Skip navigation
Three padlocks reading
Product & Engineering

When in Doubt, Lockout

A lot of preventive security technology exists to keep organizations from being breached and having to shift to a reactive focus. Once a threat is detected, it becomes essential to mitigate the risk of a breach, or at least prevent an extended one. Cisco Duo’s unenrolled user lockout and Trust Monitor lockout features enable admins to do just that!

Have you ever been in the middle of cooking a meal with multiple pots going that need to be coordinated in a timely fashion, and the doorbell rings? You wish you could just pause everything, but you know it will affect the outcome of the meal.

Security Operations Center (SOC) operators monitor a variety of inputs to guard their environment like a chef watching his pots. When they detect a threat, they want to pause to take time to investigate. Security lockout in Duo Trust Monitor and unenrolled user lockout enable just that in the authentication security realm.

Trust Monitor security lockout

Duo Trust Monitor is a Duo threat detection feature focused on surfacing valuable and actionable security events to Duo administrators in the admin console. It creates a baseline of normal user and device access behavior by analyzing and modeling Duo authentication data. The feature considers questions like who, what, why, where, and when users access applications.

When admins identify alerts that require further investigation, security lockout allows them to “lock out” user accounts while they research the potential threat. The button to initiate it is easy for the admin to access alongside the pertinent alert all within the trust monitor console.

Screenshot of the Duo admin panel, highlighting the easy-to-find button prompting admins to lock out a user

Unenrolled User Lockout

When a user is onboarded, one of the key steps in their new hire workflow is to enroll their user account to allow them to authenticate, access their company’s applications and begin being productive. Yet, when a user is unable to get to the enrollment expeditiously, for whatever reason, their open invitation becomes a potential vulnerability.

With unenrolled user lockout, administrators may set a global time limit during which the user must complete their enrollment, otherwise their account is locked out. This helps ensure that their account is not left open to the risk of unauthorized enrollment. When a locked-out user calls into the help desk, the admin panel clearly shows the reason for the lockout so the agent can handle each lockout type accordingly. After satisfying the organization’s helpdesk verification procedures, the help desk can easily unlock the user so they can enroll or continue their work.


Unenrolled user lockout and Trust Monitor’s security lockout enable administrators to act to mitigate the risk of a breach when they detect a threat to user accounts in their Enterprise environments.

Check out our Duo Administration documentation on Lockout and Security Events in Trust Monitor to help you protect your environment today!