children":[{"$$mdtype":"Tag","name":"strong","attributes":{},"children":["User auth state"]}]},{"$$mdtype":"Tag","name":"td","attributes":{},"children":["Indicates if the user has authenticated in this journey. If the user is authenticated (default), the user context is provided implicitly by the journey. If not, a user identifier must be configured."]}]},{"$$mdtype":"Tag","name":"tr","attributes":{},"children":[{"$$mdtype":"Tag","name":"td","attributes":{},"children":[{"$$mdtype":"Tag","name":"strong","attributes":{},"children":["Identifiers"]}]},{"$$mdtype":"Tag","name":"td","attributes":{},"children":["Only configured if the journey doesn't authenticate the user before invoking this step. Can be an external user ID, email, phone number, username, or a ",{"$$mdtype":"Tag","name":"MarkdownLink","attributes":{"href":"/guides/user/manage_user_schema"},"children":["custom identifier"]},", if configured for B2C users in your tenant."]}]},{"$$mdtype":"Tag","name":"tr","attributes":{},"children":[{"$$mdtype":"Tag","name":"td","attributes":{},"children":[{"$$mdtype":"Tag","name":"strong","attributes":{},"children":["Authenticator ID"]}]},{"$$mdtype":"Tag","name":"td","attributes":{},"children":["ID of the authenticator to lock, specified as an expression. Can be retrieved using the \"User Authenticators: User authenticators API\" step or the ",{"$$mdtype":"Tag","name":"MarkdownLink","attributes":{"href":"/openapi/user/authenticators.openapi/other/userauthenticators"},"children":["User Authenticators API"]},"."]}]},{"$$mdtype":"Tag","name":"tr","attributes":{},"children":[{"$$mdtype":"Tag","name":"td","attributes":{},"children":[{"$$mdtype":"Tag","name":"strong","attributes":{},"children":["Lock reason"]}]},{"$$mdtype":"Tag","name":"td","attributes":{},"children":["Optional reason for locking the authenticator. This value is stored with the lock event and can be used for auditing purposes."]}]},{"$$mdtype":"Tag","name":"tr","attributes":{},"children":[{"$$mdtype":"Tag","name":"td","attributes":{},"children":[{"$$mdtype":"Tag","name":"strong","attributes":{},"children":["Error output variable"]}]},{"$$mdtype":"Tag","name":"td","attributes":{},"children":["Name of the variable that stores any errors returned by the step."]}]},{"$$mdtype":"Tag","name":"tr","attributes":{},"children":[{"$$mdtype":"Tag","name":"td","attributes":{},"children":[{"$$mdtype":"Tag","name":"strong","attributes":{},"children":["Failure behavior"]}]},{"$$mdtype":"Tag","name":"td","attributes":{},"children":["Determines the behavior in case of failure, which either aborts the journey or proceeds to a failure branch of the control flow (default)."]}]}]}]}]}]},{"$$mdtype":"Tag","name":"Admonition","attributes":{"type":"info","name":"Journey event data"},"children":[{"$$mdtype":"Tag","name":"p","attributes":{},"children":["This step can be configured to record step input and output data, or a custom payload, which is then surfaced in journey events in Journey Analytics for diagnostic purposes. For details, see ",{"$$mdtype":"Tag","name":"MarkdownLink","attributes":{"href":"/guides/orchestration/getting-started/event_reporting"},"children":["Additional data reporting"]},"."]}]}]},"headings":[{"value":"Lock authenticator","id":"lock-authenticator","depth":1},{"value":"Description","id":"description","depth":2},{"value":"Configuration","id":"configuration","depth":2}],"frontmatter":{"markdown":{"toc":{"depth":2}},"seo":{"title":"Lock authenticator"}},"lastModified":"2026-05-25T11:22:37.000Z","pagePropGetterError":{"message":"","name":""}},"slug":"/guides/orchestration/journeys/lock_authenticator","userData":{"isAuthenticated":false,"teams":["anonymous"]},"isPublic":true}