If a user notices unusual activity, they can immediately lock their account. This action requires recovery codes to undo. If the user has not generated recovery codes, they will need to contact an administrator for assistance. This action will also kill all active sessions for the user. PLEASE NOTE, if JWT tokens have been issued for the account, this will not disable them. Always ensure that Access Tokens have reasonable expiration times to avoid issues with locked accounts and live active JWT tokens.