AA's OTP credential status changing to 'EXPIRED' even if the status is already 'LOCKED' (i.e. the user has used all the allowed number of unsuccessful attempts and there by locked out the credential, in which case the user should not be allowed to use the credential either until the credential is manually set to 'ACTIVE' status by helpdesk or the credential is 'auto unlocked' after the set interval if the 'auto unlock' feature is enabled).
Here is the scenario: OTP Profile -> Validity Period is set to 10 minutes
OTP Authentication Policy -> Lockout Credential after - 5 (attempts)
OTP Authentication Policy -> Enable Automatic Credential Unlock - 1 Day
User creates an OTP (via an AFM's SSO/AA flow. At this point OTP status is 'ACTIVE'), uses 5 attempts on this OTP on the OTP entry screen, AFM displays the message "Your OTP Credential in in inactive Status ...." and stops the authentication flow.
At this point the OTP Status is "LOCKED' with 'Number of Failed Attempts' set to 5. Now after 10 minutes, the OTP credential goes from 'LOCKED' status to 'EXPIRED' status ('Number of Failed Attempts' is still set to 5). Now if the user starts the AFM flow again, since the OTP is now in 'EXPIRED' status, the user is allowed to go forward with the flow allowing the creation of OTP even though the user has just 'LOCKED' out the OTP credential by making more than allowed number attempts at entering OTP.
This should not be possible, the user should not be allowed to go forward once the OTP credential is locked, i.e. once OTP credential enters a 'LOCKED' state, that should over ride and should not enter into 'EXPIRED' status even if the validity time period ends, and the status should be kept in that status until it is manually set to 'ACTIVE' status using admin console my an admin / helpdesk personnel or until it is auto unlocked after the set period (in the above mentioned scenario of 1 day auto unlock setting).
Expired status takes precedence than any other credential status.
Release : 9.1
Component : AuthMinder(Arcot WebFort)
Expired status takes precedence over any other credential status, if credential is Deleted/disabled and then it expires, the expiry status will be the one which will be shown because it does not logically make sense to have a Status on a credential when it is expired and that is the reason you see the behavior.
OTP is one time activation code and works differently than other credentials and in this case if you generate a new OTP the credential will become in active state and that is why the flow went ahead. Auto unlock value should always be less than the Validity of the OTP else it will not have much value to add like in this case.
When OTP configuration is of less duration like in this case 10 minutes, having Auto Unlock does not add value as normally we see customers have to wait certain time after it will be enabled and that is normally larger than 10 minutes.
I explained the logical reasoning on this and it seems you have to play around with the configuration and increase the duration of OTP validity or use it as per the above explanation.