Look back at Password Reset AuthN Workflow in the Lockout Gate settings where the lockout duration, lockout threshold, and number of times until permanent lockout are set:
The settings specify that the workflow can fail 3 times. The user can answer one or all of the questions incorrectly, and have the workflow fail once (one failure count):
In our settings, if the workflow fails three times for the same account, the user is temporarily locked out of the SSPR for 15 minutes. This is a service lockout, and not an Active Directory lockout:
After 15 minutes, the user can attempt to answer their questions again. Failing the workflow two more times would equate to the permanent lockout threshold setting of three, and the user would receive the following error when attempting again:
At this point, the only way the user would be able to use SSPR again would be to have someone unlock the SSPR account in MIM. To do this, perform the following steps:
Go to the MIM portal, and click on Administration...