A technique performs user authentication. The technique involves receiving, by processing circuitry, an authentication request which includes a set of authentication factors and which identifies a particular user. The technique further involves performing, by the processing circuitry, an authentication operation to generate an authentication result in response to the authentication request, the authentication result being based on (i) the set of authentication factors of the authentication request, (ii) a user authentication profile which profiles the particular user, and (iii) a lockout state identifying a lockout condition of the particular user which existed at the time of receiving the authentication request. The technique further involves providing, by the processing circuitry and as a response to the authentication request, an authentication action based on the authentication result.